What makes e-signatures HIPAA compliant?

It’s safe to say that not many patients — if any — like sitting in a doctor’s office with a clipboard and a bunch of paperwork. And once that paperwork is filled out, staff have to scan or manually enter information from those paper forms. It’s inefficient and time-consuming, and it’s why more and more practices are using digital forms and e-signatures.

With digital forms and e-signatures, patients can electronically fill out the forms at home on their computer or phone, and data is sent to the healthcare provider automatically, enabling electronic medical records from the start.

Just so you know
You’ve got your medical toolkit ready to help those in need — but what about your telemedicine toolkit? With JotForm’s HIPAA-compliant telehealth platform, you can easily create online medical forms that keep sensitive health data safe.

Healthcare organizations are legally allowed to use e-signatures; however, they must comply with the Health Insurance Portability and Accountability Act (HIPAA), a federal law that stipulates national standards for the protection, security, and privacy of patient information.

But what does HIPAA specifically say about electronic signatures?

Does HIPAA mention electronic signatures?

When the HIPAA Security Rule was enacted in 2003, it was supposed to contain guidance about the use of e-signatures for healthcare providers, but the regulation was vague.

The U.S. Department of Health and Human Services later stated that

No standards exist under HIPAA for electronic signatures. In the absence of specific standards, covered entities must ensure any electronic signature used will result in a legally binding contract under applicable State or other law.

While HIPAA doesn’t dictate a particular standard for e-signatures, there are other laws that do, including the Uniform Electronic Transactions Act (UETA) and the Federal Electronic Signatures in Global and National Commerce Act (ESIGN Act). Healthcare providers must comply with these laws in order to use e-signatures.

Conditions required for HIPAA electronic signatures

In the healthcare industry, patient signatures aren’t usually required for transactions. But there are certain cases where signatures are necessary, namely patient authorizations and BAAs (business associate agreements). If you opt to use e-signatures in these cases, you must meet certain conditions to ensure HIPAA compliance.

Compliance with various legal requirements

The document being signed with an e-signature must meet federal e-signature laws and clearly outline the agreement between the two parties. The signatory must receive a copy of the signed agreement either in printed or digital form (via email).

There are also varying laws regarding e-signatures for different states and localities, so it’s wise for covered entities to consult with a lawyer to make sure they’re in compliance with specific local e-signature laws.

Authorization of users

It’s necessary to validate the identity of the individuals who sign the agreement. This prevents people from signing contracts when they aren’t authorized to. The methods that help ensure user authorization include two-step authentication, identifying questions, and voice verification by phone.

Ensuring the integrity of e-signatures

Keeping all PHI secure and safe is of the utmost importance, which is why covered entities must put a system in place to prevent digital tampering. The most straightforward way to ensure the integrity of e-signatures is to protect the signing process and the resulting records with the same kind of safeguards the HIPAA Security Rule requires for PHI.

Non-repudiation

An accurate audit trail for e-signatures, including time stamping, is vital to ensure that no involved party can deny having signed an agreement. This audit trail makes the e-signature enforceable on a legal level, so that parties can’t later dispute the authorization to share PHI.

An audit trail needs to show several key things: dates, times, locations, and the chain of custody (i.e., who has had access to the file). The signed document must also be given to the person who signed it, to help avoid later disputes over whether they signed.
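One way to build the tamper-evident, time-stamped audit trail described in the integrity and non-repudiation sections above. This is an added example, not JotForm’s or any vendor’s code; the key, the events, the timestamps, the IP address and the document are all constructed. Each signing event is hash-chained to the previous one, and the finished chain is sealed with an HMAC under a key that only the covered entity holds.

```python
import hashlib
import hmac
import json

# Constructed demo key: in practice the covered entity keeps it in a KMS/HSM,
# which is what gives it control and ownership of the signing evidence.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def append_event(trail: list, event: dict) -> dict:
    """Append an audit event chained to the previous entry's hash, so editing,
    inserting or deleting any earlier event breaks the chain."""
    prev = trail[-1]["entry_hash"] if trail else GENESIS
    body = {**event, "prev_hash": prev}
    entry_hash = sha256_hex(json.dumps(body, sort_keys=True).encode())
    entry = {**body, "entry_hash": entry_hash}
    trail.append(entry)
    return entry

def seal_trail(trail: list) -> str:
    """HMAC over the last chain hash with the covered entity's key."""
    return hmac.new(AUDIT_KEY, trail[-1]["entry_hash"].encode(), "sha256").hexdigest()

def verify_trail(trail: list, document: bytes, seal: str) -> bool:
    """Recompute every link and the seal, and confirm the document presented is
    the one whose hash was recorded at signing time."""
    prev = GENESIS
    for entry in trail:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body.get("prev_hash") != prev:
            return False
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    signed = [e for e in trail if e.get("action") == "signed"]
    if not signed or signed[-1]["document_sha256"] != sha256_hex(document):
        return False
    return hmac.compare_digest(seal_trail(trail), seal)

def build_demo():
    """Constructed sample: a patient views, signs, and receives a copy."""
    document = b"CONSTRUCTED sample authorization to disclose PHI, v1"
    doc_hash = sha256_hex(document)
    trail = []
    for action, ts in (("viewed", "2020-04-21T10:00:00Z"), ("signed", "2020-04-21T10:04:12Z"),
                       ("copy_delivered", "2020-04-21T10:04:15Z")):
        append_event(trail, {"action": action, "actor": "patient@example.test", "ts": ts,
                             "auth": "otp-verified", "ip": "203.0.113.5", "document_sha256": doc_hash})
    return document, trail, seal_trail(trail)
```

The HMAC seal shows that nobody without the key altered the trail after sealing; it is tamper evidence for the record, not a replacement for verifying the signer’s identity at signing time.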

Control and ownership of the documents

To protect the integrity of PHI, evidence for e-signatures must be under the control and ownership of the covered entity. The only other entity that should have any copies of the signed agreement is the signatory (business associate). Your e-signature service provider needs to digitally wipe all copies of signed documents from their servers.

Just so you know
If your organization is fighting against COVID-19, you can apply for a free, unlimited, HIPAA-compliant JotForm account with our Coronavirus Responder Program.

Make all e-signatures HIPAA compliant

Before using e-signatures for any communications that involve PHI, healthcare providers must implement safeguards to follow all applicable laws. It may be a good idea to consult with a lawyer for legal advice.

When you put mechanisms in place to ensure the safety of patient PHI, e-signatures are an efficient and convenient way to streamline processes, saving time and increasing patient satisfaction.

This article was originally published on Apr 21, 2020, and updated on Jul 02, 2020.

AUTHOR
Firm believer in personal data privacy in the age of information. Close follower of the new regulations concerning patient confidentiality and HIPAA. You can reach George through his contact form.
