What makes e-signatures HIPAA compliant?

It’s safe to say that not many patients — if any — like sitting in a doctor’s office with a clipboard and a bunch of paperwork. And once that paperwork is filled out, staff have to scan or manually enter information from those paper forms. It’s inefficient and time-consuming, and it’s why more and more practices are using digital forms and e-signatures.

With digital forms and e-signatures, patients can electronically fill out the forms at home on their computer or phone, and data is sent to the healthcare provider automatically, enabling electronic medical records from the start.

Just so you know
If your organization is fighting against COVID-19, you can apply for a free, unlimited, HIPAA-compliant JotForm account with our Coronavirus Responder Program.

Healthcare organizations may use e-signatures, but their use must fit within the Health Insurance Portability and Accountability Act (HIPAA), the federal law that sets national standards for the protection, security, and privacy of patient information.

But what does HIPAA specifically say about electronic signatures?

Does HIPAA mention electronic signatures? 

In 2003, the U.S. Department of Health and Human Services (HHS) published the HIPAA Security Rule. The proposed version of the rule had included a standard for electronic signatures, but all of that material was removed before the final rule was issued.

Afterward, HHS published guidance relating to business associate agreements (BAAs) and the exchange of electronic health information that states:

No standards exist under HIPAA for electronic signatures. In the absence of specific standards, covered entities must ensure any electronic signature used will result in a legally binding contract under applicable State or other law.

In many cases, a signature isn’t required, such as for transactions that disclose protected health information (PHI) for treatment or payment. However, when a signed authorization is required for a disclosure of PHI that isn’t permitted by the HIPAA Privacy Rule — such as if PHI is disclosed to a third party for research purposes — there are specific conditions that must be met.

Conditions required for HIPAA electronic signatures

Beyond HIPAA itself, e-signatures must comply with the federal Electronic Signatures in Global and National Commerce Act (ESIGN Act) and, in the states that have adopted it, the Uniform Electronic Transactions Act (UETA). Together these define the conditions below.

Legal compliance

The contract, document, agreement, or authorization has to comply with the federal rules for e-signatures and must clearly demonstrate the terms and intent of the parties who have signed the agreement. In addition, the signatory must have the option to receive a printed or emailed copy of the contract. Covered entities should seek legal advice about any state or local laws that might also determine whether or not e-signatures should be used under HIPAA rules.

User authorization

To prevent disputes about whether the person who entered into the agreement actually had the authority to do so, covered entities must put a system in place to validate the identity of all participating parties. Mechanisms such as two-step verification, "secret knowledge" questions, adopting specialized e-signature software, and phone or voice verification can all help resolve this problem.

Message integrity

Keeping all PHI secure and safe is of the utmost importance, which is why covered entities must put a system in place to prevent digital tampering and ensure the integrity of the agreement before, during, and after use. This condition is similar to the safeguards of the HIPAA Security Rule and should be treated with the same level of importance.

Non-repudiation

To ensure that no involved party can deny having completed the agreement, e-signatures used under HIPAA rules should carry a time-stamped audit trail, so that contracts remain legally enforceable and a party cannot later dispute having authorized the sharing of PHI.

The audit trail should show dates, times, locations, and the chain of custody. In addition, providing the signatory with a printed or emailed copy of the document can help to prevent repudiation.
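One concrete way to satisfy the message-integrity and audit-trail conditions above is to bind a hash of the signed document into every audit event and to hash-chain and key each event, so that altering the document, editing any event, or deleting an event is detectable. The code below is an added example written for this page, not code from JotForm or from any e-signature product. It assumes a constructed server-side HMAC key (a production system would hold an asymmetric signing key in the covered entity's own KMS or HSM and ideally obtain a trusted time-stamp, so the record can be verified without trusting whoever stores the log), and the document, actors, IP addresses and timestamps are constructed sample data.

```python
"""Tamper-evident e-signature record: document hash + keyed, hash-chained audit trail."""
import hashlib
import hmac
import json

# Constructed demo key. A real deployment keeps this key (better: an asymmetric
# signing key) in a KMS/HSM under the covered entity's control, not the vendor's.
AUDIT_KEY = b"constructed-demo-key-not-for-production"

GENESIS = "0" * 64  # prev_hash of the first event in a trail


def _canonical(event: dict) -> bytes:
    """Deterministic encoding of the protected fields (MAC and entry hash excluded)."""
    protected = {k: v for k, v in event.items() if k not in ("mac", "entry_hash")}
    return json.dumps(protected, sort_keys=True, separators=(",", ":")).encode()


def append_event(trail: list, event_type: str, actor: str, ip: str,
                 timestamp: str, document: bytes) -> dict:
    """Append one audit event, chained to the previous one and bound to the document hash."""
    event = {
        "seq": len(trail),
        "prev_hash": trail[-1]["entry_hash"] if trail else GENESIS,
        "timestamp": timestamp,      # RFC 3339 UTC timestamp supplied by the caller
        "event": event_type,         # sent / viewed / signed
        "actor": actor,
        "ip": ip,                    # the "location" the audit trail should record
        "doc_sha256": hashlib.sha256(document).hexdigest(),
    }
    canon = _canonical(event)
    event["mac"] = hmac.new(AUDIT_KEY, canon, hashlib.sha256).hexdigest()
    event["entry_hash"] = hashlib.sha256(canon).hexdigest()  # link for the next event
    trail.append(event)
    return event


def verify_trail(document: bytes, trail: list):
    """Return (ok, reason). Fails if the document or any event was altered, if an
    event was deleted or reordered, or if the trail never records a signature."""
    if not trail:
        return False, "empty trail"
    doc_hash = hashlib.sha256(document).hexdigest()
    prev = GENESIS
    for i, ev in enumerate(trail):
        canon = _canonical(ev)
        if ev.get("seq") != i or ev.get("prev_hash") != prev:
            return False, f"chain broken at event {i}"
        expected_mac = hmac.new(AUDIT_KEY, canon, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(ev.get("mac", ""), expected_mac):
            return False, f"MAC mismatch at event {i}"
        if ev.get("entry_hash") != hashlib.sha256(canon).hexdigest():
            return False, f"entry hash mismatch at event {i}"
        if ev.get("doc_sha256") != doc_hash:
            return False, f"document changed since event {i}"
        prev = ev["entry_hash"]
    if trail[-1]["event"] != "signed":
        return False, "trail does not end in a signature"
    return True, "ok"


def build_sample():
    """Constructed sample: an authorization to disclose PHI for research, three events."""
    document = (b"Authorization: I permit Example Clinic to disclose my records to "
                b"Example Research Institute for study purposes. -- Jane Doe")
    trail = []
    append_event(trail, "sent", "records@example-clinic.test", "203.0.113.10",
                 "2024-03-01T14:02:11Z", document)
    append_event(trail, "viewed", "jane.doe@example.test", "198.51.100.7",
                 "2024-03-01T15:40:03Z", document)
    append_event(trail, "signed", "jane.doe@example.test", "198.51.100.7",
                 "2024-03-01T15:41:27Z", document)
    return document, trail


if __name__ == "__main__":
    doc, trail = build_sample()
    print(verify_trail(doc, trail))                                 # (True, 'ok')
    print(verify_trail(doc.replace(b"Institute", b"Inc."), trail))  # document altered
    forged = [dict(e) for e in trail]
    forged[2]["timestamp"] = "2024-03-02T09:00:00Z"
    print(verify_trail(doc, forged))                                # MAC mismatch at event 2
    print(verify_trail(doc, trail[:1] + trail[2:]))                 # chain broken at event 1
```

Run as a script, the clean trail verifies and each of the three manipulations (changed document, edited timestamp, deleted event) is rejected with the reason shown. The HMAC proves the log was not modified by anyone without the key, which covers integrity and chain of custody; for a party to be unable to repudiate its own signature, the signing step should additionally be protected by a key or credential only that party controls, which is why the identity checks in the previous section matter.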

Ownership and control

The final condition for HIPAA-compliant e-signatures involves copies of signed documents that reside on the servers of e-signature service providers. All of the evidence supporting the e-signature should be on the same document under the ownership and control of the covered entity to ensure the integrity of PHI. Any other copies that exist — with the exception of those provided for the signatory — should be digitally shredded.

Just so you know
You’ve got your medical toolkit ready to help those in need — but what about your telemedicine toolkit? With JotForm’s HIPAA-compliant telehealth platform, you can easily create online medical forms that keep sensitive health data safe.

Using HIPAA-compliant e-signatures

It’s critical that the conditions necessary for e-signatures under HIPAA rules are met before e-signatures are used for any communications involving a patient’s PHI. When the correct mechanisms are put in place to ensure there is no risk to patient PHI, e-signatures are an efficient and convenient way to streamline processes, saving time and increasing patient satisfaction.

Firm believer in personal data privacy in the age of information. Close follower of the new regulations concerning patient confidentiality & HIPAA. You can reach George through his contact form.
