While many healthcare organizations have switched to e-signature systems, others are still unsure of the requirements where HIPAA is concerned. Making the switch can be confusing at first, especially when the legal standing of an e-signature is compared with that of a traditional signature.
Are these electronic signatures the same as signing a physical document? Yes, if the right procedures and mechanisms are in place to ensure the integrity and legal standing of the contract, agreement, authorization, or documentation, and the integrity of PHI (Protected Health Information) is not put at risk. This means it is permissible for entities covered by HIPAA and their business associates to use e-signature systems like mSign to confirm that an individual has fully read and agrees to the contents of a document.
Does HIPAA Cover E-Signatures?
Under the initial draft of the 2003 Security Rule addition to the HIPAA rules and guidelines, proposals for the use of e-signatures under HIPAA were formulated but excluded before the legislation was passed. To compensate, guidance relating to the exchange of electronic healthcare information and Business Associate Agreements was posted to the U.S. Department of Health and Human Services website.
This guidance states that no standards exist under the HIPAA legislation pertaining to electronic signatures of any kind. In the absence of any specific standards, covered entities must ensure on their own that any signatures acquired electronically will still result in a legally binding contract under their applicable state or local laws. This guidance has been in use since it was provided, helping healthcare officials secure their patients’ information properly under HIPAA. Learn more about the HIPAA Security Rule.
Normally, signatures are not required when healthcare transactions are processed for organizations. The real use of e-signatures comes from patients authorizing medical procedures or other healthcare actions, and from business associate agreements. Typically, this covers most software companies and cloud platform providers, since their software and platforms often interact directly with PHI. A business associate agreement (BAA) must be in place, and signed, before these services can be used, which, conveniently, is itself a use case for e-signatures.
Authorization must still be obtained for any uses and disclosures of PHI not expressly permitted in the HIPAA Privacy Rule. While these authorizations can still be obtained in writing during patient visits, patients increasingly have access to electronic copies of their documents and healthcare information, which is more convenient for them. Of course, this also means another e-signature to confirm that the patient agreed.
HIPAA’s Required Conditions for E-Signatures
Because HHS does not prohibit the use of e-signatures, and they are not mentioned specifically in the HIPAA Rules, e-signatures are considered acceptable if they fully comply with the Uniform Electronic Transactions Act (UETA) and the federal Electronic Signatures in Global and National Commerce (ESIGN) Act.
The following are the conditions of the ESIGN Act and UETA:
- Legal Compliance. The documents in question should clearly show the terms, the intent of the signatory, and the option to receive printed or emailed copies of the contract, agreement, authorization, or document being signed. The document should also fully adhere to all federal rules for e-signatures. Covered entities should also obtain legal advice on any local or state legislation that could affect the use of e-signatures.
- Ownership and Control. To ensure the integrity of PHI, all evidence that supports the e-signature should be kept with the document, under the ownership and management of the covered entity the signatory signed with. This keeps a patient’s health records safe and secure when they are stored on servers that an e-signature service provider supplies to the covered entity. All digital copies, aside from those given to the signatory, should be destroyed unless the covered entity and the e-signature company have entered into a business associate agreement.
- User Authentication. Login systems and two-step verification procedures can go a long way towards protecting a person’s private data. This includes healthcare information stored by a covered entity and signed for by a patient via e-signature. Protecting this data is essential for privacy, but protecting access to this data is essential for the patient’s security. Making sure the patient is the one requesting the information protects not just their information but also the covered entity from legal repercussions. Secret security questions, two-step verification, password security, and phone or voice authorization can help address these issues.
- Non-Repudiation. To prevent the signatory from denying that they completed an agreement with the covered entity, e-signatures under the HIPAA Rules should always be timestamped. This leaves a clear audit trail showing the date, time, location, and chain of custody for the document and agreement being signed. It ensures that patients are not forced into signing something they do not agree with, and it also protects covered entities from patients denying they signed for procedures they received. It further helps to legally enforce contracts signed by the signatory. One additional step is to provide the signatory with printed or emailed copies as proof that they did sign the contract.
- Message Integrity. Another form of security for both the signatory and the covered entity is a system that stops digital tampering with the signed agreement after its completion. This must be implemented to ensure the document’s integrity both in transit and at rest, and it should be given the same level of importance as the HIPAA Security Rule gives to e-communications.
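The Non-Repudiation and Message Integrity conditions above amount to a timestamped signature record that is bound to the exact document bytes and detects any later change. The following is an added example, not code from the article or from any e-signature product; HMAC-SHA256 stands in for the signing primitive, and the key, signer id and document text are constructed sample values.

```python
# Added example: a tamper-evident, timestamped e-signature record.
# HMAC-SHA256 is used here as a stand-in for the signature primitive; a real
# deployment would use a public-key signature so verifiers never hold the
# signing key, which is what gives true non-repudiation.
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample values; in practice the key lives in a KMS or HSM.
SIGNING_KEY = b"example-signing-key-not-for-production"
SAMPLE_DOCUMENT = b"Authorization to disclose PHI to Example Clinic for treatment."


def canonical(record: dict) -> bytes:
    """Deterministic JSON so signer and verifier MAC exactly the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_document(document: bytes, signer_id: str, signed_at=None, key=SIGNING_KEY) -> dict:
    """Record what was signed (hash), by whom, and when, then MAC all of it.
    The hash binds the signature to the exact document bytes (integrity);
    the timestamp and signer id form the audit-trail entry (non-repudiation)."""
    signed_at = signed_at or datetime.now(timezone.utc).isoformat()
    record = {
        "doc_sha256": hashlib.sha256(document).hexdigest(),
        "signer_id": signer_id,
        "signed_at": signed_at,
    }
    record["mac"] = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return record


def verify_document(document: bytes, record: dict, key=SIGNING_KEY) -> str:
    """Return 'ok', 'record_tampered' or 'document_tampered'. The MAC is checked
    first so an altered timestamp or signer id is caught before the record is
    trusted to say which document it belongs to."""
    body = {k: v for k, v in record.items() if k != "mac"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record.get("mac", "")):
        return "record_tampered"
    if not hmac.compare_digest(body["doc_sha256"], hashlib.sha256(document).hexdigest()):
        return "document_tampered"
    return "ok"


def demo() -> tuple:
    """Sign once, then verify the intact, edited, and back-dated cases."""
    rec = sign_document(SAMPLE_DOCUMENT, "patient-0001", "2024-01-15T14:30:00+00:00")
    backdated = dict(rec, signed_at="2023-01-01T00:00:00+00:00")
    return (verify_document(SAMPLE_DOCUMENT, rec),
            verify_document(SAMPLE_DOCUMENT + b" and research", rec),
            verify_document(SAMPLE_DOCUMENT, backdated))
```

Running `demo()` returns `("ok", "document_tampered", "record_tampered")`, showing that both an edited document and an edited audit-trail entry are detected at verification time.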
If these conditions are followed properly, the security of a patient’s medical information should never be in question, nor should an organization’s ability to protect that information.
E-signatures certainly have benefits for efficiency and security, but they can also increase the risk of medical mistakes and create opportunities for fraud. The dangers differ depending on the nature of the transaction and the reason for the e-signature. Conducting a risk assessment before deciding whether e-signatures are right for your organization will help with that decision.