Are E-Signatures Valid Under HIPAA Guidelines?

By Concord Editorial   Mar 29, 2016

3-29-2016 | by Ben Fleshman


E-signatures are used in much of the business world, and their use is increasing daily. While some industries are legally barred from using e-signatures, the majority are not. The healthcare industry is one of the industries legally permitted to use e-signatures, but only provided that they meet certain criteria dictated by the federal government under HIPAA.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a bill passed under President Bill Clinton in 1998 which sets out the data privacy and security provisions that safeguard private health information.

Title II of HIPAA is typically what most people refer to when discussing “HIPAA compliance.” Title II is also known as the Administrative Simplification provision, and includes guidelines for:

  • National Provider Identifier Standard
  • Transactions and Code Sets Standards
  • HIPAA Privacy Rule
  • HIPAA Security Rule
  • HIPAA Enforcement Rule

Not all of these rules apply to electronic signatures, but this is the title where electronic signatures play the biggest role, as they are used to verify the identity of someone seeking to access private records.

All health care information is carefully protected from prying eyes by law, but the Privacy Rule does allow patients to access their healthcare data upon request.

In order to access their information, a patient must comply with the Omnibus Rule, the rule which dictates that a patient must sign a document affirming their agreement to receive marketing communications. This step is essential: without a written consent form, a patient cannot view their private health information. This is done to protect the patient’s information.

How do E-Signatures Fit In?

Previously, only paper signatures would have been legally acceptable. With the passage of UETA and ESIGN laws in the United States, however, electronic signatures have become legally binding throughout the nation.

E-signatures can be legally used to sign contracts, agreements, and even consent forms. Virtually anywhere a pen-and-paper signature could be used, an electronic or digital signature can be substituted. There are exceptions, but health care documents are not among them. Instead, the government, through the guidelines established in HIPAA, has allowed e-signatures to be used provided that certain criteria are met.

What Does HIPAA Require Regarding E-Signatures?

Originally, HIPAA had some provisions for e-signatures, but by 2003, the law had been modified to no longer include any provision for, or discussion of, e-signatures.

Since then, however, guidelines have been established regarding e-signatures and healthcare. First, in order for the digital signature to be valid, the patient must consent to its use and enter into a contract with their healthcare provider.

This process must be fully documented and include a two-factor method of identity authentication (combining factors such as a password and a photograph of some kind). In addition, the HIPAA Journal states that “Independent e-signatures should be used which contain all of the evidence supporting the signature in the same document, rather than one document being held by the CE and the other by the vendor of the e-signature.”

Electronically signed documents, as well as the requested health information, must be secured appropriately to prevent unauthorized access. The signature must be encrypted and tamper-proof, or at the very least tamper-evident, so that no one can alter or forge a signature without detection.
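As an added illustration (not code from the original post or from any e-signature vendor), the following Python sketch shows the two properties just described: the evidence supporting the signature is kept in the same record as the document hash, and a keyed seal makes any later alteration of the document or the evidence detectable. An HMAC with a constructed demo key stands in for the public-key signature a production product would use; the function names, record layout and sample values are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key: a real signing service keeps its key (or private key)
# out of the document; it is embedded here only so the example runs offline.
DEMO_KEY = b"demo-only-key-not-for-production"


def canonical(obj):
    """Deterministic JSON encoding so the seal is computed over stable bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_consent(document_text, signer, auth_factors, signed_at, key=DEMO_KEY):
    """Build an independent e-signature record: the document hash and all the
    evidence supporting the signature sit in one structure, and the seal covers
    that whole structure, so altering any part of it is detectable."""
    evidence = {
        "document_sha256": hashlib.sha256(document_text.encode()).hexdigest(),
        "signer": signer,
        "auth_factors": sorted(set(auth_factors)),  # e.g. password + photograph
        "signed_at": signed_at,
    }
    seal = hmac.new(key, canonical(evidence), hashlib.sha256).hexdigest()
    return {"document": document_text, "evidence": evidence, "seal": seal}


def verify_consent(record, key=DEMO_KEY):
    """Return (ok, reason): check the seal, then that the document text still
    matches the hash recorded at signing, then the two-factor requirement."""
    evidence = record["evidence"]
    expected = hmac.new(key, canonical(evidence), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["seal"]):
        return False, "evidence altered or seal forged"
    if hashlib.sha256(record["document"].encode()).hexdigest() != evidence["document_sha256"]:
        return False, "document text altered after signing"
    if len(evidence["auth_factors"]) < 2:
        return False, "fewer than two authentication factors recorded"
    return True, "valid"


if __name__ == "__main__":
    # Constructed sample: a consent form signed with two factors, then edited afterwards.
    rec = sign_consent("I consent to receive marketing communications.", "Pat Example",
                       ["password", "photograph"], "2016-03-29T12:00:00Z")
    print(verify_consent(rec))  # (True, 'valid')
    rec["document"] += " I also waive my right to access my records."
    print(verify_consent(rec))  # (False, 'document text altered after signing')
```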

This means that healthcare providers can legally utilize e-signatures under HIPAA guidelines, so long as the criteria described above are met.
