The Department of Health and Human Services has not issued specific guidance about what makes an electronic signature HIPAA compliant other than stipulating “any electronic signature used will result in a legally binding contract under applicable State or other law”. However, this may soon be about to change.
In the original text of the Health Insurance Portability and Accountability Act (HIPAA), the Secretary for Health and Human Services is instructed to adopt standards for electronic transmissions of Protected Health Information (PHI) and standards for electronic signatures for Part 162 transactions.
The standards for electronic transmissions evolved into the Security Rule, but standards for HIPAA compliant electronic signatures didn’t make it past the proposal stage due to “a lack of technical maturity and stakeholders’ lack of readiness to implement electronic capture”.
The problem at the time was that – in order to make an electronic signature HIPAA compliant – the electronic signature software had to be capable of ensuring authenticity, message integrity, and nonrepudiation in an open network environment.
Although digital signature software had these capabilities, the software was new to the market. Adopting the new technology would have incurred significant initial and ongoing costs for healthcare providers and health plans, so the proposal was dropped.
The Use of E-Signatures in Healthcare
Despite the lack of specific guidance about what makes an electronic signature HIPAA compliant, the use of e-signatures in healthcare developed over time – not only for signing Part 162 transactions, but also for confirming user credentials, creating EHR audit trails, and e-prescribing.
Following HHS guidance that electronic signatures could be used to sign Business Associate Agreements, other uses of e-signatures in healthcare developed to include many that are governed by the Privacy and Security Rules. These include, but are not limited to:
- Remote acknowledgement of receipt for a Notice of Privacy Practices.
- Obtaining patient consent when an opportunity to agree or object exists.
- The verification of a patient’s identity prior to a telehealth consultation.
- Acknowledgement of procedural risks prior to a medical procedure.
- Remote authorizations from individuals with medical Power of Attorney.
- The revocation of an authorization by an individual or their personal representative.
- Employee attestation they have attended or completed HIPAA training.
When the use of e-signatures in healthcare involves the use or disclosure of PHI (or the creation of PHI in the case of registering for a HIPAA compliant electronic signature), it is important Covered Entities comply with the Privacy and Security Rules to maintain the confidentiality of PHI.
CMS’ Proposed Electronic Signature HIPAA Compliant Standard
The reason that guidance about what makes an electronic signature HIPAA compliant may be about to change is that, in December 2022, CMS published a proposed rule which would add three new transaction codes to Part 162 in order to account for healthcare attachment transactions.
Healthcare attachment transactions are transactions when a provider is required to provide additional information to support an authorization request or claim for payment; and, in most cases, the additional information (or attachment) is sent separately from the original transaction.
Because attachments cannot be sent with the original transaction codes, they are most often mailed or faxed. This can cause delays in obtaining authorizations, administering treatments, and receiving payments, and this is what CMS is hoping to resolve with the new transaction codes.
However, because of the risk of theft and fraud, when a healthcare attachment transaction is submitted by a provider it must be digitally signed to authenticate the sender, guarantee the integrity of the message, and ensure the transaction cannot repudiated or disputed by the originator.
The use of an electronic signature for healthcare attachment transactions is not mandated because attachments can still be mailed or faxed. However, if an electronic signature is used – and CMS’ proposed rule is finalized – the signature will have to comply with the electronic signature HIPAA compliant standard.
Why the Standard Might be Extended to Other Transactions – and Beyond
When a standard for HIPAA compliant electronic signatures was proposed in the text of HIPAA, the intention was to apply the standard to all Part 162 transactions. While the current proposals are to apply an electronic signature HIPAA compliant standard to just three transactions, it is possible the standard may be extended to all transactions – and beyond.
This is because the 2020 Interoperability and Patient Access Final Rule and the subsequent Advancing Interoperability Proposed Rule advocate allowing patients to connect to PHI record sets via an app of their choice and not only being able to access their medical histories, but also information relating to authorizations for treatments – both approved and denied.
If patients are given access to the full range of information via an app of their choice, it raises two challenges. The first is making sure the information being accessed is accurate, and the second is overcoming potential security risks attributable to apps lacking basic security measures such as user authentication, encryption, and safeguards against reverse engineering.
A universal electronic signature HIPAA compliant standard can help overcome both these challenges by increasing accountability for the accuracy of PHI data sets and ensuring a person remotely logging into a PHI data set is who they say they are. While these measures may still be some time away, it is something Covered Entities should consider if implementing or upgrading electronic signature software.