Conditions for Using E-Signatures Under HIPAA Rules

Using digital signatures in the medical sector has made many procedures more efficient. But do the HIPAA rules allow e-signatures? The quick answer is "yes", but only if the systems are set up so that the legality and security of the document, contract, authorization, or agreement, and the integrity of PHI, are not put at risk.

What is Allowed by HIPAA Concerning E-Signatures?

Proposals for using e-signatures under the HIPAA rules were included in the initial draft of the 2003 Security Rule, but they were removed before the legislation was approved. Subsequent guidance on Business Associate Agreements and the sharing of electronic health information, posted on the website of the U.S. Department of Health and Human Resources, states that HIPAA contains no standards for electronic signatures. In the absence of specific standards, covered entities should make sure that any electronic signature they use creates a legally binding agreement under applicable State or other legislation.

In general, many medical transactions that share PHI for treatment or payment do not require a signature at all, which raises the question of whether the use of e-signatures under the HIPAA rules is redundant. Nonetheless, when a signed authorization is required for a PHI disclosure not otherwise permitted by the HIPAA Privacy Rule (for instance, for marketing or research purposes), specific conditions must be in place.

The Conditions Requiring E-Signatures as per HIPAA Rules

The conditions for e-signatures under the HIPAA rules must also take into account the Uniform Electronic Transactions Act (UETA) and the federal Electronic Signatures in Global and National Commerce Act (ESIGN Act). The conditions are:

Legal Compliance. The contract, document, agreement, or authorization must not only comply with the federal regulations for e-signatures; it must also clearly state the terms, clearly show the intent of the signatory, and give the signatory the option of obtaining a printed or digital copy of the agreement. Covered entities are also advised to seek legal counsel on any state or local legislation that may determine whether e-signatures can be used under HIPAA regulations.

User Authentication. Covered entities need to implement a system for verifying the identity of the parties to a transaction, so as to prevent later disputes over whether the individual who signed the agreement actually had the authority to do so. Measures such as two-step verification, "secret knowledge" questions, specialized e-signature software, and telephone/voice authorization can address this problem.

Message Integrity. A system that prevents digital tampering with the contract after it is signed must be in place to protect the integrity of the signed agreement both in transmission and in storage. This condition closely mirrors the safeguards of the HIPAA Security Rule and should be treated with the same seriousness. OCR auditors may look for e-signature risk assessments and a high degree of integrity across the board in the next phase of HIPAA audits.

Non-Repudiation. To ensure that a signatory cannot deny having signed the contract, e-signatures used under the HIPAA rules should carry a timestamped audit trail recording times, dates, locations, and the chain of custody. This ensures that agreements are legally enforceable and that an authorization to disclose PHI cannot be disputed later. Providing the signatory with a printed or digital copy of the file is another way to prevent repudiation.
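The Message Integrity and Non-Repudiation conditions above both come down to the same engineering requirement: once a document is signed, any later change to the document or to its audit record must be detectable. The following Python example is added here to illustrate that requirement; it is not code from the article or from any e-signature product, and every name, key and record value in it is a constructed assumption. Each audit entry binds a SHA-256 digest of the signed document to the signer, timestamp, location and the previous entry, and the whole entry is sealed with an HMAC under a key held by the covered entity as record owner. One caveat a practitioner should note: a keyed MAC proves to the key holder that stored records were not altered (the integrity condition), but because the same key could produce a forged entry it does not by itself give legal non-repudiation against the covered entity; commercial platforms use asymmetric signatures and independent timestamps for that part.

```python
"""Tamper-evident audit trail for an e-signed authorization.

Added illustration, not the article's or any vendor's code. The key, the
document and the audit events below are constructed sample values.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed demo key. In practice this key belongs to the covered entity
# (the record owner) and is never shared with the signatory or the vendor.
AUDIT_KEY = b"constructed-demo-key-do-not-reuse"

GENESIS_MAC = "0" * 64  # chain anchor for the first entry


def document_digest(document: bytes) -> str:
    """Fingerprint of the exact bytes the signatory saw and signed."""
    return hashlib.sha256(document).hexdigest()


def _entry_mac(entry_body: dict) -> str:
    """Seal an entry: canonical JSON so field order cannot change the MAC."""
    canonical = json.dumps(entry_body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, canonical, hashlib.sha256).hexdigest()


def append_entry(trail: List[dict], event: str, signer_id: str, document: bytes,
                 location: str, timestamp: Optional[str] = None) -> dict:
    """Append one timestamped, chained audit event (presented, signed, stored...)."""
    prev_mac = trail[-1]["mac"] if trail else GENESIS_MAC
    body = {
        "seq": len(trail),
        "event": event,
        "signer_id": signer_id,
        "document_sha256": document_digest(document),
        "location": location,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "prev_mac": prev_mac,  # links this entry to the one before it
    }
    entry = dict(body, mac=_entry_mac(body))
    trail.append(entry)
    return entry


def verify_trail(trail: List[dict], document: bytes) -> Tuple[bool, str]:
    """Check the chain, every seal, and that the stored document still matches.

    Returns (ok, reason). Any edited entry, removed entry, reordered entry or
    altered document makes this fail.
    """
    expected_digest = document_digest(document)
    prev_mac = GENESIS_MAC
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i:
            return False, f"sequence gap at entry {i}"
        if body.get("prev_mac") != prev_mac:
            return False, f"chain broken at entry {i}"
        if not hmac.compare_digest(_entry_mac(body), str(entry.get("mac", ""))):
            return False, f"entry {i} altered"
        if body.get("document_sha256") != expected_digest:
            return False, f"document no longer matches the signed copy at entry {i}"
        prev_mac = entry["mac"]
    return True, "ok"


def build_demo_trail(document: bytes) -> List[dict]:
    """Constructed sample: an authorization presented to and signed by a patient."""
    trail: List[dict] = []
    append_entry(trail, "presented", "patient-0001", document,
                 "ip:203.0.113.7", "2024-01-15T14:02:11+00:00")
    append_entry(trail, "signed", "patient-0001", document,
                 "ip:203.0.113.7", "2024-01-15T14:05:40+00:00")
    return trail


if __name__ == "__main__":
    # Constructed sample document; a real one would be the authorization text.
    doc = b"AUTHORIZATION FOR RELEASE OF PHI (constructed sample text)"
    trail = build_demo_trail(doc)
    print(verify_trail(trail, doc))               # (True, 'ok')
    print(verify_trail(trail, doc + b" amended"))  # document changed after signing
```

The `verify_trail` check is what a covered entity would run before relying on a stored authorization, and what an auditor would expect to see exercised in the entity's e-signature risk assessment: each check maps to one of the conditions in the article (document digest to Message Integrity, sequence and chain fields to the chain of custody, timestamp and location to the audit trail).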

Ownership and Control. The last condition for using e-signatures under HIPAA concerns copies of signed files held on the servers of e-signature service providers. For a covered entity to be certain of PHI integrity, all of the evidence supporting the e-signature must be kept in the same record, owned and controlled by the covered entity. Any other copies, other than those provided to the signatory, should be digitally deleted.

Carry out a Risk Evaluation to Determine If E-Signatures Can be Utilized under HIPAA Rules

Using e-signature technology has benefits, but it can also increase the risk of medical errors and fraud. The level of risk will vary with the nature of the transaction, so covered entities are advised to perform a risk analysis before deciding to use e-signatures under the HIPAA rules in their particular setting.

It is especially important that a covered entity resolves the conditions required for e-signatures under the HIPAA rules before adopting e-signatures for any critical communication that affects a patient's individually identifiable protected health information.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism.