Healthcare professionals find digital signatures to be of great benefit in their daily operations. The use of the signatures increases the efficiency of many administrative tasks, but countless practitioners remain hesitant to use them. They don’t understand the requirements and worry they won’t be in compliance. How can a practice find electronic signature software that’s compliant with all HIPAA requirements?
The practice must ensure the security and legality of any document signed electronically. Furthermore, they must guarantee the integrity of the protected health information. When the software meets these two requirements, the practice is free to use digital signatures as proof that a document has been read and the signer agrees to its contents. What do healthcare professionals need to know about hipaa compliant digital signature rules before proceeding with the purchase?
E-Signatures and HIPAA
Medical practitioners often turn to the 2003 Security Rule to learn what is required for the use of e-signatures in their practice. Unfortunately, the information they need to ensure they remain in compliance won’t be found here. Proposals for the signatures were initially in the legislation but were later removed. The U.S. Department of Health and Human Services later issued a statement saying healthcare providers could use electronic signatures if they would result in a contract that is legally binding under applicable law.
Many healthcare transactions require no signature. Nevertheless, two situations arise when a signature is needed, and digital signatures become of great help. What are these situations?
Business Associate Agreements
A software company or cloud platform provider is considered a business associate of an entity covered by HIPAA when its platform or software comes into contact with protected health information. Before the service can be used, the software or cloud platform provider must sign a business associate agreement. This agreement may be signed using digital signatures.
Protected Health Information Release
Any use or disclosure of protected health information that is not allowed under the HIPAA Privacy Rule requires prior authorization from the patient. A practitioner may obtain this authorization in writing during a patient visit or have it signed electronically. Many practitioners find an electronic copy to be easier and more convenient when they need to confirm the patient’s authorization.
HIPAA E-Signature Conditions
E-signatures remain allowed as long as they comply with the Federal Electronic Signatures in Global and National Commerce Act and the Uniform Electronic Transactions Act. The document must be in legal compliance, and user authentication must occur. Practitioners must also protect the integrity of the message from digital tampering and put measures into place to ensure the e-signature comes with an audit trail. This becomes of importance if the patient repudiates the document.
Furthermore, the healthcare practitioner must retain ownership and control of signed documents. Other than the practitioner, the only person who should have a copy of the document would be the signer. Other copies, including those on the digital signature software provider’s server, are to be destroyed. The only exception to this is when the covered entity has a business associate agreement with the software provider.
Healthcare providers find e-signature technology comes with many benefits. Nevertheless, care must be taken to ensure mistakes aren’t made and the practice doesn’t become a victim of fraud. The type of transaction determines the risk. For this reason, the covered entity needs to complete a risk assessment to determine where electronic signatures should be used and where they must be avoided. If a digital signature service provider cannot be of assistance with these tasks, the healthcare professional must look elsewhere.