Ink and paper are losing ground in healthcare, increasingly exchanged for the convenience and lower cost of digital technology. E-signatures are the catalyst for this shift, facilitating EHR use and the fast, mobile processing of prescriptions, medical orders, patient information release forms and other documents, which streamlines and expedites both clinical and administrative processes.
Consider these figures from Manhattan Research:
- 81 percent of U.S. physicians own an iPad
- 85 percent of U.S. physicians own or use a smartphone professionally
- 39 percent of U.S. physicians communicate online with patients
But the digital ubiquity that e-signatures support inevitably raises security concerns, particularly where protected health information (PHI) guarded by the Health Insurance Portability and Accountability Act (HIPAA) is involved. As the Office for Civil Rights (OCR) ramps up Phase II of its HIPAA Audit Program, covered entities must stay vigilant to ensure that their information management policies, including their standards for e-signature usage, are HIPAA compliant.
Ambiguity abounds for HIPAA best practices
While HIPAA is clear that PHI is to be staunchly defended, it is much less specific about the acceptable uses of e-signatures. Electronic signature standards were part of the proposed Security Rule published in 1998, but all mention of e-signatures was removed before the final rule was adopted in 2003. This left healthcare organizations to infer requirements from the rest of the HIPAA text.
According to HHS guidance on the HIPAA Privacy Rule, “…currently, no standards exist under HIPAA for electronic signatures. Thus, in the absence of specific standards, covered entities should ensure any electronic signature used will result in a legally binding contract under applicable state or other law.”
In the absence of such guidance, it falls to the healthcare provider to ensure that its e-signature technology complements and reinforces its HIPAA program. E-signatures alone cannot make an organization HIPAA compliant, but the right e-signature solution can provide the mobility that today's digitally driven environment expects, and often demands, while serving as a tool to strengthen overall PHI security.
Enabling HIPAA compliance through independent e-signatures
HIPAA neither mandates the use of e-signatures nor prescribes a particular technology for them. Independent e-signature technology can nonetheless support HIPAA compliance by providing the following:
Legal compliance: Independent e-signature technology creates legally binding agreements by requiring users to consent to the use of e-signatures, clearly capturing the signer's intent to sign the document and logically associating the signature with the document itself. This supports federal and state electronic signature laws, including the Electronic Signatures in Global and National Commerce Act (ESIGN Act) and the Uniform Electronic Transactions Act (UETA).
Message integrity: E-signed documents containing PHI must maintain their integrity throughout their lifecycle. E-signatures that can be classified as independent, meaning the signature is cryptographically bound to the document and the legal evidence behind it (signer identity, consent, audit trail) is embedded directly in the document rather than held on an external server, protect the integrity of PHI in the document: any later change to the content or the embedded evidence invalidates the signature, which is what makes an independent e-signature tamper-evident.
Non-repudiation: For robust security consistent with the purpose of HIPAA, independent e-signature technology provides verifiable evidence supporting the validity of each signature. The detailed audit trail that is integral to an independent e-signature gives an immediate, transparent record of the entire signing process and makes it difficult for a signer to later deny having signed.
User authentication: The identity authentication built into independent e-signatures can also prevent unauthorized parties from accessing, viewing or otherwise compromising healthcare documents and data. As with e-signatures, HIPAA contains no specific identity authentication requirements, but the spirit of the law prioritizes rigorous security, which extends naturally to user authentication. Two-factor authentication, for example a password plus a one-time PIN sent by text message before documents are released (a weaker second factor than an authenticator app or hardware token, but a common one), helps confirm that only the right eyes have access. Knowledge-based authentication, which asks the signer for closely held information and matches it against records in public databases, can raise identity assurance further.
Ownership and control: Independent e-signatures also support HIPAA compliance by existing independently of the e-signature vendor. Because the evidence behind the signature is embedded in the signed document, a PHI-laden document need not live on two servers, one owned by the healthcare organization and one by the vendor. There is only one signed document, and it can rest solely in the hands of the covered entity, with any other copies digitally shredded. Since a breach at an external vendor could expose every PHI-bearing document stored there, such ownership and control are valuable tools for achieving HIPAA compliance while still enabling mobility. The covered entity remains responsible for protecting the single copy it holds.
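The integrity, non-repudiation and ownership points above all rest on one mechanism: cryptographic evidence carried inside the document itself, so that anyone holding the file can verify it without contacting the vendor. The Go program below is an added illustration of that mechanism; it is not SIGNiX code or any vendor's product. It assumes an Ed25519 signature over a JSON envelope, a constructed sample release form rather than real PHI, and hypothetical field names (Signer, Consent, AuditTrail).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// AuditEvent is one step of the signing ceremony (consent shown, document
// viewed, signature applied). The whole trail travels inside the document.
type AuditEvent struct {
	At     string `json:"at"` // timestamp as recorded by the signing system
	Action string `json:"action"`
}

// SignedDocument bundles the PHI-bearing content with every piece of evidence
// a verifier needs: signer identity, consent flag, audit trail and public key.
// Nothing has to be fetched from a vendor server to check it. (Hypothetical
// layout for illustration, not a standard format.)
type SignedDocument struct {
	Document   []byte       `json:"document"`
	Signer     string       `json:"signer"`
	Consent    bool         `json:"consent"`
	AuditTrail []AuditEvent `json:"audit_trail"`
	PublicKey  []byte       `json:"public_key"`
	Signature  []byte       `json:"signature,omitempty"`
}

// canonical returns the bytes that get signed: the JSON encoding of the record
// with the signature field cleared. encoding/json emits struct fields in
// declaration order, so signer and verifier derive identical bytes.
func canonical(sd SignedDocument) ([]byte, error) {
	sd.Signature = nil
	return json.Marshal(sd)
}

// NewSignerKey generates a fresh Ed25519 key pair for the signer.
func NewSignerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign refuses to produce a signature unless the signer consented to e-signing
// (the ESIGN/UETA consent step), then binds document, identity, consent and
// audit trail together under a single signature.
func Sign(doc []byte, signer string, consent bool, trail []AuditEvent, priv ed25519.PrivateKey) (SignedDocument, error) {
	if !consent {
		return SignedDocument{}, errors.New("signer has not consented to electronic signature")
	}
	sd := SignedDocument{
		Document:   doc,
		Signer:     signer,
		Consent:    consent,
		AuditTrail: trail,
		PublicKey:  []byte(priv.Public().(ed25519.PublicKey)),
	}
	msg, err := canonical(sd)
	if err != nil {
		return SignedDocument{}, err
	}
	sd.Signature = ed25519.Sign(priv, msg)
	return sd, nil
}

// Verify checks the embedded signature against the embedded public key. Any
// change to the document, signer, consent flag or audit trail alters the
// canonical bytes and makes this return false: that is the tamper evidence.
func Verify(sd SignedDocument) bool {
	if len(sd.PublicKey) != ed25519.PublicKeySize || len(sd.Signature) != ed25519.SignatureSize {
		return false
	}
	msg, err := canonical(sd)
	if err != nil {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(sd.PublicKey), msg, sd.Signature)
}

func main() {
	_, priv, err := NewSignerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: a release-of-information form, not real PHI.
	form := []byte("Authorization for release of records: patient J. Doe, MRN 000000")
	trail := []AuditEvent{
		{At: "2015-06-01T14:03:11Z", Action: "consent to e-sign accepted"},
		{At: "2015-06-01T14:04:27Z", Action: "document viewed"},
		{At: "2015-06-01T14:05:02Z", Action: "signature applied"},
	}
	sd, err := Sign(form, "Dr. A. Example", true, trail, priv)
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", Verify(sd))

	edited := sd // same signature, altered content
	edited.Document = []byte(string(form) + " and billing records")
	fmt.Println("edited document verifies:", Verify(edited))

	stripped := sd // same signature, audit trail shortened
	stripped.AuditTrail = sd.AuditTrail[:1]
	fmt.Println("stripped audit trail verifies:", Verify(stripped))
}
```

Two caveats follow from this design. First, because the public key is embedded, an attacker who can rewrite the document can also swap in a key of their own and re-sign; a verifier therefore still needs an out-of-band anchor that ties the key to the named signer, such as a certificate issued by a trusted authority, which this example omits. Second, a trusted timestamp from an independent time source is what makes the audit trail's times evidential rather than self-asserted.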
Independent e-signatures let healthcare administrators realize the real benefits of mobility, cost savings and efficiency. By understanding where due diligence is needed in the technology itself, providers can use e-signatures to support HIPAA compliance at a time when the importance of such compliance cannot be overstated.
John Harris is the senior vice president of product management at SIGNiX, an electronic signature solutions provider.