Digital Signatures in Healthcare: Are They Truly Compliant?
Learn the ins and outs of signing electronic health records and other documents so that they comply with HIPAA and hold up in court.
(Updated May 6, 2020)
If you practice telehealth, keep electronic medical records or health records (EMRs/EHRs), or conduct business with parties over a long distance, you’ve probably “signed” notes or documents digitally. Often, this requires merely logging in, clicking a button, or typing your name.
It’s often so easy, in fact, that it doesn’t feel like it carries the same weight as a handwritten signature. Thus, you may wonder: does the law recognize this digital signature as valid? Is it HIPAA compliant?
Electronic Signatures vs. Digital Signatures
First, let’s start with some definitions. An electronic signature is any signature that is created or captured through a computer or other electronic device. Electronic signatures (also called e-signatures) can include touch-sensitive screens where you use your finger or a stylus to sign your name as you would on a paper document. Electronic signatures can also include forms where you merely type in your name and perhaps other identifying information, then check a box stating that you intend to sign the document.
Digital signatures introduce another level of authenticity by using a cryptographic operation to bind the signature to the data being signed. This operation creates a unique fingerprint that cannot be duplicated and authenticates the document with a digital code. It is done through the Public Key Infrastructure (PKI), a set of requirements that allow (among other things) digital signatures to be unique and secure.
Once a document is digitally signed, it is locked in. Locking a document means no additional signatures, annotations, or form fill-ins will be allowed. If the document is changed at any time after signing, the signature is considered invalid.
Note that some EMRs and EHRs do not ask you to physically sign the chart upon viewing. The program knows you were the one who logged in, and it will record that you have entered the note. In fact, these programs’ logs of who has accessed patient records are often the basis for discovering HIPAA breaches.
The Laws of Digital Signing
The federal government has developed laws to regulate how electronic signing works in healthcare. The federal government first recognized the validity of electronic signatures with the United States Electronic Signatures in Global and National Commerce (ESIGN) Act. Then came the Uniform Electronic Transactions Act (UETA) which is meant to blend state laws regarding the validity of electronic signatures. Most states have adopted UETA, while a handful of states (such as Illinois) have enacted their own electronic signing laws.
ESIGN and UETA both have four requirements for an electronic signature to be valid:
- There must be an intent to sign – like traditional ink signatures, it is valid only if each party intended to sign the document.
- The parties must consent to do business electronically. Electronic records may be used in transactions with consumers only when the consumer has:
  - Received UETA Consumer Consent Disclosures
  - Affirmatively agreed to use electronic records for the transaction
  - Not withdrawn such consent
- Association of signature with the record – the system used to capture the transaction must keep an associated record that reflects the process by which the signature was created, or generate a textual or graphic statement (which is added to the signed record) proving that it was executed with an electronic signature
- Record retention – electronic signature records must be retained, and accurate reproductions must be available for reference by all parties or persons entitled to retain the contract or record
Keep in mind that HIPAA still applies regarding ESIGN. For a patient’s privacy to be protected under HIPAA, there are three crucial requirements:
- The patient must consent to its use and willingly enter into an agreement with the healthcare provider.
- The process must be completely documented and include a two-factor technique for identity authentication (such as a photograph or password of some kind). This is to avoid debates as to whether the patient had a right to enter into the contract.
- Message integrity must be observed. The medical documents are required to be secured properly to prevent unauthorized access. The signature should be encrypted and locked to ensure no tampering or forging of signatures.
Digital signatures are key to adding extra security when dealing with PHI and are incredibly beneficial. Digital signatures create a digital fingerprint through encryption technology, which is not available in inked signatures. The PKI is a high standard that will effectively secure your data, and digital signatures have global acceptance. Digital signatures also allow for long-term retention and access, as well as independent verification.
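To make the locking and message-integrity points concrete, here is an added example (not code from the original article or from any EHR vendor) that signs a constructed, hypothetical telehealth note with a key pair, then shows that a post-signing edit to the note body fails verification. It assumes Ed25519 as the signature scheme and a simple signer/timestamp/body record layout; the article itself does not specify an algorithm or format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedNote is a constructed, hypothetical EHR note envelope: the note body,
// the signer identity and timestamp that attribute the signature, and the
// signature that locks all three together.
type SignedNote struct {
	Signer    string
	Timestamp string
	Body      string
	Signature []byte
}

// payload returns the exact bytes the signature binds. Any later edit to the
// signer, timestamp or body (an added annotation, a changed name) yields
// different bytes, so the stored signature no longer matches.
func payload(n SignedNote) []byte {
	return []byte(n.Signer + "\n" + n.Timestamp + "\n" + n.Body)
}

// Sign locks a note by signing its payload with the signer's private key.
func Sign(priv ed25519.PrivateKey, signer, ts, body string) SignedNote {
	n := SignedNote{Signer: signer, Timestamp: ts, Body: body}
	n.Signature = ed25519.Sign(priv, payload(n))
	return n
}

// Verify reports whether the note is exactly what the key holder signed.
// Only the public key is needed, so any party can check it independently.
func Verify(pub ed25519.PublicKey, n SignedNote) bool {
	return ed25519.Verify(pub, payload(n), n.Signature)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	note := Sign(priv, "dr.example", "2020-05-06T10:15:00Z", "Telehealth visit; follow up in 2 weeks.")
	fmt.Println("original verifies:", Verify(pub, note)) // true
	altered := note                                       // copy keeps the old signature
	altered.Body += " Refill authorized."                 // a post-signing "annotation"
	fmt.Println("altered verifies:", Verify(pub, altered)) // false
}
```

The same check fails if the signer name or timestamp is edited, which is what makes the signed record a reliable audit artifact rather than just a locked body.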
Digital Signatures and Online Patient Forms (HIPAA forms, registration packet, etc.)
If your practice is using a telehealth platform, the ability for your patients to digitally sign consent forms should be available to you. However, for a patient’s signature to be legally enforceable, the signature must conform to HIPAA, ESIGN, and UETA requirements.
There are tons of options to choose from. Normally, the vendor that you choose to help you transition to telehealth will let you upload your own consent and HIPAA forms to be digitally signed, or they can work with your practice and create electronic forms to provide to patients.
A few more things to consider as you transition your practice to telehealth:
- Make sure you understand who has access to and owns data created during patient telehealth visits.
- Understand the pricing structure of your telehealth vendor.
- Confirm with your EHR (or EMR) vendor that your practice is suited to move to telehealth, even temporarily.
Also of note, because of the ongoing COVID-19 pandemic, the federal government’s Office for Civil Rights (OCR) has announced that they will not impose penalties on physicians providing telehealth services that don’t comply with all HIPAA requirements. As long as the physician is providing telehealth care in good faith, the OCR is willing to be flexible during this public health emergency. (For more information, see “HIPAA Changes Amid COVID-19: Fact vs. Fiction.”)
The link below provides suggestions for telehealth vendors that are sponsored by the AMA.
Executing Employment Contracts
Under federal regulations UETA and ESIGN, electronic signatures are considered as valid as traditional “wet” signatures. Employers should take measures to ensure that these electronic signatures will be enforced in the event of litigation. First, employers and employees should agree, separately from the actual employment contract, to e-sign the document. Employers should provide the employee access to sign the contract with a unique log-in and password that the employee creates and only they know. In addition, as under HIPAA’s requirements, the e-signature should also include information that attributes the signature to the employee, such as an IP address or a time stamp.
Power of Attorney and Digital or Electronic Signatures
Medical power of attorney is regulated by state law. For example, in Illinois, a healthcare power of attorney document can be signed using an electronic signature as long as each signer has a unique personal identifier and complies with security requirements for digital or electronic signatures. To further simplify things, the State has provided a short form that can be used to dictate a healthcare power of attorney.
Electronic or Digital Signatures and Real Estate Transactions
If you’re closing on a commercial building purchase, can you execute the closing documents with a digital signature? It depends on the state that your practice is purchasing property in.
The UETA governs the use of electronic signatures within states that have ratified this regulation, like California. The ESIGN act is federal law, and therefore governs transactions across state lines and within states. The Uniform Real Property Electronic Recording Act (URPERA) was developed as a response to the nationwide legislation giving legal effect to electronic signatures. URPERA has been enacted in 33 states, Washington D.C., and the U.S. Virgin Islands.
However, purchasing real property often involves documents, like deeds and mortgages, that need to be physically recorded in local land records to protect property owners. In response, the URPERA created a framework for recording offices to accept electronic signatures, but it does not require them to do so.
Each state has created its own framework for documents that may be submitted electronically, and other documents that must be physically submitted. For example, in Illinois, county recorders may accept electronic documents and paper documents and convert paper documents into electronic copies without any differentiation under state law.
Online/Digital Notary Services
Usually, in order to have a document notarized, the notary must witness the execution of the document in person and verify the credentials of the individuals. However, because of the ongoing COVID-19 pandemic, emergency regulations have been put into place. For example, in conjunction with the state shelter-in-place order, the Illinois Secretary of State has authorized notaries public to perform remote notary services.
Remote notary services include taking an acknowledgment, administering an oath or affirmation, and certifying a true and correct copy. These acts can be performed remotely using real-time audio-video communication or through an electronic platform that meets notary industry standards.
There are many digital and e-signing solutions available. However, not all services comply with HIPAA, ESIGN, and UETA. Before adopting any service, verify compliance with the rules that apply to your specific practice.
- You must first ensure that signers are authenticated.
- You’ll need to offer the necessary disclosures and obtain consent from signers that they understand what they are signing and that they are providing a legally binding signature.
- The signer must know the signature is legally binding and the document must be secure from tampering.
- All signers should have access to the document when it is being signed.
- Everything should be documented so that if you are ever taken to court, you have everything easily available.
Of course, any substantial changes to the way you manage patient documents should trigger a HIPAA risk assessment. To ensure that you meet this high bar, we recommend that you consult an experienced, tech-savvy healthcare attorney.