Digital Signatures in Healthcare: Are They Truly Compliant?
Learn the ins and outs of signing electronic health records and other documents so that they comply with HIPAA and hold up in court.
If your practice keeps electronic health records (EHRs) or electronic medical records (EMRs), then you may have “signed” notes or other documents by merely logging in, clicking a button, or typing your name. It’s often so easy, in fact, that it doesn’t feel like it carries the same weight as a handwritten signature. Thus, you may wonder: does the law recognize this digital signature as valid? Is it HIPAA compliant? What about the requirements for obtaining patient or vendor signatures electronically?
First, let’s start with some definitions. An electronic signature is any signature that is created or captured through a computer or other electronic device. Electronic signatures (also called e-signatures) can include touch-sensitive screens where you use your finger or a stylus to sign your name as you would on a paper document. Electronic signatures can also include forms where you merely type in your name and perhaps other identifying information, then check a box stating that you intend to sign the document.
Digital signatures introduce another level of authenticity by using a cryptographic operation to bind the signature to the data being signed. The signature is computed from the document's contents and the signer's private key, so it acts as a unique fingerprint of that document that cannot be duplicated for a different document or by a different signer, and it authenticates the document with a digital code. This is done through the Public Key Infrastructure (PKI), the set of policies and technical requirements for issuing and managing signing keys that allow (among other things) digital signatures to be unique and secure.
Once a document is digitally signed, it is locked in. Locking a document means no additional signatures, annotations, or form fill-ins will be allowed. If the document is changed in any way after signing, even by a single character, the signature no longer verifies and is considered invalid.
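To make the binding and locking behaviour concrete, here is an added example (not code from the original article or from any EHR product) that signs a constructed clinical note with an Ed25519 key, retains a signature record, and then shows that both an edited note and a record whose signer field was altered after the fact fail verification. The signer identifier, timestamp and note text are invented for the demonstration; the record also keeps the signer and time that the page's later "association with the record" requirement calls for, and binds them into the signed message so they are covered by the signature too.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Constructed sample clinical note for the example (not real patient data).
const constructedNote = "Patient: TEST-0001\nVisit: 2024-01-15\nAssessment: hypertension, stable\nPlan: lisinopril 10 mg daily\n"

// SignatureRecord is what the system retains alongside the document: who signed,
// when, a digest of the exact bytes covered, the verification key and the signature.
type SignatureRecord struct {
	SignerID  string `json:"signer_id"`
	SignedAt  string `json:"signed_at"`
	DocSHA256 string `json:"doc_sha256"`
	PublicKey string `json:"public_key"`
	Signature string `json:"signature"`
}

// signedPayload is the message actually signed. Binding signer and time into it
// protects the association in the record, not just the document body.
type signedPayload struct {
	SignerID  string `json:"signer_id"`
	SignedAt  string `json:"signed_at"`
	DocSHA256 string `json:"doc_sha256"`
}

func docDigest(doc []byte) string {
	d := sha256.Sum256(doc)
	return hex.EncodeToString(d[:])
}

func payloadBytes(signerID, signedAt string, doc []byte) []byte {
	// json.Marshal of a struct with fixed field order is deterministic, so signer
	// and verifier rebuild identical bytes from the same inputs.
	b, _ := json.Marshal(signedPayload{signerID, signedAt, docDigest(doc)})
	return b
}

// SignDocument binds doc to the signer's private key and returns the retained record.
func SignDocument(signerID string, priv ed25519.PrivateKey, doc []byte, at time.Time) SignatureRecord {
	signedAt := at.UTC().Format(time.RFC3339)
	sig := ed25519.Sign(priv, payloadBytes(signerID, signedAt, doc))
	return SignatureRecord{
		SignerID:  signerID,
		SignedAt:  signedAt,
		DocSHA256: docDigest(doc),
		PublicKey: hex.EncodeToString(priv.Public().(ed25519.PublicKey)),
		Signature: hex.EncodeToString(sig),
	}
}

// VerifyDocument succeeds only if doc is byte-for-byte what was signed and the
// signer/time fields in rec are the ones that were signed with it.
func VerifyDocument(rec SignatureRecord, doc []byte) bool {
	pub, err := hex.DecodeString(rec.PublicKey)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	sig, err := hex.DecodeString(rec.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	if docDigest(doc) != rec.DocSHA256 { // cheap early exit; the signature check would also fail
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), payloadBytes(rec.SignerID, rec.SignedAt, doc), sig)
}

// Outcome reports the three checks RunScenario performs.
type Outcome struct{ Original, Tampered, Relabelled bool }

// RunScenario signs the constructed note, then verifies the original, an edited
// copy (dosage changed), and a record whose signer field was altered after signing.
func RunScenario() (Outcome, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	note := []byte(constructedNote)
	rec := SignDocument("clinician-0042", priv, note, time.Date(2024, 1, 15, 9, 30, 0, 0, time.UTC))
	var out Outcome
	out.Original = VerifyDocument(rec, note)
	tampered := bytes.Replace(note, []byte("10 mg"), []byte("100 mg"), 1)
	out.Tampered = VerifyDocument(rec, tampered)
	relabelled := rec
	relabelled.SignerID = "clinician-0099"
	out.Relabelled = VerifyDocument(relabelled, note)
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies: %v\nedited dosage verifies: %v\nrelabelled signer verifies: %v\n",
		out.Original, out.Tampered, out.Relabelled)
}
```

Running it prints `true`, `false`, `false`: the unmodified note verifies, while the edited note and the relabelled record do not. In a real deployment the public key would come from a certificate issued under the organisation's PKI rather than being copied into the record, and the record would be written to tamper-evident audit storage; the example keeps the key inline only so it runs stand-alone.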
Note that some EHR programs do not ask you to physically sign the chart upon viewing. The EHR program knows you were the one who logged in and so the EHR will record that you have entered into the note.
The Laws of Digital Signing
The federal government has developed laws to regulate how electronic signing works in healthcare. It first recognized the validity of electronic signatures with the United States Electronic Signatures in Global and National Commerce (ESIGN) Act. Then came the Uniform Electronic Transactions Act (UETA), which is meant to harmonize state laws regarding the validity of electronic signatures. Most states have adopted UETA, while a handful of states (such as Illinois) have enacted their own electronic signing laws.
ESIGN and UETA both set four requirements for an electronic signature to be valid:
- Intent to sign – as with traditional ink signatures, the signature is valid only if each party intended to sign the document.
- Consent to do business electronically – electronic records may be used in transactions with consumers only when the consumer has:
  - received the UETA Consumer Consent Disclosures,
  - affirmatively agreed to use electronic records for the transaction, and
  - not withdrawn that consent.
- Association of signature with the record – the system used to capture the transaction must keep an associated record that reflects the process by which the signature was created, or generate a textual or graphic statement (added to the signed record) proving that it was executed with an electronic signature.
- Record retention – electronic signature records must be retained, and accurate reproductions must be available for reference by all parties or persons entitled to retain the contract or record.
Keep in mind that HIPAA still applies alongside ESIGN. For a patient's privacy to be protected under HIPAA, there are three crucial requirements:
- The patient must consent to the use of electronic signatures and willingly enter into an agreement with the healthcare provider.
- The process must be completely documented and include a two-factor technique for identity authentication (such as a photograph or a password of some kind). This avoids later disputes over whether the patient had the right to enter into the contract.
- Message integrity must be maintained. The medical documents must be secured properly to prevent unauthorized access, and the signature should be encrypted and locked so that signatures cannot be tampered with or forged.
Digital signatures are key to adding extra security when dealing with PHI and are incredibly beneficial. Digital signatures create a digital fingerprint through cryptographic technology, something an inked signature cannot offer. PKI is a high standard that will effectively secure your data, and digital signatures have global acceptance. Digital signatures also allow for long-term retention and access, as well as independent verification by anyone holding the signer's public key.
How Do I Obtain Digital Signatures From Patients or Vendors?
In addition to the capabilities built into most EHR and EMR systems for signing clinical notes, there are many e-signing solutions available for documents such as agreements or consent forms. Not all services are HIPAA compliant, however. Before adopting any service, verify compliance with HIPAA rules. Of course, any substantial changes to the way you manage patient documents should trigger a risk assessment.
Whatever service you use, you must first ensure that signers are authenticated. You’ll need to offer the necessary disclosures and obtain consent from signers that they understand what they are signing and that they are providing a legally binding signature. The signer must know the signature is legally binding and the document must be secure from tampering. All signers should have access to the document when it is being signed, and all actions taken should be documented so that if you are ever taken to court, you have everything easily available.
In summary, electronic and digital signatures are valid and compliant if you adhere to the requirements set forth in the laws discussed above. To ensure that you meet this high bar, we recommend that you consult an experienced, tech-savvy healthcare attorney.