HIPAA-Compliant eSignatures: What to watch out for

Health Insurance Portability and Accountability Act (HIPPA) compliance is crucial in the healthcare sector, where patient privacy and security has been protected by law for over 20 years. Yet as the sector moves towards the digitization of patient records, additional measures must be considered to ensure continued HIPPA compliance. For example, eSignatures are sought after thanks to convenience and efficiency they bring. However, many health insurance providers are concerned whether they are HIPAA compliant. Fortunately, HIPAA-compliant eSignatures have become the industry norm, and there are several characteristics of HIPAA-compliance to look out for when considering an eSignature solution.

What is HIPAA, and why does compliance with it matter?

Enacted in 1996, HIPAA was designed to set protocols for protecting the personally identifiable information (PII) of patients. This information, more specifically known as protected health information (PHI), must be safeguarded across the administrative, physical, and network spheres. Administrative requirements are meant to protect the accuracy of patient data and determine its level of accessibility to various parties. Usually, an executive is responsible for overseeing data security, including employee access to patient information, training of employees, mandating HIPAA compliance in external vendors, regular security assessments, and a data breach damage mitigation plan. This type of HIPAA compliance is critical because it ensures HIPAA compliance is understood and enforced throughout the entire organization. Physical security requirements regulate physical theft, damage and loss of devices that store patient data. Staying compliant with physical security requirements can be achieved by keeping computers physically separate from the public, such as behind desks, requiring building guests to register and monitoring the goings-on in the building, and restricting access to areas where personal information can be found. It also involves disposing of unneeded hardware or software properly, such as wiping the hard drive. Technical security requirements involve protecting the healthcare company’s network and computer systems from data breaches. Encrypting client files sent through email, putting up firewalls and intrusion detection systems, avoiding phishing scams, backing up data, authenticating data transfers to third parties, and requiring employees to regularly change their passwords are all key components of staying HIPAA compliant when it comes to technical security requirements.

Characteristics of HIPAA-compliant eSignatures

When choosing a HIPAA-compliant eSignature, healthcare companies need to make sure that the vendor they ultimately partner with complies with the above requirements. There are two areas in which healthcare providers use eSignatures in ways that have implications for HIPAA: business associate agreements and patient authorizations. In both cases, the eSignature solution inevitably comes into contact with PHI. eSignatures are not explicitly mentioned in HIPAA, but they are considered acceptable as long as they are compliant with the Federal Electronic Signatures in Global and National Commerce (ESIGN) Act and the Uniform Electronic Transactions Act (UETA). These are the characteristics of a eSignature solution that complies with the ESIGN Act and UETA:

1. Legal compliance: The authorization form or contract should clearly state the terms of the agreement, demonstrate the intention of signer, and provide an option for the signer to receive a copy of the contract either by email or a physical copy. In addition to following federal laws for eSignatures, healthcare providers should also consult any local legislation that may influence the legality of the eSignature.
2. User authentication: Healthcare providers need to validate the identity of all parties in the agreement to prevent disputes about whether the signer is who he or she claims to be, and willingly signed the agreement. Two-step verification, secret questions, and voice or ID verification are reliable ways of authenticating users.
3. Message integrity: After the document has been signed, it’s critical that there are mechanisms in place that prevent digital tampering from occurring. The closest parallels to this in HIPAA are the security requirements for electronic communications. Message integrity must be demonstrated during HIPAA compliance audits.
4. Non-repudiation: It’s critical that the signer of the document not have the ability to deny having signed the agreement, as this can lead to a messy legal dilemma. To avoid such scenarios, HIPAA-compliant eSignatures must have an audit trail complete with a timestamp showing time, location, date, and chain of custody. This guarantees that the contract is legally binding and the authorization of PHI cannot be later disputed. Sending the signatory a printed or emailed version of the contract can also help prevent repudiation.
5. Ownership and control: To protect PHI, there should be one authoritative version of the eSigned document. All other digital copies of the document should be destroyed and removed from the server.

The bottom line

eSignatures have the potential to help healthcare companies undergo a digital transformation, and improve the customer experience through more efficient transactions. When selecting an eSignature solution for the health care industry, or any industry that handles a persons medical records, it’s critical that it meets HIPAA compliance requirements outlined above. This will prevent legal liability that can come with partnering with risky providers. Lightico's eSignature solution is fully HIPAA compliant, and actually reduces the likelihood of fraud thanks to added levels of digital security.