
Can you use e-signatures under HIPAA rules?

E-signatures can be used under HIPAA rules provided that mechanisms are in place to ensure the authenticity of the signatory, compliance with legal requirements, and protection of any protected health information (PHI) within the document from unauthorized access or disclosure.


What is an e-signature?

A Decision Support System study defines an e-signature as follows: "An e-signature consists of an e-signature image and digital signature. E-signature is generally associated with a number of technologies, allows a person (or machine) to electronically mark a document, and can enable innovative document management processes."

E-signatures were first legally recognized in the United States with the passage of the Electronic Signatures in Global and National Commerce Act (ESIGN) in 2000, which confirmed their validity and legal effect. However, the concept and supporting technology existed before this legislation.

They can be created in several ways, including typing a name into a signature field, using a mouse or touchpad to draw a signature, or clicking a button to confirm agreement. More advanced methods use cryptographic techniques to ensure authenticity and integrity.

Their adoption has expanded across legal, healthcare, finance, and government sectors due to their ability to streamline processes, reduce paper use, and enhance security.


Understanding e-signatures under HIPAA

Using digital and electronic signatures in the healthcare industry improves efficiency, but questions remain about whether they align with HIPAA regulations. Originally, the HIPAA statute (§1173) instructed the Secretary of Health and Human Services (HHS) to establish standards for electronic signatures in financial and administrative transactions. However, a proposed standard for digital signatures was later removed from the 2003 HIPAA security rule due to concerns about the maturity of the technology and its ability to meet security requirements such as message integrity, non-repudiation, and user authentication.


How e-signatures are used in healthcare

Following the removal of the proposed HIPAA electronic signature standard, HHS published guidance on using e-signatures in business associate agreements, stating that electronic contracts could qualify as written documents under HIPAA rules, provided they meet state contract law requirements. Since then, e-signatures have been widely adopted in healthcare for activities such as:

  • Acknowledgment of HIPAA privacy notices
  • Patient consent for treatments and telehealth services
  • Pre-operative consent for procedures
  • Authorization for uses and disclosures of PHI
  • Remote authorization by personal representatives and holders of medical powers of attorney (POAs)
  • E-prescribing under 21 CFR Part 1306 and Part 1311
  • Health plan authorizations and provider billing
  • HIPAA training acknowledgments


Proposed rule changes for HIPAA e-signatures

In 2022, the Centers for Medicare & Medicaid Services (CMS) proposed a rule advocating an e-signature standard for healthcare attachment transactions to accelerate administrative processes. Healthcare attachment transactions include instances where providers must submit additional information for prior authorization, claims processing, or payment determinations. While electronic submission of attachments is not mandatory, if submitted electronically, they must be digitally signed to ensure security.

Although this proposal currently impacts a limited number of covered entities, both CMS and the Office for Civil Rights (OCR) are considering expanding e-signature requirements for verifying patient identity and authorization. Concerns have been raised about the security of patient data in healthcare applications, and a HIPAA-compliant e-signature standard could provide stronger authentication and verification measures.


Conditions necessary for e-signatures under HIPAA rules

To comply with HIPAA and other legal frameworks such as the Electronic Signatures in Global and National Commerce Act (ESIGN Act) and the Uniform Electronic Transactions Act (UETA), e-signatures must meet specific conditions:

Legal compliance

E-signatures must comply with federal and state contract laws. Documents should clearly state the terms of the agreement, demonstrate the signatory's intent, and provide an option for receiving a printed or emailed copy. Organizations should seek legal guidance to ensure compliance with additional state regulations.


User authentication

Organizations must verify the identity of the signatory to prevent disputes over authorization. Methods such as two-step verification, security questions, specialized e-signature software, and phone or voice authorization can help achieve this.


Message integrity

To prevent tampering, organizations should implement security measures to ensure the integrity of electronically signed documents both in transit and at rest. These safeguards align with the HIPAA Security Rule's requirements for data protection and audit trails.


Non-repudiation

To prevent signatories from denying their signatures, e-signatures should include timestamped audit trails with details on when, where, and by whom the document was signed. Providing a copy of the signed document to the signatory also reinforces non-repudiation.
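As an added illustration of the message-integrity and non-repudiation conditions above (example code, not from the original article), the following Go program signs a SHA-256 hash of a consent document together with the signer's identity and a timestamp using an Ed25519 key, so that a later change to the document or to any audit field invalidates the signature. The key pair, the record layout and the sample document text are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// SignedRecord is the audit record kept alongside the signed document (assumed layout).
type SignedRecord struct {
	DocHash  string // SHA-256 of the document bytes at signing time
	Signer   string // identity established by the user-authentication step
	SignedAt string // RFC 3339 UTC timestamp of the signing event
	Sig      []byte // Ed25519 signature over the three fields above
}

// payload is the exact byte string the signature covers.
func payload(docHash, signer, signedAt string) []byte {
	return []byte(strings.Join([]string{docHash, signer, signedAt}, "\n"))
}

// Sign hashes the document and signs hash, signer and timestamp together,
// so none of them can be changed afterwards without invalidating Sig.
func Sign(doc []byte, signer string, at time.Time, priv ed25519.PrivateKey) SignedRecord {
	h := sha256.Sum256(doc)
	rec := SignedRecord{DocHash: hex.EncodeToString(h[:]), Signer: signer, SignedAt: at.UTC().Format(time.RFC3339)}
	rec.Sig = ed25519.Sign(priv, payload(rec.DocHash, rec.Signer, rec.SignedAt))
	return rec
}

// Verify recomputes the hash of the document as stored and checks the signature.
// It returns false if the document or any audit field was altered after signing.
func Verify(doc []byte, rec SignedRecord, pub ed25519.PublicKey) bool {
	h := sha256.Sum256(doc)
	if hex.EncodeToString(h[:]) != rec.DocHash {
		return false // document no longer matches what was signed
	}
	return ed25519.Verify(pub, payload(rec.DocHash, rec.Signer, rec.SignedAt), rec.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	doc := []byte("I consent to the telehealth visit described above.") // constructed sample
	rec := Sign(doc, "patient-0001", time.Now(), priv)
	fmt.Println("original verifies:", Verify(doc, rec, pub))
	tampered := []byte("I consent to the telehealth visit and to release of my records.")
	fmt.Println("edited copy verifies:", Verify(tampered, rec, pub))
}
```

The signature proves only that whoever held the private key signed exactly this document at the recorded time; binding that key to a real person is the user-authentication condition, and the signed record plus a copy delivered to the signatory is what the audit trail retains.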


Ownership and control

Organizations must maintain control over electronically signed documents, ensuring that PHI remains protected. If using a third-party e-signature service, a business associate agreement (BAA) must be in place to ensure compliance with HIPAA rules.


The use of signatures in HIPAA compliant email

E-signatures help speed up healthcare processes, from admissions to discharge and follow-up care, reducing administrative delays. To be effective, they must be used within secure, HIPAA compliant systems, including HIPAA compliant email. When properly implemented, they eliminate the need for in-person interactions, allowing patients to manage their healthcare remotely. This is especially beneficial for those with mobility challenges or who live far from their providers.


FAQs

When will new HIPAA electronic signature standards take effect?

It is unclear. CMS’s proposed rule is still under review, and final implementation could take months or years depending on public feedback.


What is the difference between an e-signature and a digital signature?

An e-signature records a signatory's agreement to a document. A digital signature is a specific cryptographic form of e-signature: the signatory's private key produces a signature that anyone holding the corresponding public key can verify, which ties the signature to the signer's identity and reveals any change made to the document after signing.


Does the HIPAA security rule require digital signatures?

No, but covered entities may implement them as a security measure if PHI protection and legal compliance are ensured.


Does HHS recommend specific HIPAA-compliant e-signature software?

No. HIPAA is technology-neutral, but software used for signing PHI-related documents should comply with security requirements and include a BAA if a third-party vendor is involved.