Today, more healthcare providers than ever are offering comprehensive telehealth services. The change began during the initial phases of the COVID-19 pandemic when up to 95% of healthcare providers were offering telehealth options, but all evidence points to the service being here to stay.

One problem associated with telehealth is that, since patients only visit their doctors remotely, they cannot sign informed consent documents and other vital paperwork in person. The good news is that electronic signatures, or e-signatures, offer an effective alternative.

They’re easy to use, secure, and compatible with HIPAA as long as healthcare providers put mechanisms in place to protect the integrity and confidentiality of their patients’ protected health information (PHI).

What HIPAA Says About E-Signatures

The Security Rule as originally proposed mentioned e-signatures explicitly, but that provision was dropped before the final rule was published in 2003. HIPAA therefore neither prohibits e-signatures nor sets a specific standard for them, and using one is considered acceptable under the U.S. Department of Health and Human Services’ (HHS) interpretation of HIPAA.

According to the DHHS, the fact that no specific standards exist under HIPAA for e-signatures doesn’t mean they can’t be used. It simply means that covered entities must ensure that any e-signature collected results in a legally binding contract.

Meeting Necessary Conditions

There are two pieces of legislation that apply to using e-signatures under HIPAA rules:

The Federal Electronic Signatures in Global and National Commerce Act (ESIGN Act)

The Uniform Electronic Transactions Act (UETA), a model law adopted by most states

Meeting the conditions set forward in the UETA and the ESIGN Act will ensure that all e-signatures collected by healthcare providers and other covered entities form legally binding contracts.

To be legally valid and to satisfy the safeguards required by HIPAA’s Security Rule, e-signatures must meet the following conditions.

Legally Binding – The document being signed must comply with all federal and state rules for e-signatures. It should clearly demonstrate the terms and the intent of the signatory and offer an option for the patient to receive an emailed or printed copy of the contract being signed.

There may also be state or local laws that might impact e-signature compliance, and it is the responsibility of the covered entity to seek legal advice about those laws.

User Authentication – The identity of each party participating in the transaction must be validated to ensure that anyone who enters into the agreement has the authority to do so.

Examples of how this might apply to a healthcare provider include asking patients to answer knowledge-based verification questions, using two-step (multi-factor) verification, or implementing specialized e-signature software. Knowledge-based questions are the weakest of these, because the answers are often discoverable from public records or earlier data breaches; a second factor the patient possesses, such as a one-time code sent to a registered phone or generated by an authenticator app, is stronger. Specialized e-signature software is by far the easiest way to authenticate users, provided it implements such verification rather than relying on an email link alone.

Message Integrity – Healthcare providers must also have a system in place for detecting and preventing digital tampering. The e-signature must be secure not just in transit (for example over TLS) but also once the signed document and its supporting evidence are at rest: the stored record should be protected so that any later alteration of the document, the signature, or the associated metadata is detectable, for instance by keeping a cryptographic hash of the exact document the patient signed and a keyed checksum or digital signature over the signing record.

Audit Trails – A time-stamped audit trail that records the date, time, and location (such as the source IP address) of the e-signing and the chain of custody of the document provides a safeguard against repudiation by the signatory.

It supports the legal enforceability of the contract and makes it much harder for anyone to contest the authorization of a PHI disclosure.

Ownership and Control – Covered entities must maintain ownership and control of documents containing e-signatures and the evidence that supports their validity. Any other copies, with the exception of those provided to signatories, should be destroyed.

Get Help – If all of this sounds complicated, that’s because it is. Healthcare providers that want to offer telehealth services can reduce the work of meeting these conditions by using a reputable e-signature API that provides authentication, tamper-evident storage and audit trails, while remaining responsible, as the covered entity, for HIPAA compliance and for a business associate agreement with the vendor.