E-sign laws: What is legal digital consent according to HIPAA?

To ensure HIPAA compliance when using electronic signatures for patient authorizations and business associate agreements, covered entities should be aware of E-sign laws to remain fully compliant? 

Understanding legal digital consent

Legal digital consent refers to the formal and legally binding agreement or authorization provided by an individual or entity through electronic means, typically in the form of an electronic signature or similar electronic process. This digital consent is often demonstrated through an electronic signature, which could be a typed name, a drawn signature, or any other unique identifier attached to the electronic document. The electronic signature serves as evidence of the individual's intent to consent to the agreement.

See also: Can therapists use text messaging for client intake?

When can E-sign be used?

Digital consent, including electronic signatures (e-sign), can be employed in various settings, such as for research purposes, particularly when adhering to the guidelines established by the U.S. Department of Health and Human Services (HHS) and the U.S. Food and Drug Administration (FDA). This method is particularly suitable when subjects can be reliably identified through secure electronic means and when the e-signature process adheres to the Electronic Signatures in Global and National Commerce Act (ESIGN Act). 

ESIGN Act & UETA

The ESIGN Act, enacted on June 30, 2000, establishes a framework for the validity of electronic records and signatures in transactions involving interstate or foreign commerce. The Act allows the use of electronic records to fulfill statutory, regulatory, or legal requirements for written information, provided the consumer has given affirmative consent and has not withdrawn that consent. 

The Uniform Electronic Transactions Act (UETA) is a model law that was created to establish a legal framework for the use of electronic signatures and electronic records in commerce and transactions. The purpose of the UETA is to facilitate electronic communications and transactions while ensuring the legal validity and enforceability of electronic signatures and records. 

Both these laws require: 

1. Intent to sign: Similar to traditional signatures, electronic signatures are valid only if each party intended to sign the document.
2. Consent to do business electronically: All parties involved in the transaction must consent to conducting business electronically. For consumers, this includes:

• Receiving UETA Consumer Consent Disclosures.
• Affirmatively agreeing to use electronic records for the transaction.
• Not withdrawing such consent.

1. Association with the record: The electronic signature must be associated with the electronic record in a way that reflects the signature's creation process. This can be achieved by generating a textual or graphic statement that is added to the signed record, proving that the record was executed with an electronic signature.
2. Record retention: Electronic signature records must be capable of retention and accurate reproduction for reference by all parties entitled to retain the contract or record. This ensures that the electronic transaction can be stored and accessed.

HIPAA requirements for digital consent

The HHS highlighted the vague nature of HIPAA's provision for electronic signatures: "However, currently, no standards exist under HIPAA for electronic signatures. In the absence of specific standards, covered entities must ensure any electronic signature used will result in a legally binding contract under applicable State or other law." 

1. Compliance with legal requirements: The document being signed electronically must adhere to federal laws beyond HIPAA, such as the ESIGN Act, and clearly outline the agreement between the parties. The signatory must receive a copy of the signed agreement either in printed or digital form (such as via HIPAA compliant email).
2. Authorization of users: The identity of individuals signing the agreement must be validated to prevent unauthorized signatories. Two-step authentication, identifying questions, and voice verification by phone can help ensure user authorization.
3. Integrity of e-signatures: Covered entities must establish safeguards to prevent digital tampering and ensure the integrity of electronic signatures. Similar to how the HIPAA Security Rule protects Protected Health Information (PHI), measures should be in place to secure e-signatures.
4. Maintain documents relating to ensign transactions: An accurate audit trail for e-signatures, including time stamping, is necessary to prevent any party from denying their signature. This audit trail makes the e-signature legally enforceable and prevents arguments about authorization later on. The audit trail should include dates, times, locations, and the chain of custody.
5. Control and ownership of documents: The covered entity must retain control and ownership of the evidence for e-signatures. The only other entity that should have copies of the signed agreement is the signatory (business associate). E-signature service providers should ensure that signed documents are securely stored and that any copies on their servers are digitally wiped.

See also: When is a subject line PHI?