Many businesses opt to sign documents electronically (eSigning) for convenience. Healthcare organizations may do so when signing business associate agreements with their vendors, when having telehealth patients sign a notice of privacy practices, or to get a head start on paperwork for patients being seen in the office. Before doing so, however, you must ensure that the eSignature tool you use is HIPAA compliant. That raises the question: are eSignatures HIPAA compliant?
Are eSignatures HIPAA Compliant: Business Associate Agreements
A key factor in determining whether a software platform is HIPAA compliant is whether the vendor is willing to sign a business associate agreement (BAA). A platform whose vendor will not sign a BAA cannot be used in conjunction with protected health information (PHI).
A BAA is a legal document that requires both signing parties to have safeguards in place to secure PHI. It also requires each party to manage its own HIPAA compliance.
Are eSignatures HIPAA Compliant: Other Considerations
Although eSignatures are not discussed in the HIPAA regulations, two other laws establish when an electronic signature is legally valid: the federal Electronic Signatures in Global and National Commerce (ESIGN) Act and the Uniform Electronic Transactions Act (UETA), a model law that most states have adopted. Together they set the expectations a HIPAA compliant eSignature process must meet.
- Legal Compliance. The Department of Health and Human Services states on its website, “No standards exist under HIPAA for electronic signatures. In the absence of specific standards, covered entities must ensure any electronic signature used will result in a legally binding contract under applicable State or other law.” State eSignature law varies, so a covered entity (CE) should check the regulations of the state(s) in which it treats patients before adopting eSignatures. Additionally, signed documents must be available to patients on request, either as an emailed copy or as a printed copy.
- User Authentication. The CE must verify that a signer is who they claim to be before the signature is accepted. This can be accomplished through multi-factor authentication (MFA), which requires the signer to present more than one credential, such as a username and password plus a one-time PIN sent to the patient’s cell phone. Note that security questions are a knowledge factor, like a password, so a password plus security questions is not a second factor.
- Message Integrity. The CE must ensure that a signed document cannot be altered without detection. Encryption alone only protects confidentiality; tamper detection requires a cryptographic hash or digital signature over the signed document, together with a tamper-evident audit trail.
- Non-Repudiation. So that patients cannot later dispute that they signed a document, each signature event must be recorded with the date and time, the signer’s identity and location (for example, IP address), and a chain of custody showing who handled the document and when.
- Ownership and Control. The CE must store eSigned documents digitally, keeping the signed document together with its audit trail. Storing the supporting proof of ownership and chain of custody alongside the document preserves its integrity and makes it verifiable later.
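The integrity, non-repudiation and chain-of-custody points above can be illustrated with a small audit-record scheme. The following is an added example written for this article, not code from any eSignature vendor: it hashes the signed document, binds that hash to the signer identity, timestamp and client IP in a canonical record, chains each record to the previous one, and authenticates the record with an HMAC. The key, document text and signer details are constructed for the demonstration. Because it uses only the Python standard library, it authenticates with a symmetric HMAC, which proves integrity to anyone holding the platform key; true non-repudiation toward a third party would use an asymmetric signature (for example Ed25519) in place of the HMAC, with the same record layout.

```python
import hashlib
import hmac
import json

# Constructed demo key standing in for the eSignature platform's signing key.
# Replace the HMAC with an asymmetric signature for third-party non-repudiation.
PLATFORM_KEY = b"constructed-demo-key-do-not-use"

# Sentinel "previous hash" for the first record in a document's chain of custody.
GENESIS_HASH = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_bytes(fields: dict) -> bytes:
    """Deterministic serialization so the same fields always MAC the same way."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def build_signature_record(document: bytes, signer_id: str, signed_at: str,
                           client_ip: str, prev_record_hash: str) -> dict:
    """Create an authenticated audit record for one signature event."""
    fields = {
        "document_sha256": sha256_hex(document),   # what was signed
        "signer_id": signer_id,                    # who signed (post-MFA identity)
        "signed_at": signed_at,                    # when (UTC, ISO 8601)
        "client_ip": client_ip,                    # where from
        "prev_record_hash": prev_record_hash,      # chain of custody link
    }
    record = dict(fields)
    record["mac"] = hmac.new(PLATFORM_KEY, canonical_bytes(fields),
                             hashlib.sha256).hexdigest()
    return record


def record_hash(record: dict) -> str:
    """Hash of a complete record, used as the next record's prev_record_hash."""
    return sha256_hex(canonical_bytes(record))


def verify_signature_record(document: bytes, record: dict,
                            prev_record_hash: str) -> tuple:
    """Check the record, its place in the chain, and the document it covers.

    Returns (True, "ok") or (False, reason). Order matters: an altered record
    cannot be trusted to say anything about the chain or the document.
    """
    fields = {k: v for k, v in record.items() if k != "mac"}
    expected = hmac.new(PLATFORM_KEY, canonical_bytes(fields),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record.get("mac", "")):
        return False, "audit record altered"
    if fields["prev_record_hash"] != prev_record_hash:
        return False, "chain of custody broken"
    if sha256_hex(document) != fields["document_sha256"]:
        return False, "document altered after signing"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample document and signing events.
    notice = b"Notice of Privacy Practices, revision 3. I acknowledge receipt."
    first = build_signature_record(notice, "patient-0001",
                                   "2024-01-15T14:32:10Z", "203.0.113.7",
                                   GENESIS_HASH)
    second = build_signature_record(notice, "staff-0042",
                                    "2024-01-15T14:35:02Z", "198.51.100.9",
                                    record_hash(first))
    print(verify_signature_record(notice, first, GENESIS_HASH))
    print(verify_signature_record(notice, second, record_hash(first)))
    # Tampering with the document after signing is detected by the hash.
    print(verify_signature_record(notice + b" (amended)", first, GENESIS_HASH))
    # Back-dating the audit record is detected by the MAC.
    forged = dict(first, signed_at="2023-12-01T09:00:00Z")
    print(verify_signature_record(notice, forged, GENESIS_HASH))
```

Keeping the record and the document together, as the Ownership and Control item requires, is what lets the verifier recompute the document hash; a record stored apart from the document it covers proves nothing about the copy a patient later disputes.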
Is DocuSign HIPAA Compliant?
Yes, DocuSign can be used as a HIPAA compliant eSignature platform: it offers the safeguards described above and will sign a BAA. As with any vendor, the BAA must actually be executed before PHI is sent through the platform; the vendor’s willingness to sign one is not by itself compliance.