What are the HIPAA Rules for e-signatures?

The possibility of signing agreements and contracts remotely has increased the speed with which administrative processes, typically a bottleneck in many sectors, can be done – however, can this be applied to healthcare, and what are the HIPAA Rules regarding e-signatures?

More and more businesses are successfully digitizing processes and dematerializing workflows. The health industry, no stranger to innovation, has taken notice. Given the volume of administrative procedures and consent documents related to health care, e-signatures could offer a streamlined system that caters for the needs of both patients and entities covered by the Health Insurance Portability and Accountability Act – more widely referred to as HIPAA.

HIPAA does not include any prohibition on organizations using e-signatures. However, the signature must be obtained in a compliant manner and a number of conditions must be met in order for this to be the case. Many of these are in relation to the security measures that should be put in place to keep the documentation secure and protect the integrity of the patient’s Protected Health Information (PHI).

E-Signatures Under HIPAA

The use of e-signatures under HIPAA was first proposed to be introduced with the 2003 Security Rule, but these provisions were later removed prior to the enactment of the legislation. The prevailing advice was to refer to the United States’ Department of Health and Human Resources website when seeking guidance on how e-signatures could be used when, for example, signing an agreement with a business associate. The information noted:

“No standards exist under HIPAA for electronic signatures. In the absence of specific standards, covered entities must ensure any electronic signature used will result in a legally binding contract under applicable State or other law.”

As the more common and routine tasks which HIPAA covered entities undertake, such as sharing PHI in order for treatment to take place or payments to be made, do not necessarily require signed authorizations, the use of e-signatures was considered surplus to requirements for a time. Once covered entities started to venture outside of these routine operations, however, permission was necessary. This applies to areas such as using PHI for research or marketing purposes, which are not typically allowed by the HIPAA Privacy Rule without the patient’s authorization.

What Makes an E-Signature Compliant With HIPAA?

Aside from HIPAA, two laws must be taken into account when covered entities wish to use e-signatures with PHI. These are the Federal Electronic Signatures in Global and National Commerce Act (ESIGN Act) and the Uniform Electronic Transactions Act (UETA). They lay out a number of provisions which must be followed, including:

Legal Compliance: A first step, but one of primary importance, is to ensure that the contract itself is valid and binding. It should clearly demonstrate the terms, intent of the signatory, and the option should exist for the signatory to receive a printed or emailed copy of the contract. Any state laws or other relevant elements should also be addressed.

User Authentication: To ensure all entities are who they say they are and prevent the possibility of third parties signing in someone’s stead, a system to verify identity should be used.

Message Integrity: Safeguards should be put in place to prevent either side of the agreement or a third party from tampering with the document.

Other considerations that should be addressed are non-repudiation (the signatory cannot later deny having signed) and ownership and control of the signed records.
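The message-integrity and non-repudiation requirements listed above can be met by binding a signer's key to a hash of the exact text that was signed. The following Go program is an added illustration, not code from the article or any e-signature vendor; the record layout, the signer identifier and the consent text are constructed for the example, and it assumes the signer's identity was authenticated before the key was issued.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedRecord is a hypothetical e-signature record: it ties an authenticated
// signer and their public key to the hash of the document as it was signed.
type SignedRecord struct {
	SignerID  string            // identity verified before key issuance (assumed)
	PublicKey ed25519.PublicKey // key issued to that signer
	DocHash   []byte            // SHA-256 of the signed text, kept for audit
	Signature []byte            // Ed25519 signature over DocHash
}

// SignDocument hashes the document and signs the hash with the signer's key.
func SignDocument(signerID string, priv ed25519.PrivateKey, doc []byte) SignedRecord {
	h := sha256.Sum256(doc)
	return SignedRecord{
		SignerID:  signerID,
		PublicKey: priv.Public().(ed25519.PublicKey),
		DocHash:   h[:],
		Signature: ed25519.Sign(priv, h[:]),
	}
}

// VerifyDocument re-hashes the presented text and checks the signature with
// the recorded public key. Any edit to the text (integrity) or a signature not
// made with the signer's key (non-repudiation) makes it return false.
func VerifyDocument(rec SignedRecord, doc []byte) bool {
	h := sha256.Sum256(doc)
	if !bytes.Equal(h[:], rec.DocHash) {
		return false // presented text differs from what was signed
	}
	return ed25519.Verify(rec.PublicKey, h[:], rec.Signature)
}

func main() {
	// Constructed sample authorization text (no real PHI).
	consent := []byte("I authorize release of my records to Example Clinic for treatment.")
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	rec := SignDocument("signer-0001", priv, consent)
	fmt.Println("original verifies:", VerifyDocument(rec, consent))
	altered := []byte("I authorize release of my records to Example Clinic for marketing.")
	fmt.Println("altered verifies:", VerifyDocument(rec, altered))
}
```

A typed name or pasted image of a signature gives none of these guarantees, which is why the identity-verification step matters as much as the signature itself.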