Question: Our small practice still sees a majority of our Medicare beneficiaries via telehealth. When we have them sign paperwork digitally, is there anything we need to do to ensure the paperwork is HIPAA-compliant? Nevada Subscriber Answer: Electronic signatures are actually not discussed in any of the HIPAA rules. In fact, the Department of Health and Human Services (HHS) guidance defers to the states on this matter. “Currently, no standards exist under HIPAA for electronic signatures. In the absence of specific standards, covered entities must ensure any electronic signature used will result in a legally binding contract under applicable state or other law,” says HHS.
According to HIPAA, the most important thing for covered entities (CEs) to remember is that security measures are in place and the use of e-signatures is “reasonable and appropriate.” Tip: There are a few things that your organization can do to ensure that your patients’ e-signatures are more secure. Even though it’s not a requirement under the HIPAA Security Rule, you may want to use software and form generators that employ encryption to protect your documents and e-signatures. Additionally, if a risk assessment determines that encryption is a “reasonable and appropriate safeguard” for your organization, you should probably follow through and implement it to avoid a violation down the line. Password protection and multifactor authentication (MFA) can also help to secure electronic protected health information (ePHI). Platforms like DocuSign and PandaDoc offer a variety of templates, storage options, and legal resources to help providers with patients’ e-signatures.