- HIPAA Update - http://blogs.hcpro.com/hipaa -

HIPAA Q&A: HIPAA and electronic signatures

Q: Are digital signatures permissible on custodian affidavit/declaration forms? Signing electronically instead of printing, signing, and scanning would streamline our process. We've never seen electronic signatures on these forms. Are they admissible in court? Some jurisdictions require original signatures, but we're uncertain what California requires. Are the ­federal e-Sign Act or California's e-Sign law applicable? Our ­organization has locations in 18 states.

A: Digital signatures on custodian affidavit/declaration forms generally are permissible. They meet the more stringent digital signature requirement eliminated when the HIPAA Security Rule was finalized in 2003. Consult legal counsel to determine whether your state allows use of digital signatures on these forms. Some state laws require that certain documents are signed physically, but this is not a HIPAA requirement.
 
Electronic and digital signatures differ significantly-legally and technically. Federal law and many state laws allow electronic signatures on some documents. Electronic signatures can be a picture of a signature, an agreed-upon string of characters, a symbol, a signature typed into a signature block in an ­electronic form, and other personal non-encrypted, agreed-upon identifiers.
 
A digital signature is an encrypted "hash" or tag that is registered to an individual and ­accompanies transmission of electronic data or forms signed via computer. They are much more reliable than electronic signatures because they allow recipients to validate senders and prevent repudiation at a later date.
 
Editor's note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Ore. answered this question, which first appeared in the May Briefings on HIPAA [1]. Apgar has more than 17 years of experience in information technology; he specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.