• E-mail
• Print
• RSS

Do "e-signatures" conflict with HIPAA's focus on privacy and security?

HIPAA Weekly Advisor, October 4, 2002

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

Q: We have recently heard from several insurance companies that we should now accept "e-signatures" from them when they request a patient's medical record, for example, for life insurance applications. They are referring to a typed signature, rather than a handwritten signature, which we have always compared to the signature we have in the patient's file. We are told this new practice does not conflict with HIPAA, but how do we explain our increased attention to privacy and security while simultaneously accepting a weaker standard for this type of release?

A: That's a very valid question. An "electronic signature" has no specific meaning and no formal standard. The term is sometimes used to make a process sound more secure than it actually is. In fact, in the proposed security and electronic signature rule, HHS said that if an electronic signature were required by HIPAA (although it is not, at this time), it would have to be a more clearly defined and powerful "digital signature."

You are right to be concerned about accepting a typed name. You should require a form of authentication at least as meaningful as a photocopy of the signed form that you received in the past. Under HIPAA, the burden falls on your organization to ensure proper authorization prior to release, so you may need to review your process and take on the responsibility of obtaining a signed HIPAA-compliant authorization form from the patient before releasing the record.

Answered by Kate Borten, CISSP, president of The Marblehead Group, Inc., in Marblehead, MA, and excerpted from the October 2002 issue of Briefings on HIPAA.

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

• E-mail to a Colleague
• Print
• RSS
• Archive