In healthcare, traditional paper-based functions are fading—a trajectory most obviously characterized by a massive increase in EHR adoption. This colossal digitization of the healthcare system is now driving a desire to turn all processes fully digital, including the last mile, e-signatures.
The rise of digital practices like e-signatures brings heightened attention to compliance needs, such as HIPAA compliance, medical records compliance and 21 CFR Part 11 compliance, among others.
But the impact of e-signatures on HIPAA compliance, specifically, is only recently becoming apparent. While there are no e-signature guidelines under HIPAA, healthcare organizations evaluating and selecting e-signature technology now see clear concerns with many e-signature solutions.
To promote compliance, here’s what to look for:
Independent e-signatures. Independent e-signatures allow Covered Entities under HIPAA to have complete control over PHI-laden documents. E-signatures that permanently embed the legal evidence into a signed document are truly “independent” because they don’t require copies of the PHI to remain permanently in the cloud of the e-signature vendor. A healthcare provider can be the only entity that keeps signed documents with any other copies digitally shredded from the vendor’s cloud once the signing process is complete.
In contrast, “dependent” e-signature vendors store the original e-signature, documents, data and other legal evidence in their cloud—permanently. The main reason for adopting independent e-signatures is to remove the e-signature vendor from the risk of future breaches of PHI, which carry criminal and civil penalties for Covered Entities.
Document, signature and legal evidence integrity. Documents with PHI must be tamper evident, so it is essential for e-signatures to use digital hashing and encryption to retain long-term integrity. These elements make it extremely difficult for a document to be altered post-e-signature without detection.
Detailed audit trails. The proof of validity of each and every signature must be available—and undeniable. Records of each event in executing documents with PHI, from the first signature to the last, are made transparent with comprehensive audit trails and cryptographic e-signature standards (such as those under 21 CFR Part 11), supporting the defense of HIPAA compliance over the long term.
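The two properties above, a tamper-evident document and an audit trail that covers every event from first signature to last, can be carried inside the signed artifact itself so that the holder can verify it without any vendor copy. The following is an added example, not code from the article or from any e-signature vendor: it hashes the document, hash-chains each audit event to the previous one, and seals the final link. The sample document, events and key are constructed here; the HMAC seal stands in for the asymmetric digital signature a real product would use, so that the example runs with the standard library alone.

```python
import hashlib
import hmac
import json


def _digest(data: bytes) -> str:
    """SHA-256 hex digest; the hash function that makes alterations detectable."""
    return hashlib.sha256(data).hexdigest()


def build_envelope(document: bytes, events: list, seal_key: bytes) -> dict:
    """Build a self-contained envelope: document hash, hash-chained audit trail, seal.

    Each audit entry commits to the previous link, so removing, reordering or
    editing any event breaks the chain. The seal covers the last link only,
    which is enough because that link transitively covers everything before it.
    """
    doc_hash = _digest(document)
    trail, prev = [], doc_hash
    for event in events:
        entry = {"prev": prev, "event": event}
        entry_hash = _digest(json.dumps(entry, sort_keys=True).encode())
        trail.append({**entry, "hash": entry_hash})
        prev = entry_hash
    # Stand-in for a signer's digital signature (assumption: symmetric HMAC here).
    seal = hmac.new(seal_key, prev.encode(), hashlib.sha256).hexdigest()
    return {"document_sha256": doc_hash, "audit_trail": trail, "seal": seal}


def verify_envelope(document: bytes, envelope: dict, seal_key: bytes) -> tuple:
    """Re-derive every hash from the document and trail; report the first failure."""
    if _digest(document) != envelope["document_sha256"]:
        return False, "document altered"
    prev = envelope["document_sha256"]
    for i, entry in enumerate(envelope["audit_trail"]):
        if entry["prev"] != prev:
            return False, f"audit trail broken at event {i}"
        recomputed = _digest(
            json.dumps({"prev": entry["prev"], "event": entry["event"]},
                       sort_keys=True).encode())
        if recomputed != entry["hash"]:
            return False, f"audit event {i} altered"
        prev = entry["hash"]
    expected = hmac.new(seal_key, prev.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["seal"]):
        return False, "seal invalid"
    return True, "ok"
```

Because the evidence travels with the document, the provider can keep the only copy and still prove later that neither the consent form nor the record of who signed it and when has changed.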
Access authorization. Identity authentication technology thwarts unauthorized individuals from accessing, viewing or compromising healthcare documents and data, including PHI. Although not specified in HIPAA, two-factor authentication and other high-level authentication methods can be used to ensure that the right person is viewing and signing the right documents and is doing so only according to their privileges. Again, Covered Entities under HIPAA are taking a page from the standards of 21 CFR Part 11 and requiring multi-factor authentication.