E-signatures: Take Them Or Leave Them?
Know Your Facility’s Release of Information Policy
In today’s technology-driven healthcare environment, e-signatures are common, yet they also raise many questions in the world of release of information (ROI). How can ROI specialists verify a patient’s identity when patients sign electronically through a portal, for example? What about when patients sign on an electronic pad/device? Signatures oftentimes look nothing like what appears on an identification card. Another question arises when a third party (e.g., an attorney, insurance company, or other type of requestor) attempts to use an authorization that a patient signs electronically. How do you know whether this authorization is even valid or whether it was the patient’s intent to release his or her information for this specific purpose? What’s the best way to handle these and other scenarios?
Electronic Signatures And HIPAA
According to HIPAA, a covered entity must obtain an individual’s written authorization for any use or disclosure of protected health information (PHI) that is not for treatment, payment, or health care operations. HIPAA does not require a “pen and ink” type of signature as an authorization. However, covered entities must identify a process for verifying the identity of the individual signing the authorization.
Unfortunately, establishing such a process for e-signatures is easier said than done. When patients present in-person for a copy of their records, it’s relatively easy to verify their signature and identity using their license. However, e-signatures make this verification nearly impossible in some instances.
Release Of Information Specialists Need To Be Mindful
The bottom line is that ROI specialists must do their part to protect PHI at all times. This includes establishing practical and effective ways to verify e-signatures. For example, if a provider receives an e-signature, do ROI specialists verify that signature by looking at older requests in the system? If the system doesn’t include any older requests, does the specialist call the patient directly? How is this information tracked and logged? Some facilities simply don’t accept e-signatures at all.
As patient portals become more widely adopted, the demand for requests via e-signature will increase exponentially. Providers must have a strategy in place to address these challenges. It’s only going to get more complicated.
Does your facility accept e-signatures? If so, how do you process and validate these signatures? What works well, and what doesn’t work well? What are your biggest concerns at this point?