21 Jun 2011

Clarifying the Use of Electronic Signatures and Electronic Delivery for HIPAA Requirements


RE: Required Patient and Beneficiary Authorizations, Notices and Acknowledgments

My friends in the e-commerce world tell me that they continually run into representatives of HIPAA-covered organizations – usually providers – who maintain that HIPAA simply does not permit them to get electronic agreements to HIPAA authorizations or electronic acknowledgements of HIPAA privacy notices. I am happy to state emphatically that their belief is both false and ironic, which distinguishes it from many of the unintended consequences of HIPAA, that are instead true and ironic. HIPAA’s ironically titled “Administrative Simplification” provisions were intended to enable some electronic transactions between providers and health plans. However, by requiring some standard transactions that many providers had trouble implementing, a true and ironic consequence of HIPAA’s attempt to encourage electronic transactions was to force those providers into using paper for those same transactions.

Of course, between 1996, when HIPAA was enacted, and December, 2000, when the Clinton Administration issued the first final HIPAA privacy rules, something happened that changed the focus of those Administrative Simplification provisions a bit – the Internet. The issue of maintaining privacy of health information had become a prominent issue, and the complexity of the resulting privacy rules made privacy and information security the most visible components of HIPAA for much of the world.

In the draft of the HIPAA security regulations published in August of 1998, the Department of Health and Human Services (DHHS) noted the importance of electronic signatures in standardizing electronic health care transactions by stating that although “HIPAA does not require the use of electronic signatures[,] [t]his particular capability…would be necessary for a completely paperless environment.” However, in the final security regulations that were not released until February 20, 2003, the DHHS stated that the final rule only adopted security standards and did not contain any standards or recommendations relating to electronic signatures. Instead, the DHHS stated that it would publish a final rule for electronic signatures at a later date. That publication never occurred.