Here are answers to questions we have received from readers. When we're not sure, we ask the experts at the U.S. Office for Civil Rights (OCR). Answers coming from OCR officials are indicated as such.
What are CMS standards/requirements for compliant electronic signatures? Answer below is from U.S. Office for Civil Rights:
HIPAA doesn’t mandate a standard for e-signatures and CMS has not defined a HIPAA standard for e-signatures. However, the CMS Program Integrity office has policy requirements regarding signatures for provider enrollment and for medical review of Medicare fee-for-service claims. It can be found at PIM Chapter 3 section 184.108.40.206 at https://www.cms.gov/
The National Institute of Standards & Technology (NIST) is also a resource for entities looking for industry best practices and especially with respect to IT security and privacy standards. NIST develops the standards that apply to federal agencies and NIST standards are considered the “gold standard”; they are typically used as a yardstick for private industry as well as the federal agencies they are designed for. So, when CMS implements applications that use e-signature capabilities, as a federal agency we must follow NIST guidance.
In 2013, NIST published The Federal Information Processing Standards Publication 186-4 (FIPS 186-4), Digital Signature Standard, which identifies the three techniques for generating digital signatures approved by NIST:
1. The Digital Signature Algorithm (DSA)
2. The RSA digital signature algorithm.
3. The Elliptic Curve Digital Signature Algorithm (ECDSA).
These algorithms allow an entity to authenticate (1) the integrity of signed data and (2) the identity of the signatory; the person signing “owns” a “pair of keys” (one public and one private) that authenticates their signature. A digital signature algorithm includes a signature generation process and a signature verification process. The signature is generated by the signer using a public key; and the authenticity of the signature is verified using the private key (that must be kept confidential).
Finally, Adobe electronic signature is part of the Federal Electronic Signature in Global and National Commerce Act that was passed in 2000, https://www.gpo.gov/fdsys/pkg/
How do organizations serving the ID population meet the HIPAA requirement for meaningful consent for the release of patient information? Answer below is from U.S. Office for Civil Rights:
According to the Developmental Disabilities Assistance and Bill of Rights Act of 1999, the United States Congress has found that “Disability is a natural part of the human experience that does not diminish the right of individuals with developmental disabilities to enjoy the opportunity to live independently, enjoy self-determination, make choices, contribute to society, and experience full integration and inclusion in the economic, political, social, cultural, and educational mainstream of American society.”
With limited exceptions, the HIPAA Privacy Rule requires an individual’s written authorization before his or her protected health information can be used or disclosed. A covered entity must obtain the individual's authorization, unless the disclosure is otherwise permitted by another provision of the Privacy Rule or in circumstances where the individual has a legal personal representative, which is a matter of state law (in such circumstances, authorization required by the Rule will be sought from the legal personal representative).
The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. Covered entities that do so have complete discretion to design a process that best suits their needs. By contrast, an “authorization” is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization. An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual.
An authorization must specify a number of elements, including a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed. With limited exceptions, covered entities may not condition treatment or coverage on the individual providing an authorization.
When patients are asked to make consent decisions, the Department encourages providers, HIEs, and other health IT implementers to help patients make the consent decision meaningful. HHS has issued in-depth guidance on this topic: https://www.healthit.gov/
How much can doctors charge for providing copies of health records to patients?
Here is a link to federal government information on how doctors may calculate fees for copies of patient records:
What are the guidelines for emailing with patients?
Page 5634 of the Privacy Rule states that: “Covered entities are permitted to send an individual unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email.”
The important thing is that patients/guardians are advised of the risks, and that they consent based on personal preference.
Also, be aware of this provision on Page 5634 of the Privacy Rule:
“Covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.”
This is language you might want to just lift and include in a consent form.
The third document I've attached --titled Patient Rights to Protected Health Information -- addresses the rules noted above. This document is only 2 pages, and can also give you some language for a consent form.
On Page 74 of the Security Policy Template on our website, be aware of this:
Depending on content, e-mail messages between clinicians and between patients and clinicians and documents transmitted by e-mail may be considered records and are subject to this policy. If an e-mail message would be considered a record based on its content, the retention period for that e-mail message would be the same for similar content in any other format.
The originator/sender of the e-mail message (or the recipient of a message if the sender is outside Organization) is the person responsible for retaining the message if that message is considered a record. Users must save e-mail messages in a manner consistent with departmental procedures for retaining other information of similar content. Users should be aware of Messaging Policies that establish disposal schedules for e-mail and manage their e-mail
Note: MyHIPAA Guide subscribers may request sample forms for email consent.