FAQ

Here are answers to questions we have received from readers.  When we’re not sure, we ask the experts at the U.S. Office for Civil Rights (OCR).  Answers coming from OCR officials are indicated as such.

What are CMS standards/requirements for compliant electronic signatures?  Answer below is from U.S. Office for Civil Rights:

HIPAA doesn’t mandate a standard for e-signatures and CMS has not defined a HIPAA standard for e-signatures. However, the CMS Program Integrity office has policy requirements regarding signatures for provider enrollment and for medical review of Medicare fee-for-service claims. It can be found at PIM Chapter 3 section 3.3.2.4 at https://www.cms.gov/Regulations-and-Guidance/Guidance/Manuals/Downloads/pim83c03.pdf. In addition, the CMS electronic signature requirements are specific to the signing of the 855 enrollment form. CMS offers a “how to guide” which explains who is allowed to e-sign an enrollment application, available here: https://www.cms.gov/Medicare/.../E-SignatureHowToGuide.pdf

The National Institute of Standards & Technology (NIST) is also a resource for entities looking for industry best practices and especially with respect to IT security and privacy standards. NIST develops the standards that apply to federal agencies and NIST standards are considered the “gold standard”; they are typically used as a yardstick for private industry as well the federal agencies they are designed for. So, when CMS implements applications that use e-signature capabilities, as a federal agency we must follow NIST guidance.

In 2013, NIST published The Federal Information Processing Standards Publication 186-4 (FIPS 186-4), Digital Signature Standard, which identifies the three techniques for generating digital signatures approved by NIST:

1. The Digital Signature Algorithm (DSA)

2. The RSA digital signature algorithm

3. The Elliptic Curve Digital Signature Algorithm (ECDSA)

These algorithms allow an entity to authenticate (1) the integrity of signed data and (2) the identity of the signatory; and the person signing “owns” a “pair of keys” (one public and one private) that authenticates their signature. A digital signature algorithm includes a signature generation process and a signature verification process. The signature is generated by the signer using a public key; and the authenticity of the signature is verified using the private key (that must be kept confidential).

Finally, Adobe electronic signature is part of the Federal Electronic Signature in Global and National Commerce Act that was passed in 2000, https://www.gpo.gov/fdsys/pkg/PLAW-106publ229/pdf/PLAW-106publ229.pdf.  It is widely accepted nationally, and is mirrored by a similar international law.  There are 47 states that have adopted laws for e-signatures, so you may wish to investigate where a provider is located to see whether there is a state law that applies.
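The following is an added example, not code from the OCR answer or from MyHIPAA Guide, showing the two processes the answer above names (signature generation and signature verification) with ECDSA over P-256, one of the three FIPS 186-4 techniques. It uses only the Go standard library and a constructed sample document; the function names and the sample text are this example's own. Note that the code signs with the private key and verifies with the public key, which is how FIPS 186-4 defines all three approved algorithms. Three verification outcomes are shown: a genuine signature, a document altered after signing (integrity check fails), and a signature checked against some other party's public key (identity check fails).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// signDocument hashes the document with SHA-256 and signs the digest with the
// signer's private key. The private key never leaves the signer; only the
// resulting signature and the public key are shared with the relying party.
func signDocument(priv *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verifyDocument recomputes the digest and checks the signature against the
// signer's public key. It returns true only when the document is byte-for-byte
// what was signed (integrity) and the signature was produced by the holder of
// the matching private key (signatory identity).
func verifyDocument(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// SignatureOutcome records what a verifier sees in three cases.
type SignatureOutcome struct {
	Genuine     bool // untouched document, correct public key
	Tampered    bool // one byte of the document changed after signing
	WrongSigner bool // checked against a different party's public key
}

// RunScenario signs a constructed sample document and verifies it three ways.
// The document text is made up for this example.
func RunScenario() (SignatureOutcome, error) {
	var out SignatureOutcome
	doc := []byte("Constructed sample: applicant attests the enrollment information above is accurate.")

	signer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return out, err
	}
	sig, err := signDocument(signer, doc)
	if err != nil {
		return out, err
	}

	// 1. Honest case: the relying party holds the signer's public key.
	out.Genuine = verifyDocument(&signer.PublicKey, doc, sig)

	// 2. Integrity failure: the document was altered after it was signed.
	altered := append([]byte(nil), doc...)
	altered[len(altered)-1] = '!' // replaces the trailing '.'
	out.Tampered = verifyDocument(&signer.PublicKey, altered, sig)

	// 3. Identity failure: another party's public key does not vouch for this signature.
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return out, err
	}
	out.WrongSigner = verifyDocument(&other.PublicKey, doc, sig)

	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrongSigner=%v\n",
		out.Genuine, out.Tampered, out.WrongSigner)
}
```

ECDSA signing is randomized, so the signature bytes differ on every run, but every genuine signature verifies and both failure cases are rejected. In practice a relying party also needs a trustworthy way to learn which public key belongs to which signatory (for example a certificate issued to that person); the signature itself only proves possession of the matching private key.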

How do organizations serving the ID population meet the HIPAA requirement for meaningful consent for the release of patient information? Answer below is from U.S. Office for Civil Rights:

According to the Developmental Disabilities Assistance and Bill of Rights Act of 1999, the United States Congress has found that “Disability is a natural part of the human experience that does not diminish the right of individuals with developmental disabilities to enjoy the opportunity to live independently, enjoy self-determination, make choices, contribute to society, and experience full integration and inclusion in the economic, political, social, cultural, and educational mainstream of American society.” 

With limited exceptions, the HIPAA Privacy Rule requires an individual’s written authorization before his or her protected health information can be used or disclosed.  A covered entity must obtain the individual’s authorization, unless the disclosure is otherwise permitted by another provision of the Privacy Rule or in circumstances where the individual has a legal personal representative, which is a matter of state law (in such circumstances, authorization required by the Rule will be sought from the legal personal representative).

The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. Covered entities that do so have complete discretion to design a process that best suits their needs.  By contrast, an “authorization” is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization. An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual.

An authorization must specify a number of elements, including a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed. With limited exceptions, covered entities may not condition treatment or coverage on the individual providing an authorization.

When patients are asked to make consent decisions, the Department encourages providers, HIEs, and other health IT implementers to help patients make the consent decision meaningful.  HHS has issued in-depth guidance on this topic: https://www.healthit.gov/sites/default/files/choicemodelfinal032610.pdf.  Additional resources on educating patients about their consent options, who may release their information and how, and the significance of the consent choice may be found at:  https://www.healthit.gov/providers-professionals/patient-education-and-engagement.  Finally, you may find the Office of the National Coordinator for Health Information Technology’s Consent Toolkit at https://www.healthit.gov/providers-professionals/econsent-toolkit which includes practical implementation tips for Meaningful Consent and the eConsent Trial Project, an open-source, web-based application, called Story Engine, to develop and present its interactive, electronic patient education material.

How much can doctors charge for providing copies of health records to patients?

Here is a link to federal government information on how doctors may calculate fees for copies of patient records:
http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html#maximumflatfee

What are the guidelines for emailing with patients?

Page 2 of the federal government's Electronic Communications Fact Sheet (available on MyHIPAA Guide; search by report title) addresses email communications and includes links to additional information.

Also: In its Guide to Privacy and Security of Electronic Health Information, the U.S. Department of Health and Human Services says you must accommodate reasonable requests by patients to receive communications from you by the means or at the locations they specify. For those who prefer email communications, you may send unencrypted emails. (The report is available to subscribers on MyHIPAA Guide; search by report title, and see Page 24.)


Page 5634 of the Privacy Rule states that: “Covered entities are permitted to send an individual unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email.”

The important thing is the patients/guardians are advised of risks, and that they consent based on personal preference.

Also, be aware of this provision on Page 5634 of the Privacy Rule:

“Covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.”

This is language you might want to just lift and include in a consent form. 

The third document I’ve attached, titled Patient Rights to Protected Health Information, addresses the rules noted above. This document is only 2 pages, and can also give you some language for a consent form.

On Page 74 of the Security Policy Template on our website, be aware of this:

Depending on content, e-mail messages between clinicians and between patients and clinicians and documents transmitted by e-mail may be considered records and are subject to this policy. If an e-mail message would be considered a record based on its content, the retention period for that email message would be the same for similar content in any other format. The originator/sender of the e-mail message (or the recipient of a message if the sender is outside Organization) is the person responsible for retaining the message if that message is considered a record. Users must save e-mail messages in a manner consistent with departmental procedures for retaining other information of similar content. Users should be aware of Messaging Policies that establish disposal schedules for e-mail and manage their e-mail accordingly.

Note: MyHIPAA Guide subscribers may request sample forms for email consent.
