HIPAA and Patient Authorization in a Digital World
Over the past few years, as digital technology has transformed the medical industry by digitizing medical and therapy offices, many questions have arisen about the validity of patient authorizations obtained in a digital format. Like the patient's right to privacy, patient consent and authorization for the use of their health information have been federally mandated for over two decades. HIPAA's Privacy Rule permits a covered entity to use and disclose protected health information (PHI) for treatment, payment and health care operations without a signed authorization, but it requires a valid written authorization from the patient for most other uses and disclosures, whether the records live in an electronic or a paper-based patient management system. But what does this mean in practice? This article goes through the different types of authorizations you should have on file for each patient and the legality of authorization obtained digitally in lieu of paper.
Types of Patient Authorization:
– Patient authorization – Traditionally this is a written, signed document from the patient that consents to the use and disclosure of their PHI. It also authorizes the patient's health care provider or billing agent (e.g., a medical assistant) to obtain records created by other providers treating the patient for purposes of providing treatment-related services. The Patient Authorization Form should be completed by the patient (or, for minors and others who cannot consent for themselves, by the patient's personal representative as determined by state law) before any disclosure of PHI that HIPAA does not otherwise permit, so that the disclosure does not violate the HIPAA Privacy Rule.
– HIPAA Authorizations: A different type of patient authorization often seen in physician practices is an "Authorization To Disclose Protected Health Information." This document lets physicians and office staff disclose the specified information to the named recipients without obtaining a fresh patient signature on every release. Many medical practices include this form in their initial patient intake packet so that it is already on file should the need arise during the course of the doctor-patient relationship.
A HIPAA patient authorization form is an agreement between a patient and a healthcare provider. A signed form gives your organization permission to use the patient's health information or disclose it to another person or entity, depending on the patient's wishes. You need a signed authorization for:
The use or disclosure of PHI for marketing, except for face-to-face communications between your organization and the patient or a promotional gift of nominal value;
The use of PHI for research, unless an Institutional Review Board or Privacy Board has waived the authorization requirement;
The use or disclosure of psychotherapy notes, with only narrow exceptions (for example, use by the provider who created them to carry out treatment); the general treatment, payment and operations (TPO) exception does not cover psychotherapy notes;
Disclosure of substance use disorder treatment records, which are additionally governed by the federal confidentiality rules at 42 CFR Part 2;
Any use or disclosure of PHI not otherwise permitted or required by HIPAA, and any sale of PHI.
Are online patient authorization forms valid?
A patient authorization form must be kept on file for each patient for the length of their treatment within a practice and beyond (HIPAA requires a covered entity to retain a signed authorization for at least six years from its creation or from the date it was last in effect, whichever is later), which can lead to a large quantity of paperwork in any given office. As medical and therapy practices all over the country transition to digital patient management systems, questions have arisen about whether patient authorizations stored digitally suffice and hold up to legal scrutiny.
An online patient authorization form can be valid for HIPAA compliance, but an electronic authorization must contain the same core elements and statements that a paper one does (45 CFR 164.508(c)). The form should include the following:
A specific description of the PHI to be used or disclosed, and the name of the person or entity (or class of persons) authorized to make the disclosure;
The name of the person or entity (or class of persons) to whom the disclosure may be made, and the purpose of the requested use or disclosure;
An expiration date or expiration event, and statements of the patient's right to revoke the authorization in writing, of whether treatment, payment, enrollment or eligibility may be conditioned on signing, and that PHI disclosed under the authorization may be redisclosed by the recipient and would then no longer be protected by the Privacy Rule;
The patient's signature and the date; this signature can be obtained digitally through either an electronic or a digital signature.
Differences between electronic and digital signatures for patient authorization
– Electronic signature: Under ESIGN, an electronic signature is any electronic sound, symbol or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign it; it connects the "digital" world with the paper one. Examples include drawing your name with a finger or stylus on a tablet or touchscreen, typing your name into a signature field, or ticking an "I agree" box after entering identifying information, with the system recording a date and time stamp or initials.
An electronic signature is useful when you need to complete sensitive paperwork online without faxing or mailing documents back and forth, which creates risk for both parties; for the purposes of this article, that is the case whenever patient authorization is required.
– Digital Signature: A digital signature is a specific kind of electronic signature that adds a cryptographic binding between the signer and the document. The signing software computes a cryptographic hash (a fixed-size fingerprint) of the document and signs that hash with the signer's private key; anyone holding the matching public key, normally distributed in a certificate under a PKI (public key infrastructure), can verify the signature. Because the hash changes if even one byte of the document changes, any edit made to a patient authorization or other document after the digital signature was applied causes verification to fail, and the document must be signed again. Signing applications lock the signed version so that later annotations or additional signatures are layered on top of it rather than altering the original.
In an age of complicated medical procedures, electronic signatures have been a revolutionary way to make the process more efficient. Their legal standing rests on two laws: the federal Electronic Signatures in Global and National Commerce Act (ESIGN, 2000) and the Uniform Electronic Transactions Act (UETA), a model state law that nearly every state has adopted. Together they give electronic signatures the same legal effect as ink signatures across the country.
ESIGN and UETA are commonly summarized as four requirements for an electronic signature to be valid:
1. Intent to sign – as with a traditional ink signature, an electronic signature is only valid if each party intended to sign.
2. Consent to do business electronically – electronic records may not be used in transactions with consumers unless the consumer has agreed beforehand, generally by ticking a check box, after receiving clear disclosures of their rights under ESIGN or UETA.
3. Association of the signature with the record – the system used to capture the transaction must keep an associated record that reflects the process by which the signature was created, or add a textual or graphic statement to the signed record showing that it was executed with an electronic signature.
4. Record retention – electronic signature records must be retained, and accurate reproductions must be available for reference by all parties or persons entitled to retain the contract or record.
Medical practices must satisfy ESIGN and UETA, and documents like patient authorizations and HIPAA authorizations must additionally meet the HIPAA Privacy and Security Rules, which in practice means:
1. The patient must consent to the electronic process and willingly enter into the agreement with the healthcare provider.
2. The process must be fully documented and must authenticate the signer (the Security Rule's person or entity authentication standard). A password alone is a single factor; stronger assurance comes from adding a second factor such as a one-time code or photo ID verification. This leaves no question whether the patient intended to enter into the agreement.
3. Message integrity must be preserved. The documents must be protected against unauthorized access, and the signature must be cryptographically bound to the document contents so that any tampering or forgery is detectable (the Security Rule's integrity standard). Encryption protects confidentiality in storage and in transit, but it does not by itself prove that a signed document is unchanged; that is what the signature over the document's hash provides.
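The following Go program is an added example written for this article; it is not PatientStudio's code or any vendor's implementation. It shows the digital signature mechanics described above (hash the document, sign the hash, verify with the public key) and the integrity requirement from point 3: a constructed sample authorization is signed with Ed25519, verified, then altered after signing, and verification fails. The record fields, sample values and the choice to embed the public key directly (rather than carry it in a PKI certificate) are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"log"
)

// AuthorizationRecord is the content that gets signed. Field names and values
// are illustrative (not a real product schema). Besides the authorization
// terms it carries the ESIGN/UETA evidence: consent to electronic records, an
// explicit intent statement and a timestamp.
type AuthorizationRecord struct {
	PatientID        string `json:"patient_id"`
	Recipient        string `json:"recipient"`
	Purpose          string `json:"purpose"`
	Expires          string `json:"expires"`
	ConsentedToESign bool   `json:"consented_to_esign"`
	IntentStatement  string `json:"intent_statement"`
	SignedAt         string `json:"signed_at"`
}

// SignedAuthorization binds the record to its digest, the signature and the
// verification key. A PKI deployment would carry the key in a certificate.
type SignedAuthorization struct {
	Record    AuthorizationRecord
	Digest    string            // hex SHA-256 over the canonical record bytes
	Signature []byte            // Ed25519 signature over the digest
	PublicKey ed25519.PublicKey // signer's verification key
}

// canonicalBytes serialises the record deterministically: encoding/json emits
// struct fields in declaration order, so equal records give equal bytes.
func canonicalBytes(r AuthorizationRecord) ([]byte, error) {
	return json.Marshal(r)
}

// Sign computes the record's fingerprint and signs it with the private key.
func Sign(priv ed25519.PrivateKey, r AuthorizationRecord) (*SignedAuthorization, error) {
	b, err := canonicalBytes(r)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(b)
	return &SignedAuthorization{
		Record:    r,
		Digest:    hex.EncodeToString(digest[:]),
		Signature: ed25519.Sign(priv, digest[:]),
		PublicKey: priv.Public().(ed25519.PublicKey),
	}, nil
}

// Verify recomputes the digest from the record as stored and checks the
// signature against it. Any change to any field after signing, even one
// character of the purpose or a flipped consent flag, makes this return false.
func Verify(s *SignedAuthorization) bool {
	b, err := canonicalBytes(s.Record)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(b)
	if hex.EncodeToString(digest[:]) != s.Digest {
		return false
	}
	return ed25519.Verify(s.PublicKey, digest[:], s.Signature)
}

// RunDemo signs a constructed sample authorization, verifies it, tampers with
// the stored record and verifies again, returning both results.
func RunDemo() (validBeforeTamper, validAfterTamper bool, err error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	rec := AuthorizationRecord{ // constructed sample input
		PatientID:        "P-0001",
		Recipient:        "Example Clinic Billing Dept",
		Purpose:          "billing",
		Expires:          "2026-12-31",
		ConsentedToESign: true,
		IntentStatement:  "I intend to sign this authorization electronically.",
		SignedAt:         "2025-01-15T10:30:00Z",
	}
	signed, err := Sign(priv, rec)
	if err != nil {
		return false, false, err
	}
	validBeforeTamper = Verify(signed)

	// Tamper after signing: widen the purpose the patient actually agreed to.
	signed.Record.Purpose = "billing, marketing"
	validAfterTamper = Verify(signed)
	return validBeforeTamper, validAfterTamper, nil
}

func main() {
	before, after, err := RunDemo()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("valid as signed: %v, valid after tampering: %v\n", before, after)
}
```

Verification depends only on the record bytes, the signature and the public key, so a practice can prove years later that a stored authorization is the one the patient signed; an encrypted but unsigned PDF gives no such guarantee, since whoever holds the decryption key can edit and re-encrypt it without trace.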
Digital patient management systems like PatientStudio have built platforms that provide the functionality and security needed to obtain patient authorization and HIPAA authorization in a digital, secure environment. The technology exists to maintain patient privacy, add layers of security and efficiency, and comply with federal and local regulations, all in one online environment.