In today's world, people routinely form valid contractual relationships electronically, and various federal and state statutes, including the federal Electronic Signatures in Global and National Commerce Act ("E-SIGN") and the various state versions of the Uniform Electronic Transactions Act ("UETA"), facilitate these transactions. However, these relationships may also create situations in which healthcare providers are asked to provide access to or copies of protected health information ("PHI") to one of those contracting parties.
At the outset, it is important to recognize that HIPAA does not require a "wet" or "pen and ink" signature on an authorization; however, obtaining a signature does not abrogate the duty of the covered entity to verify the identity of the person signing the authorization. 45 C.F.R. Section 164.514(h). The absence of a "real" signature against which the release of information clerk can make a lay comparison (thereby performing a critical part of verification) will doubtless create other operational issues.
A larger problem is presented, however, when a third party attempts to use an authorization that was signed electronically by the patient to obtain that patient's PHI. An example of this is an authorization provided in connection with an online application for life insurance, which the insurer then uses to underwrite the application. Here is the dilemma: for all their salutary benefits in assisting e-commerce, neither E-SIGN nor the various UETA variants requires a stranger to the transaction (in this case, the health care provider) to accept the validity of an electronic signature. E-SIGN, for instance, provides no explicit statement (and neither does HIPAA, for that matter) that an authorization to release PHI constitutes a "commercial contract" within the meaning of the statute. But the statute does explicitly state that third parties are not bound by the decision of the contracting parties to use electronic signatures. 15 U.S.C. Section 7001(b)(2). Likewise, various iterations of UETA provide that it "shall only apply to transactions between parties each of which has agreed to conduct transactions by electronic means." O.C.G.A. §10-12-5(b). See also N.C.G.S. §66-315(b) and Fla. Stat. §668.50(5)(b). The UETA also defines an "electronic signature" in a most unhelpful way, limiting the efficacy of the signature to its use "by a person with the intent to sign" the document in question. See, e.g., O.C.G.A. §10-2-2(8). There is no practical way for a stranger to a transaction to know what the "signer's" intent is or was; therefore, there is no way for the health care provider in our example to impute authenticity or effectiveness to the electronic signature in a way that helps establish the validity of the authorization. And, in at least one state, an electronic signature standing alone is no proof of the identity of the person signing a document. See, e.g., The Prudential Ins. Co. v. Dukoff, 674 F. Supp. 2d 401 (E.D.N.Y. 2009), interpreting the New York version of the UETA.
Thus, notwithstanding E-SIGN and the UETA, providers are free to determine their own "best practices" with regard to the acceptance of electronically signed authorizations, but they remain obligated to verify the identity of persons signing HIPAA authorizations. The nature of electronic signatures makes it very difficult for a provider to rely only on an electronically signed HIPAA authorization when releasing records to a person other than the patient whose records are requested. And in some states, the UETA may not permit a covered entity to rely on an electronic signature at all absent other information that would clearly identify the person signing the authorization and his or her intent in providing the electronic signature in the transaction.