Electronic Records and Signatures in Healthcare and the Interplay of E-Sign, HIPAA and UETA
The healthcare industry is highly regulated by a complex statutory and regulatory framework at every level. Electronic commerce in such a highly regulated industry presents some challenges to say the least. States have approached e-commerce in a myriad of ways, leaving consumers and businesses confused as to whose law applies. Through its legislative efforts, Congress attempted to provide for uniform standards across state lines by passing the Electronic Signatures in Global and National Commerce Act (S. 761, 106th Cong. (2000), 15 U.S.C. Sections 7001 et. seq.), an act which essentially pre-empts many of the conflicting state laws heretofore governing e-commerce. The Federal Electronic Signatures in Global and National Commerce Act ("E-SIGN") seeks to foster electronic commerce by addressing some of the legal barriers and standardizing the rules for electronic transactions. Electronic records and signatures are essential elements of many electronic transactions, particularly in healthcare.
The interplay of E-SIGN, the Uniform Electronic Transactions Act drafted by the National Conference of Commissioners on Uniform State Laws ("UETA"), the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and various enacted and proposed regulations implementing HIPAA must be considered if electronic records and signatures are to be used in healthcare transactions.
E-sign
E-sign provides that, notwithstanding any statute, regulation, or other rule of law governing any transaction in or affecting interstate or foreign commerce, a signature or other record may not be denied legal effect solely because an electronic signature or record was used in its formation. Most provisions of E-sign took effect on October 1, 2000. On March 1, 2001, portions of the law governing record retention will become effective with respect to records required by a federal or state statute, regulation, or other rule of law administered or promulgated by a state regulatory agency, although state or federal agencies may extend that date to June 1, 2000.
Records
E-SIGN provides guidance on how records may be stored and retained electronically. If a document is required to be retained by law, an electronic version of the document will be acceptable if the electronic document accurately reflects the information in the record and is accessible to all relevant people in a form that may be accurately reproduced at a later date, whether by printing, electronically transmitting or other means. No specific type of technology is mandated by E-SIGN. The law is technology neutral, allowing individual parties to choose the technology that best suits their needs. The term "electronic" is defined broadly in E-SIGN and means related to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or other similar capabilities. Under E-SIGN, the term "transaction" means an action or set of actions relating to the conduct of business, consumer or commercial affairs between two or more persons. The term "electronic record" means a contract or other record created, generated, sent, communicated, received or stored by electronic means.
Certain kinds of records are excepted from E-SIGN. Those records include: court orders or notices and other official documents required to be executed in connection with court proceedings; notices of cancellation or termination of utility services; notices of default and acceleration, repossession, foreclosure, eviction or the right to cure under a mortgage or lease agreement for an individual's primary residence; notices of the cancellation of health insurance or benefits or life insurance benefits; notices of the recall of a product or material failure of a product that risks endangering health or safety and any document required to accompany the transportation or handling of hazardous, toxic, or other dangerous materials. Additionally, E-SIGN is not applicable to laws governing family law matters such as adoption and divorce, nor does E-SIGN apply to writing or signature requirements imposed under laws governing the creation and execution of wills, codicils or testamentary trusts or certain sections of the Uniform Commercial Code. The E-SIGN exception for wills raises at least one question for healthcare providers and that is whether living wills which are signed or created electronically will be effective.
A general familiarity with E-sign is critical for any entity conducting electronic health care transactions inasmuch as such transactions are heavily regulated by federal and state agencies. Three of E-sign's subsections specifically preserve the authority of federal and state agencies to establish standards governing the retention or filing of records. Section 104(a) of E-sign preserves the authority of state and federal agencies to require that records filed with the agency comply with specified standards and formats. Section 104(b) allows state and federal agencies to issue regulations that interpret E-sign, within the scope of their authority, so long as there is a substantial justification for the regulations and so long as the regulations are consistent with E-sign and technology neutral. Section 104(b) also allows state and federal agencies to specify performance standards to assure the accuracy, record integrity, and accessibility of records that are required to be retained. The standards may require a nonelectronic format if there is a compelling governmental interest relating to law enforcement or national security justifying the requirement and the requirement is essential to attaining such interest.
All three of these subsections are limited by Section 101(b)(2), which requires a governmental agency to agree to use or accept electronic records or electronic signatures, except with respect to contracts to which the governmental agency is a party. Accordingly, while it is clear that an agency can specify standards and formats for electronic records or electronic signatures which must be retained by a party or filed with the agency, it does not appear that the agency can require a non-electronic format without establishing a compelling reason for doing so.
Signatures
Under E-SIGN, the term "electronic signature" means an electronic sound, symbol or process attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record. Again, no particular technology is required by E-SIGN for electronic signatures. Instead, the law allows the parties to select the method of authentication that best suits their needs and security concerns. Both HIPAA and UETA provide more guidance on authentication of electronic signatures than does E-SIGN.
Special Consumer Protections
The term "consumer" means an individual who obtains, through a transaction, products or services which are used primarily for personal, family or household purposes. E-SIGN imposes special requirements on anyone obligated to provide written disclosures to consumers. Those special requirements are imposed to ensure that consumers can make fully informed decisions about electronic transactions and to provide some protection for consumers. Essentially, E-SIGN provides that the consumer must have affirmatively consented to receive the required information electronically. Before consenting, the consumer must receive clear and conspicuous information about the consumer's rights to obtain information on paper, the right to withdraw consent and the procedures for doing so, whether the consent relates to a single transaction or for categories of records and how to obtain a paper record, among other things.
Under E-SIGN, threshold questions in healthcare are whether a proposed arrangement is a transaction for purposes of E-SIGN, whether the transaction is affecting or in interstate commerce, whether a consumer is involved and what exceptions, if any, apply. If it is assumed that E-SIGN applies to electronic healthcare transactions (and in most cases that may be a reasonable assumption), there still are many unanswered questions about how electronic commerce in healthcare should be conducted.
HIPAA
HIPAA was originally intended to improve the availability of health insurance for American workers and their families. Another goal of HIPAA was to reduce the administrative costs and burdens of healthcare by establishing uniform standards for healthcare data and facilitating electronic healthcare transactions. The section of HIPAA relating to electronic healthcare transactions and discussed in this article is also referred to as the "administrative simplification provisions of HIPAA."
Because of the sensitive nature of healthcare information, HIPAA also requires rules to be issued addressing standards to protect the privacy and security of health information communicated electronically. Extensive rules have been proposed regarding, among other things, electronic signatures, privacy and security in covered healthcare transactions. The only final HIPAA rules issued under the administrative simplification provisions are those pertaining to standards for electronic transmission of healthcare data.
HIPAA applies to health plans, healthcare clearinghouses or healthcare providers who transmit any protected health information in electronic form in connection with a covered transaction. Under the proposed HIPAA regulations, the term "transaction" means the exchange of information between two parties to carry out financial and administration activities related to healthcare. Such transactions generally include: health claims; healthcare payments; coordination of benefits; enrollment and disenrollment in a health plan; health plan premium payments; referral certifications and authorizations.
HIPAA will pre-empt contrary state law, with certain exceptions. Exceptions are recognized for state laws which: address controlled substances; require the reporting of disease, injury, child abuse, and the like; where state law on the privacy of health information is more stringent than HIPAA or the Secretary of the Department of Health and Human Services ("HHS") determines the state law in question is necessary.
Records
HIPAA does not define the term "records." Instead, the proposed regulations define the term "health information" broadly as any information, whether oral or recorded in any form or medium that: (1) is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university or healthcare clearinghouse; and (2) relates to the past, present or future physical or mental health or condition of an individual, the provision of healthcare to an individual, or the past, present or future payment for the provision of healthcare to an individual. The breadth of this definition would extend the reach of HIPAA beyond electronic records to potentially any health information or records within the possession or control of the entities referenced.
Essentially, the proposed HIPAA regulations would limit the use or disclosure of an individual's health information by a covered entity to carry out treatment, payment or healthcare operations, in which case the consent of the individual is not required or pursuant to an individual's authorization. The proposed HIPAA regulations address the content of notices or information that must be provided by covered entity to individuals, but the method of communication is not explicitly addressed.
Questions about notices to individuals that arise when considering the interplay of HIPAA, E-SIGN and UETA include whether the consumer protections in E-SIGN will be applicable to communications between patients and healthcare providers or other entities covered by HIPAA. As noted above, a consumer for purposes of E-SIGN is an individual who obtains, through a transaction, products or services which are used primarily for personal, family or household purposes. If one assumes that a patient who receives healthcare or purchases insurance is obtaining such products or services for personal use, then must the patient be forever classified as a consumer with respect to that entity such that the consumer protections of E-SIGN would apply to all communications with the patient? Will a patient be obtaining services for personal use if he or she is given an annual physical as required, or paid for by an employer? If an individual obtains products or services while using a computer at work, there may also be uncertainty about whether the products or services are for personal or business purposes. These are just a few of the uncertainties facing the healthcare industry as it moves to embrace e-commerce. Hopefully, the final HIPAA regulations will provide some additional guidance on these and other issues now that E-SIGN has become law.
Electronic Signatures
An electronic signature under HIPAA means the attribute affixed to an electronic document to bind it to a particular party. An electronic signature secures the user authentication (proof of claimed identity) at the time the signature is generated; creates the logical manifestation of signature (including the possibility for multiple parties to sign a document and have the order of application recognized and proven); supplies additional information such as time stamp and signature purpose specific to that user; and ensures the integrity of the signed document to enable transportability of data, interoperability, independent verifiability, and continuity of signature capability. Verifying a signature on a document verifies the integrity of the document and associated attributes and verifies the identity of the signer. If an entity uses electronic signatures, the signature method must assure all of the following features: message integrity; nonrepudiation; and user authentication. No specific technology is mandated by HIPAA, and it too appears to be technology neutral.
UETA
The use of electronic records and signatures in healthcare transactions may also be affected by state law. E-SIGN does not wholly pre-empt state law. Rather, it allows a state to "modify, limit or supercede" E-SIGN through the passage of a law which either: (1) parallels the official version of UETA, without any variations which are technology-specific or inconsistent with E-SIGN, or (2) specifies alternative procedures or requirements for the use or acceptance (or both) of electronic records and electronic signatures that are consistent with E-SIGN and not technology-specific.
UETA provides generally that, so long as the parties to a transaction agree to an electronic transaction, a signature or other record may not be denied legal effect solely because it is in electronic form. UETA also provides that a contract may not be denied legal effect solely because an electronic signature or record was used in its formation. Under UETA, electronic signatures and records satisfy laws that require signatures or written records, provided that laws other than UETA which require that records be sent, communicated, or transmitted by a particular method must, with limited exceptions, be followed. To date, twenty-three states have adopted UETA in some form. Parties utilizing electronic signatures and records in healthcare transactions governed in whole or in part by state law must, to the extent that the state has enacted a law like UETA which is consistent with E-SIGN, look to the state law to resolve any questions regarding the validity of the transactions.
The key provisions and definitions of E-SIGN are substantially similar to UETA. However, some differences exist. UETA provisions which are not addressed in E-SIGN include: the time when messages are deemed sent or received; errors in electronic contracting; and attribution of electronic signatures. Attribution of electronic signatures will be critical in healthcare transactions in that HIPAA and other sources of substantive state and federal law may have to be met. Another difference between UETA and E-SIGN is the consumer protections E-SIGN imposes, which are not found in UETA.
One point that UETA makes clear is that a transaction covered by UETA remains subject to other applicable substantive law. This is an important point to remember for those conducting electronic transactions in the highly regulated healthcare industry.
Summary
In sum, there is one safe rule to follow when determining which laws or regulations govern a particular healthcare transaction involving the use of electronic records or signatures: closely consider all of them. Assuming each is consistent with E-SIGN, it is highly likely each will apply.
Threshold questions must be considered to determine the applicability of E-SIGN, UETA and HIPAA to electronic transactions in healthcare. To analyze a healthcare transaction, it will be necessary to consider the following: who are the parties; are any of the parties explicitly covered by the laws under consideration; what is the nature of the proposed transaction; what information or records does the transaction involve; is the proposed transaction (such as signing a will) excluded from application of one of the laws, and, of course, what other federal and state substantive requirements apply. These analyses will be expedited by learning E-SIGN, HIPAA and UETA, and developing systems and procedures that comply with the laws. Initially, for the traditional healthcare industry, this will be a cumbersome process. At some point, a case by case analysis will no longer be practical. Either further regulatory guidance will be necessary or the healthcare industry must become more efficient in designing mechanisms to comply with all of the laws governing electronic records and signatures. The promises and potential cost savings of electronic commerce are too tempting, and the cost pressures within healthcare are too great to risk being left out of the e-commerce revolution.
The interplay of E-SIGN, the Uniform Electronic Transactions Act drafted by the National Conference of Commissioners on Uniform State Laws ("UETA"), the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and various enacted and proposed regulations implementing HIPAA must be considered if electronic records and signatures are to be used in healthcare transactions.
E-sign
E-sign provides that, notwithstanding any statute, regulation, or other rule of law governing any transaction in or affecting interstate or foreign commerce, a signature or other record may not be denied legal effect solely because an electronic signature or record was used in its formation. Most provisions of E-sign took effect on October 1, 2000. On March 1, 2001, portions of the law governing record retention will become effective with respect to records required by a federal or state statute, regulation, or other rule of law administered or promulgated by a state regulatory agency, although state or federal agencies may extend that date to June 1, 2000.
Records
E-SIGN provides guidance on how records may be stored and retained electronically. If a document is required to be retained by law, an electronic version of the document will be acceptable if the electronic document accurately reflects the information in the record and is accessible to all relevant people in a form that may be accurately reproduced at a later date, whether by printing, electronically transmitting or other means. No specific type of technology is mandated by E-SIGN. The law is technology neutral, allowing individual parties to choose the technology that best suits their needs. The term "electronic" is defined broadly in E-SIGN and means related to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or other similar capabilities. Under E-SIGN, the term "transaction" means an action or set of actions relating to the conduct of business, consumer or commercial affairs between two or more persons. The term "electronic record" means a contract or other record created, generated, sent, communicated, received or stored by electronic means.
Certain kinds of records are excepted from E-SIGN. Those records include: court orders or notices and other official documents required to be executed in connection with court proceedings; notices of cancellation or termination of utility services; notices of default and acceleration, repossession, foreclosure, eviction or the right to cure under a mortgage or lease agreement for an individual's primary residence; notices of the cancellation of health insurance or benefits or life insurance benefits; notices of the recall of a product or material failure of a product that risks endangering health or safety and any document required to accompany the transportation or handling of hazardous, toxic, or other dangerous materials. Additionally, E-SIGN is not applicable to laws governing family law matters such as adoption and divorce, nor does E-SIGN apply to writing or signature requirements imposed under laws governing the creation and execution of wills, codicils or testamentary trusts or certain sections of the Uniform Commercial Code. The E-SIGN exception for wills raises at least one question for healthcare providers and that is whether living wills which are signed or created electronically will be effective.
A general familiarity with E-sign is critical for any entity conducting electronic health care transactions inasmuch as such transactions are heavily regulated by federal and state agencies. Three of E-sign's subsections specifically preserve the authority of federal and state agencies to establish standards governing the retention or filing of records. Section 104(a) of E-sign preserves the authority of state and federal agencies to require that records filed with the agency comply with specified standards and formats. Section 104(b) allows state and federal agencies to issue regulations that interpret E-sign, within the scope of their authority, so long as there is a substantial justification for the regulations and so long as the regulations are consistent with E-sign and technology neutral. Section 104(b) also allows state and federal agencies to specify performance standards to assure the accuracy, record integrity, and accessibility of records that are required to be retained. The standards may require a nonelectronic format if there is a compelling governmental interest relating to law enforcement or national security justifying the requirement and the requirement is essential to attaining such interest.
All three of these subsections are limited by Section 101(b)(2), which requires a governmental agency to agree to use or accept electronic records or electronic signatures, except with respect to contracts to which the governmental agency is a party. Accordingly, while it is clear that an agency can specify standards and formats for electronic records or electronic signatures which must be retained by a party or filed with the agency, it does not appear that the agency can require a non-electronic format without establishing a compelling reason for doing so.
Signatures
Under E-SIGN, the term "electronic signature" means an electronic sound, symbol or process attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record. Again, no particular technology is required by E-SIGN for electronic signatures. Instead, the law allows the parties to select the method of authentication that best suits their needs and security concerns. Both HIPAA and UETA provide more guidance on authentication of electronic signatures than does E-SIGN.
Special Consumer Protections
The term "consumer" means an individual who obtains, through a transaction, products or services which are used primarily for personal, family or household purposes. E-SIGN imposes special requirements on anyone obligated to provide written disclosures to consumers. Those special requirements are imposed to ensure that consumers can make fully informed decisions about electronic transactions and to provide some protection for consumers. Essentially, E-SIGN provides that the consumer must have affirmatively consented to receive the required information electronically. Before consenting, the consumer must receive clear and conspicuous information about the consumer's rights to obtain information on paper, the right to withdraw consent and the procedures for doing so, whether the consent relates to a single transaction or for categories of records and how to obtain a paper record, among other things.
Under E-SIGN, threshold questions in healthcare are whether a proposed arrangement is a transaction for purposes of E-SIGN, whether the transaction is affecting or in interstate commerce, whether a consumer is involved and what exceptions, if any, apply. If it is assumed that E-SIGN applies to electronic healthcare transactions (and in most cases that may be a reasonable assumption), there still are many unanswered questions about how electronic commerce in healthcare should be conducted.
HIPAA
HIPAA was originally intended to improve the availability of health insurance for American workers and their families. Another goal of HIPAA was to reduce the administrative costs and burdens of healthcare by establishing uniform standards for healthcare data and facilitating electronic healthcare transactions. The section of HIPAA relating to electronic healthcare transactions and discussed in this article is also referred to as the "administrative simplification provisions of HIPAA."
Because of the sensitive nature of healthcare information, HIPAA also requires rules to be issued addressing standards to protect the privacy and security of health information communicated electronically. Extensive rules have been proposed regarding, among other things, electronic signatures, privacy and security in covered healthcare transactions. The only final HIPAA rules issued under the administrative simplification provisions are those pertaining to standards for electronic transmission of healthcare data.
HIPAA applies to health plans, healthcare clearinghouses or healthcare providers who transmit any protected health information in electronic form in connection with a covered transaction. Under the proposed HIPAA regulations, the term "transaction" means the exchange of information between two parties to carry out financial and administration activities related to healthcare. Such transactions generally include: health claims; healthcare payments; coordination of benefits; enrollment and disenrollment in a health plan; health plan premium payments; referral certifications and authorizations.
HIPAA will pre-empt contrary state law, with certain exceptions. Exceptions are recognized for state laws which: address controlled substances; require the reporting of disease, injury, child abuse, and the like; where state law on the privacy of health information is more stringent than HIPAA or the Secretary of the Department of Health and Human Services ("HHS") determines the state law in question is necessary.
Records
HIPAA does not define the term "records." Instead, the proposed regulations define the term "health information" broadly as any information, whether oral or recorded in any form or medium that: (1) is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university or healthcare clearinghouse; and (2) relates to the past, present or future physical or mental health or condition of an individual, the provision of healthcare to an individual, or the past, present or future payment for the provision of healthcare to an individual. The breadth of this definition would extend the reach of HIPAA beyond electronic records to potentially any health information or records within the possession or control of the entities referenced.
Essentially, the proposed HIPAA regulations would limit the use or disclosure of an individual's health information by a covered entity to carry out treatment, payment or healthcare operations, in which case the consent of the individual is not required or pursuant to an individual's authorization. The proposed HIPAA regulations address the content of notices or information that must be provided by covered entity to individuals, but the method of communication is not explicitly addressed.
Questions about notices to individuals that arise when considering the interplay of HIPAA, E-SIGN and UETA include whether the consumer protections in E-SIGN will be applicable to communications between patients and healthcare providers or other entities covered by HIPAA. As noted above, a consumer for purposes of E-SIGN is an individual who obtains, through a transaction, products or services which are used primarily for personal, family or household purposes. If one assumes that a patient who receives healthcare or purchases insurance is obtaining such products or services for personal use, then must the patient be forever classified as a consumer with respect to that entity such that the consumer protections of E-SIGN would apply to all communications with the patient? Will a patient be obtaining services for personal use if he or she is given an annual physical as required, or paid for by an employer? If an individual obtains products or services while using a computer at work, there may also be uncertainty about whether the products or services are for personal or business purposes. These are just a few of the uncertainties facing the healthcare industry as it moves to embrace e-commerce. Hopefully, the final HIPAA regulations will provide some additional guidance on these and other issues now that E-SIGN has become law.
Electronic Signatures
An electronic signature under HIPAA means the attribute affixed to an electronic document to bind it to a particular party. An electronic signature secures the user authentication (proof of claimed identity) at the time the signature is generated; creates the logical manifestation of signature (including the possibility for multiple parties to sign a document and have the order of application recognized and proven); supplies additional information such as time stamp and signature purpose specific to that user; and ensures the integrity of the signed document to enable transportability of data, interoperability, independent verifiability, and continuity of signature capability. Verifying a signature on a document verifies the integrity of the document and associated attributes and verifies the identity of the signer. If an entity uses electronic signatures, the signature method must assure all of the following features: message integrity; nonrepudiation; and user authentication. No specific technology is mandated by HIPAA, and it too appears to be technology neutral.
UETA
The use of electronic records and signatures in healthcare transactions may also be affected by state law. E-SIGN does not wholly pre-empt state law. Rather, it allows a state to "modify, limit or supercede" E-SIGN through the passage of a law which either: (1) parallels the official version of UETA, without any variations which are technology-specific or inconsistent with E-SIGN, or (2) specifies alternative procedures or requirements for the use or acceptance (or both) of electronic records and electronic signatures that are consistent with E-SIGN and not technology-specific.
UETA provides generally that, so long as the parties to a transaction agree to an electronic transaction, a signature or other record may not be denied legal effect solely because it is in electronic form. UETA also provides that a contract may not be denied legal effect solely because an electronic signature or record was used in its formation. Under UETA, electronic signatures and records satisfy laws that require signatures or written records, provided that laws other than UETA which require that records be sent, communicated, or transmitted by a particular method must, with limited exceptions, be followed. To date, twenty-three states have adopted UETA in some form. Parties utilizing electronic signatures and records in healthcare transactions governed in whole or in part by state law must, to the extent that the state has enacted a law like UETA which is consistent with E-SIGN, look to the state law to resolve any questions regarding the validity of the transactions.
The key provisions and definitions of E-SIGN are substantially similar to UETA. However, some differences exist. UETA provisions which are not addressed in E-SIGN include: the time when messages are deemed sent or received; errors in electronic contracting; and attribution of electronic signatures. Attribution of electronic signatures will be critical in healthcare transactions in that HIPAA and other sources of substantive state and federal law may have to be met. Another difference between UETA and E-SIGN is the consumer protections E-SIGN imposes, which are not found in UETA.
One point that UETA makes clear is that a transaction covered by UETA remains subject to other applicable substantive law. This is an important point to remember for those conducting electronic transactions in the highly regulated healthcare industry.
Summary
In sum, there is one safe rule to follow when determining which laws or regulations govern a particular healthcare transaction involving the use of electronic records or signatures: closely consider all of them. Assuming each is consistent with E-SIGN, it is highly likely each will apply.
Threshold questions must be considered to determine the applicability of E-SIGN, UETA and HIPAA to electronic transactions in healthcare. To analyze a healthcare transaction, it will be necessary to consider the following: who are the parties; are any of the parties explicitly covered by the laws under consideration; what is the nature of the proposed transaction; what information or records does the transaction involve; is the proposed transaction (such as signing a will) excluded from application of one of the laws, and, of course, what other federal and state substantive requirements apply. These analyses will be expedited by learning E-SIGN, HIPAA and UETA, and developing systems and procedures that comply with the laws. Initially, for the traditional healthcare industry, this will be a cumbersome process. At some point, a case by case analysis will no longer be practical. Either further regulatory guidance will be necessary or the healthcare industry must become more efficient in designing mechanisms to comply with all of the laws governing electronic records and signatures. The promises and potential cost savings of electronic commerce are too tempting, and the cost pressures within healthcare are too great to risk being left out of the e-commerce revolution.
Contributors
Related Services & Industries