QUESTION: We received a HIPAA authorization form via e-mail, requesting a copy of the patient’s medical record for life insurance verification purposes. There is no signature on the form – just a typewritten name and some information regarding when the electronic signature occurred. Does this type of signature satisfy HIPAA’s requirement that authorization forms be “signed” by the patient?
ANSWER: Yes. The Health Insurance Portability and Accountability Act (“HIPAA”) does not require the signature on an authorization form to be physically placed there by the patient, signing with a pen. Rather, so long as the applicable state (the state where the patient is located and/or the state where the hospital is located) recognizes an electronic signature as legally binding and valid, it is fine for the authorization form to be signed electronically. In our experience, most states recognize electronic signatures as valid equivalents to signatures for most purposes. But you should check with counsel and have them research the applicable state law, to be sure.
Note the following FAQ from the Department of Health and Human Services Office for Civil Rights’ web page at http://www.hhs.gov/hipaa/for-professionals/faq/554/how-do-hipaa-authorizations-apply-to-electronic-health-information/:
How do HIPAA authorizations apply to an electronic health information exchange environment?
The HIPAA Privacy Rule requires the individual’s written authorization for any use or disclosure of protected health information (PHI) not otherwise expressly permitted or required by the Privacy Rule. For example, authorizations are not generally required to disclose PHI for treatment, payment, or health care operations purposes because covered entities are permitted to use and disclose PHI for such purposes, with few exceptions. Thus, to the extent the primary purpose of any electronic health information exchange is to exchange clinical information among health care providers for treatment, HIPAA authorizations are unlikely to be a common method of effectuating individual choice for the exchange. However, if the purpose of a covered entity sharing PHI through a health information organization is for a purpose not otherwise permitted by the Privacy Rule, then a HIPAA authorization would be required. In such cases, the Privacy Rule would allow covered entities to disclose PHI pursuant to an electronic copy of a valid and signed authorization. Further, the Privacy Rule allows HIPAA authorizations to be obtained electronically from individuals, provided any electronic signature is valid under applicable law.