Under the HIPAA Privacy Rule, a doctor or hospital may require individuals to make requests for their records in writing, and where the individual is asking for his or her records to be sent directly to a third party designee, the request is required to be “in writing, signed by the individual,” and it must “clearly identify” both the third party designee and where to send the copy of the information (45 CFR 164.524(c)(3)(ii)). However, the HHS Office for Civil Rights (which develops policy for and enforces the HIPAA Privacy Rule) has said in guidance that doctors or hospitals cannot require individuals to make their requests for information in person, or by mail. So how else can an individual's signed request for information be submitted?
Via the internet, of course; the medium with which countless people around the world communicate on a daily basis. For example, many of us have used the online service Docusign to authorize or sign documents with a digital signature that is acceptable in other contexts, such as signing for a loan, submitting documents to governmental authorities, or executing a residential lease. Yet, we’ve found that Docusign doesn’t seem to pass muster when it comes to patient requests for their health records!
OCR has clearly said that “the Privacy Rule allows for electronic documents to qualify as written documents for purposes of meeting the Privacy Rule’s requirements, as well as electronic signatures to satisfy any requirement for a signature, to the extent the signature is valid under applicable law.” (78 Federal Register 5566, at 5634 (Jan. 13, 2013)). HIPAA itself has no specific standards for electronic signatures, but the Federal E-Sign Act broadly recognizes the validity of electronic signatures in most contexts (there are exceptions, but none apply to the circumstance of patients seeking their health information).
Therefore, individuals seeking to have copies of their health records sent to Ciitizen or any third party of their choice should be allowed to submit a digital request that includes a digital signature, right?
The answer should be yes, yet we have found that too many health care providers “do not accept electronic signatures” on patient requests for access (a direct quote from some of the rejections we have received). While it is true that the Privacy Rule does not include an express requirement to accept an electronic signature on a patient request for access and, as far as I can tell, the Federal E-Sign Act does not require an entity to accept an electronic signature, I have to ask: should the rejection of such a signature, when it meets reasonable commercial standards for acceptability, be seen as imposing a burden on individuals seeking to exercise their access rights?
See our blog post on Thursday for more on our experiences submitting electronic requests on behalf of our users with a digital signature.