Question:
We have a patient who has a third party assisting him with care. We sent the patient an ROI and the third party returned it to us with digital signatures and digital initials. Is this document legal or do the signatures and initials need to be handwritten and submitted by the patient instead of the third party?
Answer:
Digital signatures can be in compliance with HIPAA if certain criteria are met. This includes things like user authentication (i.e., validating that the person signing is actually them, e.g., two-step verification), message integrity (e.g., preventing editing the agreement after it's been signed), and non-repudiation (an audit trail indicating dates/times/chain of custody so a signatory cannot deny having signed the agreement). See this Resource Guide for more information.
It sounds like the above criteria have not been met in this case, so we would not recommend using digital signatures for this ROI. That being said, the HIPAA Privacy Rule allows you to make disclosures without the individual's authorization if, in your professional judgment, it is in their best interest. If this is the case here, you wouldn't need an ROI signed. But if you'd like one on file for this third party, we'd recommend a wet signature or using HIPAA-compliant digital signature software.
____
The Real Talk article series includes real customer questions and our answers. Since these are questions directly from actual clinics, practices, hospitals, and businesses, we thought you might have these questions too. We hope that you find this format helpful. Stay tuned for more Real Talk - your question might even be featured!