It goes without saying that social distancing has changed everything, in both our personal and work lives. When we are doing as much as we can remotely – including going to the doctor – health information management (HIM) leaders need to quickly find ways to keep Protected Health Information (PHI) confidential even when we cannot collect traditional, signed authorizations. As HIM professionals, it’s critical for us to establish or refine our policies and procedures so that they define a protocol for accepting remote requests and authorizations that enables secure PHI access and disclosures without barriers to patient PHI access.
That’s where “electronic” signatures come in.
Since 2000, electronic signatures have been permitted and legally enforceable, but until now, many healthcare organizations have relied on physical signatures in an effort to better protect patient confidentiality. In today’s environment, accepting electronic signatures is no longer optional – it has become the norm for the foreseeable future. To support continued PHI access during COVID-19, HIPAA has softened its guidelines related to alternative forms of signatures, which include:
- Digital signatures use a mathematical algorithm to verify the signer and to secure the document against tampering; a certificate authenticates the signer (e.g., Verisign, DocuSign)
- Electronic or e-signatures can be captured in several ways, including a scanned image of a person’s ink signature, handwritten signature created with a stylus, fingertip, or mouse on a screen, or a checked “I agree” box with the name or initials typed in afterwards; e-signatures are easy to use, but are less authentic and cannot be verified
- Voice signatures use a recorded verbal agreement instead of a handwritten signature, usually involving a series of questions that the signer must answer before the voice signature is applied
If voice signatures are permissible, are verbal requests acceptable for releasing PHI?
The short answer is yes. Accepting verbal requests is the decision of the healthcare provider (see OCR FAQs). But if you decide to accept verbal requests, it’s imperative that you define what information is required for a valid verbal request and the authorization.
Verbal requests should include the same information captured on your authorization form. For our clients who accept verbal requests, Ciox requires our release of information (ROI) specialists to document the following information (at a minimum):
- Date of the verbal request
- Description of the records to be disclosed, including dates of service
- Method of delivery
- Address where information is to be sent
- If requested by a patient’s representative, a description of the relationship and authority of the representative must be provided
When accepting voice signatures, clear guidance must be outlined on what specific information is required to verify the identity of the person who is giving the verbal authorization. The required information must be found in the medical record, such as date of birth, home address, and/or telephone number.
Tip from Ciox Compliance Team
As part of the verification process, include a question about something that is unique to the requester – something even their spouse wouldn’t know. This ensures that no one but the patient can authorize the release of their PHI.
Protecting patient privacy and ensuring regulatory compliance are critical components of ROI and the disclosure of PHI. The continuous review and refinement of policies and procedures is essential, as situations like today’s COVID-19 pandemic highlight. Balancing adaptability to a more virtual environment with the rigor needed to keep protecting patient privacy is the key to successfully managing compliant, secure ROI operations.