the signer execute or adopt a sound, symbol, or process with the intent to sign the record. Additionally, UETA requires that the electronic signature be linked or logically associated with the electronic record being signed.
UETA makes clear that anything electronic would suffice, including voice recordings, Web browser clicks, and other symbols or keystrokes to indicate intent. Under UETA, any type of digital information could be considered to be either a signature or a record, with the totality of all the circumstantial evidence—both digital and real world—both relevant and necessary 5 .
State Law
Individual states may have laws or regulations defining authorization content or limiting the time period for which an authorization may be valid. For example, some state laws require that authorizations to disclose HIV records are separate and apart from any other authorizations an individual may sign for release of protected health information. When such laws or regulations exist, consult section 160 of the HIPAA Privacy Rule to determine how to apply the preemption requirements.
Invalid Authorizations
The privacy rule declares any authorization invalid with the following defects:
l The expiration date or event has passed or already occurred l The authorization is missing one or more items of content described above l The authorization is known to have been revoked l The authorization violates a Privacy Rule standard on conditioning or compound authorizations l Material information in the authorization is known to be false
Perhaps one of the unintended consequences of the Privacy Rule is that handwritten, patient-generated authorizations may often be invalid under the rule, as most do not contain an expiration date or a statement about the individual’s right to revoke the authorization. To minimize the number of invalid authorizations received, the covered entity may wish to include a blank copy along with other materials provided to patients at the time of admission or may want to post its authorization form on its website and encourage individuals to review or complete prior to arrival. Covered entities also may want to provide instructions for obtaining the authorization form on appropriate automated telephone messages. In addition, covered entities may find it beneficial to distribute new authorization forms to organizations that routinely request patient health information, such as local law firms, insurance companies, and law enforcement agencies.
Recommended Practices
Privacy and security experts recommend HIPAA-covered entities adhere to the following practices:
l Study both federal and state requirements for authorizations l Draft an authorization form that complies with federal and state laws and regulations (see “Sample Authorization to Use or Disclose Health Information,” in appendix A) l Ask the risk manager and legal counsel to review your draft authorization form l Update or generate new policies and procedures relative to the new authorization l Order appropriate quantities of the approved authorization form l Educate and train staff
Copyright © 2013 by The American Health Information Management Association. All Rights Reserved.
Powered by FlippingBook