Electronic signatures can be legally valid to execute documents that require written signatures, and electronic documents can be legally valid when applicable laws require documents to be in writing.
However, healthcare providers continue to make basic errors when attempting to implement electronic signature protocols. These errors often occur within the context of healthcare providers attempting to ensure an accurate and complete medical record, institutions streamlining the patient consent process, and medical staff offices managing provider credentialing. A misstep can result in material liability if a dispute arises.
The following eight "rules of the road" are intended to assist healthcare providers in implementing and modifying e-signature protocols.
1. Clearly display the terms. Make sure that the relevant terms are clearly displayed to the party issuing an electronic signature. Courts don't look favorably upon parties making supposedly binding provisions intentionally difficult to read. Electronic agreements should be in reasonably sized fonts and should be easy to read. Further, the document should not be displayed in a tiny window that shows only a few lines of text at a time.
2. Clearly demonstrate consent. Your e-signature process should clearly demonstrate that the patient was aware that he or she was consenting to the matter at issue. First, the act of e-signing itself – whether it's checking a box, signing with a fingertip or some other method – should be a distinct action that is clearly presented as a consent acknowledgement to the party issuing the signature, rather than allowing the users to proceed by clicking only a generically labeled "Continue" or "Next" button. Second, you should inform the patient of the consequences of his or her e-signature in close proximity to the e-signature itself, for example, by placing the statement "by clicking here, you agree that..." directly next to a "click to agree" checkbox.
3. Provide an option to print or receive an emailed copy of the terms. Both the Uniform Electronic Transactions Act (UETA), which is the law in 47 states, and the federal Electronic Signatures in Global and National Commerce Act (E-Sign), which is the federal electronic signature law, require that electronic records be "retrievable" by both parties. In addition, the Uniform 1-4 Electronic Transactions Act specifically states that contract terms will not be enforceable against a person if he or she was inhibited from printing or storing the electronic record.
4. Keep a record. Record the date, time, user identification (name, email, username, etc.), and document version to which the user agreed. It does little good to obtain the user's consent if you can't prove it later when a dispute arises.
5. Avoid "browsewrap" and unilateral updates to agreements. This should be obvious, given the above, but "browsewrap" agreements – in other words, simply making your terms available via a link on your website without requiring the user to see them or agree to them – generally are unenforceable and offer little, if any, protection. In addition, avoid language stating that you can unilaterally update the terms of the agreement without providing the user notice or obtaining the user's consent. While it may be tempting to give yourself the power to make unilateral updates, if the contract is not binding on one party (and it's not binding on you if you can change it at any time), there is a great likelihood that it will be found not binding on anyone. If you want to update your contract, you need to notify the user of the updates and obtain consent again.
6. Verify identity. Best practice is to verify that the person who is "clicking to agree" is the person identified on the electronic document, and not the person's child or assistant, or an outright stranger. This will help you avoid arguments about whether the person who entered into the agreement actually had the authority to do so. There are a variety of ways to do this, depending on the level of certainty you're trying to achieve. The easiest way to verify identify is to implement a username and password authentication mechanism. Alternatively, users can answer questions to which only they should know the answers (there are services that will do this for you, often using information from the person's credit report). Another method of verification is to otherwise communicate with the person, either via email or phone, to validate the individual's identity. Finally, providers could use specialized software from companies like Docusign or Adobe.
7. Observe the "in writing" requirement. As mandated by the federal E-Sign Act, if a law requires you to provide disclosures or other information to a consumer "in writing," then before making that disclosure electronically, you should do the following.
a. Provide the consumer with a conspicuous statement of:
i. Any right or option to have the record in non-electronic form,
ii. The right to withdraw consent to have the record provided electronically and consequences of withdrawal such as termination or fees,
iii. Whether the consent applies to just that record or will be used generally,
iv. Procedures to withdraw consent or update the consumer's contact information,
v. The consumer's right to get a paper copy, including how to obtain it and any fees that will apply, and
vi. The hardware or software requirements necessary to receive the electronic disclosure.
b. Obtain the consumer's consent to receive these disclosures electronically in a manner that reasonably demonstrates that the consumer will be able to access the information in electronic form.
i. The best practice for PDFs is to provide a code in the PDF for the user to enter into a website (i.e., the user must have read the PDF to find the code to enter), but this may be overly burdensome on the patient.
ii. Another common practice is to have users verify through email or other means that they received and were able to access the information.
8. Consider other applicable law and guidance. Providers should consult with legal counsel to ensure that their electronic signature programs comply with applicable law and guidance. For example, with respect to human subject research, the U.S. Department of Health and Human Services' Office of Human Research Protections has indicated that the use of e-signatures requires the applicable IRB to consider three factors: (1) the creation of the e-signature, (2) whether the signature can be shown to be legitimate, and (3) whether the consent can be produced in hard or paper copy for review by the potential subject.
Similarly, the Medicare conditions of participation for hospitals provide that all patient medical record entries must be legible, complete, dated, timed and authenticated in written or electronic form by the person responsible for providing or evaluating the service provided, consistent with hospital policies and procedures. A surveyor auditing the hospital for compliance with this standard will assess a number of factors, including whether the hospital has a means for verifying written and electronic signatures, written initials, codes, and stamps when such are used for authorship identification. For electronic medical records, the surveyor will ask the hospital to demonstrate the security features that maintain the integrity of entries and verification of electronic signatures and authorizations, examine the hospital's policies and procedures for using the system, and determine if documents are being authenticated after they are created.
The McGuireWoods healthcare and technology and outsourcing practice groups combine to offer an experienced team able to manage the complex information technology challenges facing all sizes and varieties of healthcare companies. With the resources of a full-service law firm, we draw on an extensive knowledge base of best practices and an intimate familiarity with major healthcare IT vendors' market positions and business objectives. McGuireWoods' technology and outsourcing and healthcare attorneys are dedicated to supporting clients in a broad range of matters, including procurement, development, deployment and outsourcing of information technology.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.