Memorandum on the Electronic Delivery & Execution of Documents Required under HIPAA – Excerpt from Nelson Mullins LLP Legal Analysis (with the full analysis is available from RPost).
Based on the Nelson Mullins analysis below, Nelson Mullins concludes:
(1) An RPost electronic signature can be used when a signature is required by a document governed by HIPAA, and is as legally enforceable and legally effective as a “wet ink’ signature;
(2) RPost can be used to deliver documents electronically in conformity with the technical safeguard standards of HIPAA relating to the security of electronic communications of electronic PHI; and
(3) Where notification is required by HIPAA and in the great majority of U.S. jurisdictions in which UETA applies, RPost’s core Registered E-mail™ service does provide the sender with legally valid evidence that notice has been accomplished under HIPAA, as long as RPost’s resulting Registered Receipt™ e-mail reports at least successful delivery to the recipient’s mail server.
Secure Electronic Communication and Transmission Requirements under HIPAA
Although the HIPAA Security Regulations specifically contemplate the secure transmission of electronic protected health information (“PHI”), neither the Administrative Simplification provisions of HIPAA nor any of the regulations promulgated under those provisions as of the date of this Memorandum contain any prohibition or requirement of use of electronic delivery of documents governed by HIPAA. The HIPAA Security Regulations strongly encourage covered entities to “[i]mplement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.” Furthermore, such regulations also encourage covered entities to “[i]mplement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”
The security of electronic transmissions containing PHI was considered important by the DHHS. In the draft of the HIPAA Security Regulations published in August of 1998, the DHHS suggested requiring all such communications to be encrypted when transmitted over “open networks” such as the Internet or dial-up lines. The encryption requirement was removed after the DHHS received an “overwhelming majority” of public comments voicing strong objections to the financial and technological burdens associated with mandatory encryption when using any media other than the Internet. Unfortunately, as noted below in the DHHS commentary, the requisite technology for secure electronic communications was not yet widely available when the final HIPAA Security Regulations were released in 2003. The DHHS noted as follows: Thus, we agree that encryption should not be a mandatory requirement for transmission over dial-up lines. We also agree with commenters who mentioned the financial and technical burdens associated with the employment of encryption tools. Particularly when considering situations faced by small and rural providers, it became clear that there is not yet available a simple and interoperable solution to encrypting email communications with patients. As a result, we decided to make the use of encryption in the transmission process an addressable implementation specification. Covered entities are encouraged, however, to consider use of encryption technology for transmitting electronic protected health information, particularly over the internet.
As business practices and technology change, there may arise situations where electronic protected health information being transmitted from a covered entity would be at significant risk of being accessed by unauthorized entities. Where risk analysis showed such risk to be significant, we would expect covered entities to encrypt those transmissions, if appropriate, under the addressable implementation specification for encryption. A “covered entity” is one or more of the following types of entities: (a) a health care provider that transmits any health information in electronic form in connection with a transaction covered by HIPAA; (b) a health care clearinghouse; or (c) a health plan. 45 CFR § 160.103.
Although its technology was developed in other contexts, RPost’s technology appears to be particularly well positioned to satisfy HIPAA’s technical safeguard provisions regarding the preservation and secure transmission of electronic PHI. RPost’s Registered E-mail™ messages may be sent using RPost’s end-to-and encryption service, and such PHI is not stored on a central server controlled by the Company. The company’s Registered Receipt™ e-mail includes an encrypted copy of a sender’s original message and all attachments as they were received by the recipient’s server. Anyone in possession of that receipt, as attested by the Company, is able to verify the authenticity of the data it contains by sending a copy of the receipt to an e-mail address controlled by the Company where the Company’s cryptographic methods are used to determine if information in the receipt has been altered, employing hash algorithms and RSA/PKI signatures. Once verified as authentic, RPost regenerates the validated electronic original e-mail and all attachments and returns a copy to the sender (or recipient, or both as an option).
Because neither HIPAA nor any of the regulations promulgated under it specifically address the use of electronic signatures and HIPAA is not specifically excluded from ESIGN or UETA, UETA would apply to electronic signatures used in intrastate transactions in UETA states and the provisions of ESIGN would apply to electronic signatures used in interstate transactions and in non-UETA states if the laws of those states were inconsistent with ESIGN. Specifically, Section 7(a) of UETA and Section 101(a) of ESIGN state that a signature may not be denied legal effect or enforceability solely because it is in electronic form. Therefore, an RPost electronic signature can be used when a signature is required by a document governed by HIPAA, can be as legally enforceable against the signing party as would a “wet ink” signature and can be legally effective under HIPAA.
With respect to the electronic delivery of documents governed by HIPAA, the HIPAA Security Regulations specifically contemplate the secure transmission of electronic PHI, but neither the administrative Simplification provisions of HIPAA nor any of the regulations promulgated under those provisions as of the date of this Memorandum contain any prohibition or requirement of use of electronic delivery of such documents. Accordingly, the RPost’s technology can be used to deliver such documents electronically in conformity with the technical safeguard requirements of the HIPAA Security Regulations relating to the integrity and security of electronic communications of electronic PHI. Finally, where notification is required by HIPAA and in the great majority of U.S. jurisdictions in which UETA applies, RPost’s core Registered E-mail™ service does provide the sender with legally valid evidence that notice has been accomplished under HIPAA, as long as RPost’s resulting Registered Receipt™ e-mail reports at least successful delivery to mail server.