Developers and HIPAA

HIPAA E-Signature Compliance

We are developing an iOS App that will be used by a collaborative group of agencies that provide care services to members of the community. Most agencies are Medicaid paid related but the cooperative includes non-healthcare community agencies that are 'referral partners'. If a member of a participating agency engages a member of the community that needs some form of care, the agency uses our App to complete a Referral Application for the Client/Patient.

The referral application may include a 'signed release' from the Client/Patient that authorizes members of the cooperative to collaborate and direct the Client/Patient to the agency/agencies that can help them. The Client/Patient signs the referral application by drawing their signature using their finger on the App screen. The signed release is a PDF file. There is also a related Intake form that the Client/Patient may sign later during their care program. Signing is much like what a patient would do in a doctor's office using a dedicated signature device, except that we're using an iOS-based device (e.g., iPhone) in the field used by a referral partner (i.e., agency member of the cooperative).

The electronic signature standard (https://aspe.hhs.gov/report/nrpm-security-and-electronic-signature-standards/electronic-signature-standard) indicates to use a digital signature. However, the Client/Patient is the signature authority. As such, it's not possible or practical to obtain a Document Signature certificate that can be used to digitally sign the document (e.g., release agreement) using the App, because the private key would not have been issued to the Client/Patient. However, an option could be to digitally sign the document via our servers (i.e., proxy server for Client/Patient) to certify that the document has not changed once signed; but the 'signature authority' would be our server and not the Client/Patient. By the way, I suspect that DocuSign gets around this problem with e-signatures by using email as a way to authenticate the signer (i.e., email document to be signed by client).

If the signed document is digitally signed by our servers (i.e., proxy server for digital signature) and stored, is this process compliant with the electronic signature standard for signing the Release Agreement and optional Intake form for the Client/Patient? If not, what alternatives are available using an iOS-based App that is running on an iPhone that does not belong to the Client/Patient (keep in mind that we could take a picture of the client's driver's license at time of signature if that helps)?

Question No. 100