HIPAA: Life insurance company requests

From HcPro's free weekly newsletter HIPAA Weekly Advisor; check out their premium m monthly newsletter Briefings on HIPAA:

Q: Life insurance companies frequently request medical records from our family practice, and many now use electronic patient signatures. We compare the actual patient signature with the electronic signature as part of our HIPAA security procedures. Are electronic signatures acceptable? How can we determine whether life insurance companies have implemented appropriate security practices to prevent the theft or inappropriate use of electronic signatures?

A: Electronic signatures are acceptable and are subject to federal and many state laws. However, do not confuse electronic signatures with digital signatures. An electronic signature is usually an image file or picture of an individual’s signature.


A digital signature uses a form of encryption called public key infrastructure and clearly identifies the individual signer to the extent of providing nonrepudiation protection that prevents someone from later asserting, “I didn’t sign that.”


Electronic signatures were never designed to be secure. Federal and some state laws permit their use in place of a pen-and-ink signature. But forging an electronic signature simply by copying and pasting the image file into another document is relatively easy. Also, electronic signatures are not acceptable for certain transactions in some states. Signing authorizations to release medical information is one example. Review your state’s laws to determine when you may use an electronic signature.


HIPAA does not apply to the security practices of life insurance companies. However, state law pertaining to identity theft might apply.


A formal statement from a life insurance company regarding its security practices is probably the only assurance you can expect to receive, and it may be difficult to obtain.


However, your practice may refuse to accept electronic signatures (as opposed to digital signatures) because of security concerns about releasing patient information without valid authorization.


Editor's note: Chris Apgar, president of Portland, OR-based Apgar & Associates, LLC, answered this question. This is not legal advice. Consult your attorney with respect to  legal matters.


Have questions? I’m here to help.

This field is for validation purposes and should be left unchanged.