E-SIGN: What Awaits the Healthcare Industry?
August 2000
I. Electronic Signatures Are Valid
On June 30, 2000, President Clinton signed into law the Electronic Signatures in Global and National Commerce Act (E-SIGN).1 E-SIGN becomes effective on October 1, 2000, and provides that electronic signatures and electronic contracts in interstate commerce may not be denied legal effect merely because they are in electronic form. E-SIGN offers the opportunity for fast, cost-effective transactions across all industries. Given the healthcare industry’s uniquely personal scope, however, traditional contract principles, such as mental capacity and confirmation that one’s consent is informed, will remain critical components of patient-physician-health plan transactions and are not easily replaced in an electronic environment. Accordingly, Congress and individual states (and healthcare lawyers) will, by necessity, need to grapple with the numerous issues raised by the interaction between E-SIGN, existing state health laws, and current and future health industry standards and practices.
E-SIGN provides that contracts involving interstate and foreign "transactions" cannot be invalidated merely because they are "executed" electronically. The Act defines a transaction as "an action or set of actions relating to the conduct of business, consumer or commercial affairs between two or more persons." Congress did not intend to regulate electronic commerce by enacting E-SIGN nor did Congress require that parties enter into any contract electronically. Rather, E-SIGN attempts to enhance the validity of electronically created contracts and records, and reduce the confusion that may exist among parties to an electronic agreement concerning the enforceability of electronically-executed contracts. The Act does not, however, provide any assurances as to the type of authentication procedures that will be sufficient to constitute an electronic signature. Similarly, the Act avoids approving any particular technology, apparently recognizing the impossibility of the law keeping up with the speed at which technology is changing. Consistent with this recognition, E-SIGN broadly defines an "electronic signature" as "an electronic sound, symbol or process attached to or logically associated with a contract or other record and executed or adopted by a person with intent to sign the record."
While protecting the validity of electronic contracts, presumably to benefit electronic vendors and sales of their products and services, the drafters of E-SIGN were careful to provide consumer protections in the legislation. For example, E-SIGN requires that consumers affirmatively consent to participating in an electronic transaction if under applicable law that same transaction would have required a writing in a non-electronic setting. In addition, consumers must be provided with clear and conspicuous statements about the following: (i) their right to obtain a paper version of the record or agreement; (ii) their right to withdraw their consent to participate in the transaction electronically and the process involved in withdrawing such consent; and (iii) the transaction(s) and record(s) to which the consent to electronically participate applies. In addition, businesses that conduct electronic transactions are required to inform their customers of the hardware and software technical specifications that will be necessary to open, read and retain those agreements and records that are executed and/or maintained electronically.
E-SIGN, by its terms, does not apply to numerous transactions, including certain statutes governing wills, codicils and testamentary trusts; statutes governing adoption, divorce and matters of family law; cancellation of utility services; and a host of other consumer-oriented transactions and matters. Surprisingly, E-SIGN does not except from its coverage any healthcare transactions, including those involving informed consent, advance directives, and requests for medical records (all of which seem to involve the same kind of sensitive matters as wills, trusts and similar family law matters). Notably, E-SIGN confirms that it applies to the business of insurance, but explicitly protects insurance agents and brokers from liability arising from deficiencies in electronic procedures so long as the agent or broker has not engaged in negligent, reckless or intentional tortious conduct, has followed applicable electronic procedures, and has not been involved in the development of the electronic procedures. This kind of protection for agents and brokers is perhaps balanced by E-SIGN’s explicit provision that the cancellation or termination of health insurance or benefits is not covered by the Act, the result being that the
purchase of insurance can be done electronically, but its cancellation cannot.
Finally, as discussed below, E-SIGN specifies the extent to which it would pre-empt certain components of state law.
II. Relationship to State Law
By enacting E-SIGN, Congress intended to prevent states from circumventing the main objectives of the Act: to facilitate e-commerce and offer electronic signatures the same legal validity as "wet" signatures. E-SIGN provides that state law will apply (i.e., it will not be pre-empted by E-SIGN) if: (i) the state has adopted the Uniform Electronic Transactions Act (UETA) without any additional restrictions to UETA, or (ii) the state has enacted other procedures permitting the use and acceptance of electronic signatures if such "alternative procedures" do not undermine the intent of E-SIGN. E-SIGN, otherwise, preempts any state law that does not recognize the validity of an electronic contract, record and/or signature with respect to an interstate or foreign transaction. E-SIGN does not, however, prohibit a state from imposing security or privacy measures on the use of electronic signatures, records or contracts as long as the state law does not favor any particular type of technology to implement such security and/or privacy measures.
III. Implications for the Healthcare Industry
E-SIGN is aimed at promoting e-commerce by eliminating any barriers to the validity of electronic signatures and contracts, while maintaining established consumer protections. Nevertheless, as we have observed with the promulgation of proposed privacy regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)2 , the personal nature of healthcare makes its regulation (or de-regulation) substantially more controversial than industries involving traditional consumer goods (e.g., books). The implications to each healthcare industry player will vary, and not only will include the traditional players, such as hospitals, physicians and health plans, but also those e-healthcare companies that conduct their businesses across state lines via the Internet. In particular, the following entities will be affected in the following ways:
A. Hospitals. By ostensibly recognizing the validity of electronic patient registration, patient consent, advance directives, and medical records requests, inter alia, to be rendered over the Internet, E-SIGN represents an opportunity for hospitals to make pre-admission activities easier and do so presumably with less administrative staff, at least in the long run. Conducting these transactions electronically, however, is not without its significant risks such that, in some situations, it may not be reasonable to conduct a transaction electronically. For example, should a hospital obtain consent electronically for any procedure or obtain electronic signatures for advance directives? Can a consent obtained electronically satisfy the requirement that patients be "informed" under state law? Should it? Similarly, until authenticating technology such as retina sensors and other means of authentication is widely available, are these kinds of transactions so important that they should not be permitted to be conducted electronically? Should such transactions be treated under E-SIGN in the same manner as the execution of wills or divorce decrees (i.e., exempt from E-SIGN)? Because the vast majority of the non-Congressional promoters of E-SIGN were technology and Internet companies associated with the promotion of e-commerce generally, the unique characteristics of the health care industry may have been overlooked thereby leaving numerous issues to be addressed by the U.S. Commerce Department when it develops corresponding E-SIGN regulations.
B. Health Insurance and Health Plans. While health insurance companies will be able to provide and obtain completed applications and administrative materials via the Internet, they will not be permitted to cancel or terminate insurance contracts electronically. As a result, what kinds of additional steps will health plans need to take to ensure that their customer base understands the scope of the insurance being provided, particularly if customers conduct business electronically and never have an opportunity to discuss various issues in person with an agent? What kinds of issues will arise for consumers if they are harmed, but cannot hold agents and brokers responsible due to E-SIGN protections for these industry participants?
C. Prescriptions. It appears that E-SIGN has given the electronic transmission of a prescription the same legal significance as an original "paper" prescription. Nevertheless, some states, even those that permit electronic prescriptions generally, still require the presentation of the "original" written prescription before the pharmacist is authorized to dispense certain controlled substances. Given the language and intent of E-SIGN, it is unclear whether a pharmacy still would need to obtain the original prescription before dispensing a controlled substance. The safety and diversion issues relating to many dangerous drugs suggest that Congress, the Drug Enforcement Agency, the Food and Drug Administration, and individual states will need address the apparent gaps among E-SIGN, DEA, FDA and certain state dispensing laws.
D. Group Purchasing Consortia. E-SIGN may help validate contracts electronically signed by group purchasing consortiums, thereby facilitating the enforceability of such agreements. Thus, will electronic signatures make it more likely that an increasing number of hospitals and other healthcare providers will conduct materials management on-line? If so, will purchasers have the same kind of confidence and receive the same level of product and service as they would if the product were purchased in-person and a sales representative made directly accountable?
E. Physicians. Physicians now may be able to "sign" and validate orders and prescriptions remotely, thus offering greater flexibility and opportunities to conduct their practices from multiple locations while maintaining adequate levels of documentation. However, additional opportunities for remote activity bring with them greater potential for medical errors and corresponding liability. As a result, hospitals and their medical staffs will be forced to review and revise their policies concerning completion of medical records, signing of orders and other matters previously conducted "on paper."
Given the sensitive relationship among individuals, their providers, and related health industry players, such as health plans, and the need for privacy and confidentiality, Congress and regulators will need to continue to evaluate these and other implications of E-SIGN. This is particularly important because an electronic signature, in certain instances, will lack the opportunities for verification as compared with a paper contract signed in the presence of the other contracting party (or at least the contracting party’s representative, e.g., a nurse, clerk or physician) and the inherent veracity offered by an individual’s unique "wet" signature.
IV. Relationship to HIPAA
The impact of E-SIGN on certain provisions of HIPAA appears to be relatively clear. Under the proposed HIPAA regulations, individuals have certain rights regarding their health information. Some of these rights involve a requirement to provide individuals with written notices (e.g., notice of policies, procedures and practices regarding the use and disclosure of protected health information) or to obtain written authorizations from individuals (e.g., to permit the use or disclosure of protected health information). E-SIGN attempts to make clear that to the extent HIPAA requires written authorizations or notices, the use of electronic signatures is valid, as long as the individual’s consent to do so electronically is obtained and the other consumer protections mandated by E-SIGN are provided.
It is less clear, however, whether E-SIGN requires an individual’s consent to utilize electronic means to transfer health information, assuming the appropriate authorizations to disclose information have been obtained. Under HIPAA, the Department of Health and Human Services (DHHS) has been charged with developing standards for financial and administrative transactions, and data elements for those transactions, to enable health information to be exchanged electronically. Among the information for which standards are mandated are health claims, health encounter information, health plan enrollments and disenrollments, health plan eligibility, healthcare payment, and referral certification and authorization. In particular, the proposed security regulations promulgated under HIPAA would subject an entity’s use of electronic signatures to specific standards as well, and it seems reasonable to conclude that an entity will remain subject to these HIPAA standards, regardless of any different requirements imposed by E-SIGN.
While the full relationship between E-SIGN and HIPAA should become more clear once the final HIPAA regulations are issued, some concern arises about the interplay between E-SIGN and HIPAA given that the HIPAA standards for disclosure of health information (currently under development) arise from transactions between a consumer, health plan and/or physician and are covered by E-SIGN. The ability to transfer this health information electronically may then be subject to the E-SIGN consent requirements. If so, HIPAA’s goal of "administrative simplification" may be undermined because an individual’s consent would be necessary under E-SIGN before health information validly may be transferred electronically. It appears that DHHS has assigned at least one of its general counsel staff to evaluate the legal issues, if any, in coordinating E-SIGN and HIPAA.
1 S. 761, 106th Cong. (June 30, 2000).
2 Pub. L. No. 104-191, 110 Stats. 1936 (Aug. 21, 1996).
