Electronic signatures and privacy

Electronic signatures and privacy legislation

Privacy legislation is extremely important. It protects our personal information from being sold and misused. Every day at Medchart, privacy and security are our number one priority.

What we want to talk about today is using electronic signatures for releasing personal health information. There is considerable misunderstanding related to both federal and provincial legislation regarding providing an "original" signature as authorization for releasing sensitive personal health information. Read on to learn exactly what parts of our country's legislation ensure patients have convenient and transparent access to their own health information, including with the use of electronic signatures.

Should you accept electronic signatures (esig) for medical record requests?

Yes.

In situations where a patient consent signature is required (e.g., for release of information), an electronic signature is generally treated by the legislation and the relevant regulatory bodies as equivalent to a handwritten signature. Section 11(1) of the Electronic Commerce Act, which applies to the Personal Health Information Protection Act, outlines the validity of electronic signatures:

11 (1) Subject to subsections (3) and (4), a legal requirement that a document be signed is satisfied by an electronic signature. 2000, c. 17, s. 11 (1).

Reference: https://www.ontario.ca/laws/statute/00e17

Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), a secure electronic signature must be under the sole control of the person making the signature; the technology or process used to make the signature must be under the sole control of the person making the signature; that specific technology or process must have the capability to be used to identify the person; and the electronic signature can be linked with an electronic document in a way that will allow one to determine if the document has been changed since the signature was attached to it.

Our federal privacy legislation ensures convenient access through electronic signing so long as that technology is under the control of the patient, can be used to identify the patient, and has an audit trail of any changes.

DocuSign's eSignature service is an example of such a technology that meets the above privacy requirements for electronic signature, making it fully compliant and accepted for use in healthcare across Canada.

What if an organization requires an "original" hand-signed document?

The answer is still ... Yes.

If an institution asks for an original document in writing (i.e., ink signature) sent by mail, then the legal requirement for those documents is satisfied by the electronic document.

Let's dive back into the Electronic Commerce Act, which applies to the Personal Health Information Protection Act. Sections 6(1), 7(1), and 8(1) outline requirements for providing information or a document in writing:

6. (1) A legal requirement that a person provide information or a document in writing to another person is satisfied by the provision of the information or document in an electronic form that is,
(a) accessible by the other person so as to be usable for subsequent reference; and
(b) capable of being retained by the other person. 2000, c. 17, s. 6 (1).

7. (1) A legal requirement that a person provide information or a document in a specified non-electronic form to another person is satisfied by the provision of the information or document in an electronic form that is,
(a) organized in the same or substantially the same way as the specified non-electronic form;
(b) accessible by the other person so as to be usable for subsequent reference; and
(c) capable of being retained by the other person. 2000, c. 17, s. 7 (1).

8. (1) A legal requirement that an original document be provided, retained or examined is satisfied by the provision, retention or examination of an electronic document if,
(a) there exists a reliable assurance as to the integrity of the information contained in the electronic document from the time the document to be provided, retained or examined was first created in its final form, whether as a written document or as an electronic document; and
(b) in a case where the original document is to be provided to a person, the electronic document that is provided is accessible by the person so as to be usable for subsequent reference and capable of being retained by the person. 2000, c. 17, s. 8 (1).

Reference: https://www.ontario.ca/laws/statute/00e17

In all cases, a requirement in legislation or institutional policy for handwritten or "original" information and documents is equally satisfied by an electronic document if there is a record accessible for reference.

The Electronic Commerce Act clearly outlines the validity of electronic documents in Section 4:

4. Information or a document to which this Act applies is not invalid or unenforceable by reason only of being in electronic form. 2000, c. 17, s. 4.

Reference: https://www.ontario.ca/laws/statute/00e17

Regardless of whether an institution has a policy regarding the use of electronic signatures, and even if it has a policy against accepting electronic signatures, provincial legislation clearly outlines that electronic documents are equivalent and cannot be rejected for being in an electronic form.

At Medchart we use DocuSign's privacy-compliant eSignature service for every authorization for release of information. This ensures we maintain the highest level of convenience, privacy and security for patients.