Right now electronic signatures might seem like a distant memory for pharmacists, from a time, back in the pre-COVID-19 era, when things were “normal.”  For so long, the relatively simple practice of capturing a patient’s signature to validate a pickup was just a routine, expected part of the point-of-sale process.

That all changed though, in late March, when the Centers for Medicare & Medicaid Services (CMS), followed by pharmacy benefit managers (PBMs) issued guidance urging all states, including boards of pharmacies and Medicaid agencies, to temporarily waive proof-of-receipt and signature delivery requirements.  As the CMS noted in its guidance, “requiring a patient signature for receipt of medication could undermine current public health efforts to combat the spread of coronavirus.”

Since then, home deliveries, curbside pickups and contactless transactions have become the preferred methods of prescription transactions, with most signature pads safely tucked away for another day.

When that day will come seems far away, as the pandemic shows no sign of abating and pharmacies focus their efforts on finding increasingly creative ways to prioritize patient and staff safety.

But when pharmacies return to the day when prescription pickups require signatures, pharmacists will be reminded that electronic signatures require compliance with multiple legislative and regulatory requirements, and that when it comes to the law, not all signatures are the same.

As confusing as this may seem, pharmacy managers can be assured that technology providers have kept pace with signature requirements, and that certain systems, including PrimeRx™ from Micro Merchant Systems, offer solutions that are easy to use, ensure seamless storage, facilitate regulatory compliance, and can be portable, for use with handheld devices.

First though, a quick overview of the legislative requirements affecting electronic signatures.

E-Signatures – Legislative History

E-prescribing for non-controlled substances became legal in all 50 states in 2007.  But the 2008 development of what today is known as the “Surescripts  Network Alliance,” a national network that ensures seamless and secure transmission of prescription data, facilitated the process and helped drive its growth.  Today, roughly 80 percent of all prescriptions are transmitted electronically.

But the stage had been set for health-related electronic signature capture years before, with the enactment of three specific pieces of legislation:

• The Electronic Signatures in Global and National Commerce Act (E-SIGN) (2000)
• The Uniform Electronic Transactions Act (UETA) (1999)
• Health Insurance Portability and Accountability Act (HIPAA) (1996).

Following is a brief overview of each:

 Electronic Signatures in Global and National Commerce Act (E-SIGN)

E-SIGN was signed into law in 2000 by President William Clinton.  According to the National Telecommunications and Information Administration (NTIA), E-SIGN essentially established the validity of an electronically signed document, and invalidated prior legislation requiring written documents.

An important tenet of E-SIGN, was the establishment of an official definition of an electronic signature.  According to the law, “the term ‘electronic signature’ means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.”

According to analysis by FindLaw, the law does not mandate use of a particular technology, but instead “allows the parties to select the method of authentication that best suits their needs and security concerns.”

• Uniform Electronic Transactions Act (UETA)

UETA actually preceded E-SIGN, and was adopted by the National Conference of Commissioners on Uniform State Laws (NCCUSL) in 1999.  NCCUSL recommended UETA to the states as model legislation for regulation of electronic transactions and to date, UETA has been adopted by 47 states.  Only New York, Illinois and Washington have not adopted UETA but, according to Thomson Reuters, each has enacted similar laws.

Analysis by DocuSign notes “both UETA and the E-SIGN Act have four major requirements for an electronic signature to be recognized as valid under U.S. law.”  Those requirements include:

1. Intent to sign – Electronic signatures, similar to traditional “wet” signatures, are only valid if each party intended to sign.
2. Consent to do business electronically – Each party to the transaction must consent to do business electronically. As the analysis explains, establishing a consumer’s intent is only possible when the consumer has:
   1. Received a consumer consent disclosure
   2. Affirmatively agreed to use electronic records, and
   3. Not withdrawn such consent.
3. Association of signature with the record – In order to qualify as an electronic signature under ESIGN and UETA, the system used to capture the transaction must keep an associated record that reflects the process by which the signature was created, or generate a textual or graphic statement (which is added to the signed record) proving it was executed with an electronic signature.
4. Record retention – U.S. laws on electronic signatures and electronic transactions require that electronic signature records be capable of retention and accurate reproduction for reference by all parties or persons entitled to retain the contract or record.

While both UETA and E-SIGN apply to contracts and transactions executed across a broad scope of industries, the need for requirements specific to the healthcare industry was addressed through provisions included in the Health Insurance Portability and Accountability Act (HIPAA).

• Health Insurance Portability and Accountability Act (HIPAA)

HIPAA was signed into law  in 1996 by President William Clinton, and according to the HIPAA Journal, a key aim of the original legislation was to improve the portability of health insurance coverage – ensuring employees retained health insurance coverage while between jobs.  The law was subsequently modified to address patient privacy, most notably through enactment of the HIPAA Privacy Rule which became effective in 2003, and the HIPAA Security Rule which took effect in 2005.

A key pillar of HIPAA is the determination of  acceptable uses and allowable disclosures of protected health information (PHI).  With regard to pharmacies, the HIPAA Journal notes that the statute “sets standards for the secure storage and transmission of PHI, and gives patients the right to obtain copies of their PHI.  “HIPAA compliance for pharmacies is not an option,” the Journal advises.  “The penalties for failing to comply with HIPAA can be severe.”

Among the law’s pharmacy-related provisions, is the requirement that all patients be provided with a copy of the pharmacy’s “notice of privacy practices,” and for patients to acknowledge receipt of that notice via a signature.  More specifically, the pharmacy must make a “good faith effort” to obtain the patient’s signature, and to document instances in which the patient either refused to sign, or due to extenuating circumstances, was unable to provide a signature.

HIPAA does not explicitly authorize the use of electronic signatures but, according to the HIPAA Journal, the practice is generally allowed, “provided that mechanisms are put in place  to ensure the legality and security of the contract, document, agreement or authorization, and there is no risk to the integrity of PHI.”

More specifically, the Department of Health and Human Services (HHS) website offers the following guidance:  “Currently no standards exist under HIPAA for electronic signatures.  In the absence of specific standards, covered entities must ensure any electronic signature used will result in a legally binding contract under applicable state or other law.”

Despite the absence of statutory language, HIPAA offers guidance for “conditions necessary for e-signatures,” which builds on provisions outlined in E-SIGN and UETA.  Those conditions include:

• Legal compliance: The document, agreement or authorization must not only comply with all provisions of E-SIGN, but must also clearly demonstrate the terms, intent of the signatory, and provide the option for the signatory to receive a printed or emailed copy of the document.
• User authentication. A system must be in place to validate the identity of all transacting parties.  This may include mechanisms such as two-step verification, specialized e-signature software, and answers to “secret” questions.
• Message integrity. A system must be in place to prevent digitally tampering with documents after signing.
• Non-Repudiation. In order to ensure that the signatory cannot deny having signed the agreement, e-signatures used under HPAA rules should have a timestamped audit trail indicated dates, times, location and the chain of custody.
• Ownership and control. In order to ensure the integrity of PHI, all evidence supporting the e-signature should be on the same document under the ownership and control of the covered entity.  All other copies – except those provided for the signatory – should be shredded.

Not surprisingly, the complexity of these three statutes caused a degree of confusion among pharmacy managers and other stakeholders.  Which is why a recommendation offered by FindLaw attorneys seems to make sense:  “There is one safe rule to follow when determining which laws or regulations govern a particular healthcare transaction involving the use of electronic records or signatures:  Closely consider all of them.  Assuming each is consistent with E-SIGN, it is highly likely each will apply.”

Signature “Differentiations”

As pharmacy managers consider implementing a compliant signature collection process, it is necessary to understand the different types of “signatures” that may need to be incorporated.  These  different categories, as defined by the National Council for Prescription Drug Programs (NCPDP), include:

• Wet signature. A wet signature refers to an original signature handwritten in ink on a piece of paper.
• Electronic signature. As the above discussion indicated, the E-SIGN legislation defines an electronic signature as an “electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.”
• Digital signature. A digital signature is defined as the capture of a wet signature, which is reproduced electronically to create a computer-generated signature.  A digitized signature resembles a wet signature, but rather than being handwritten in ink on paper, is computer-generated.

The NCPDP makes a few distinctions with regard to these different signature categories:

• A digital signature is a type of electronic signature, but not all electronic signatures are digital signatures.
• For electronic prescribing of non-controlled substances, an electronic signature as defined by E-SIGN and/or state boards of pharmacy rules is required.
• For electronic prescribing of controlled substances, more specific digital signature requirements are defined by DEA regulations.
• Wet signatures are not an acceptable authentication method for electronic prescribing. This is because wet signatures can easily be produced by unauthorized individuals, which therefore presents a security risk.
• Digitized signatures are not acceptable authentication methods for electronic prescribing and according to NCPDP, are expressly prohibited by many state boards of pharmacy. As NCPDP notes, “Digitized signatures are typically captured ‘one-time’ and pre-programmed to appear on every printed document where a signature is required – a process similar to a ‘rubber signature stamp.'”

Technology Considerations in Selecting a Pharmacy Electronic Signature Solution

The typical pharmacy manager would not be alone in wondering how to implement an electronic signature program that satisfies these complex requirements.  In fact, there are many pharmacy management systems that offer electronic signature functionality.

But not all have the same functionality, which means a pharmacy manager must take the time to carefully consider the capabilities and attributes of each system.

PrimeRx™ is a good example of a technology solution that is highly responsive to changing pharmacy needs, and continually offers innovative approaches for better, more efficient workflow management.   PrimeRx™ serves as the core processing center, through which key pharmacy management systems and processes are accessed.  But a suite of services, which seamlessly integrate with PrimeRx™, provide access to a wide range of processes and services.

With regard to electronic signature capture, PrimeRx™ capabilities include:

• Seamless integration with Surescripts. Surescripts is the dominate provider of electronic health record management systems, and a vital partner in linking doctors, payers, and pharmacies.  PrimeRx™ interfaces with the Surescripts Network Alliance to ensure seamless transmission of electronic prescriptions and timely, accurate processing of patient information.
• Certification for NCPDP SCRIPT Standard 2017071. E-prescribing took a big step forward in early 2020, when SCRIPT Standard 2017071 became mandatory.  The new standard includes several enhancements to the prior SCRIPT Standard 10.6 including improved digital signature capabilities, to facilitate electronic prescribing of controlled substances.  Micro Merchant Systems was among the first pharmacy systems certified for the new standard, and as a result, PrimeRx™ system users were among the first to benefit from the improved functionality.
• Tablet/iPad capability. No longer  must pharmacy staff be tethered to a point-of-sale electronic signature pad.  Instead, PrimeRx™ allows electronic signature functionality via a tablet or iPad.  This feature is especially helpful for home deliveries, and in managing pharmacy drive-thru windows.
• Records management. PrimeRx™ automatically captures all signatures, and adds them to each patient’s record.  The system allows pharmacy managers to easily retrieve signature logs, which allows for easy compliance with PBM audit requests and internal reporting needs.  In addition, pharmacy staff can have immediate access to patient signature records, and provide requested information upon request, per HIPAA requirements.
• Signature Validation. Consistent with HIPAA requirements, signatures are automatically date/time stamped at point of collection.  Signatures can easily be collected for a wide range of pharmacy purposes including:
  • HIPAA requirements
  • Easy-off cap requests
  • Counseling
  • Third party release authorizations.
• Data encryption/Security. PrimeRx™ offers the highest levels of security, which include encryption of all data, and strict log-in protocols for all system users.
• Ease of use. Perhaps as important as the signature capabilities offered in PrimeRx™, are the user-friendly interfaces that allow pharmacy staff to quickly and easily take advantage of this functionality.  Electronic prescriptions seamlessly arrive in the pharmacy’s workflow, with “flags” raised for those prescriptions requiring a patient signature.  The system automatically tracks those prescriptions, and once a signature is recorded, it is seamlessly added to a patient record, and to the pharmacy’s overall signature log.
• Remote signature capability. The system’s PrimeDELIVERY™ in-house/wireless delivery module includes a new remote signature capability.  Through this feature, a prescription can be delivered to a patient’s residence, even if the patient is not available to sign for the package.  Instead, an advance electronic signature request is sent to the individual, through the PrimeDELIVERY™ module.  The patient then provides an electronic signature that is automatically transmitted back to the pharmacy and uploaded to the patient record.

Patient signatures serve an important purpose, and electronic signature capability facilitates the efficiency of the collection process.  Once pharmacies return to regular protocols, and are again required to capture patient signatures, pharmacy managers will find technology has kept pace, with solutions to ensure fast, accurate and non-intrusive signature collection processes.