MSU HRPP Manual Section 6-4-H
Electronic Signature
Electronic Signature
Use of electronic methods to capture the signature of the person signing the informed consent document is permitted if such signatures are legally valid within the jurisdiction where the research is to be conducted. If electronic methods are used, a copy of the informed consent must still be provided to the person signing the consent form. See HRPP Manual 6-4-G “Electronic Consent” for requirements regarding use of electronic consent.
Researchers should be aware that while the Institutional Review Board (IRB) may find that electronic signature is permissible, if the study involves U.S. Health Insurance Portability and Accountability Act (HIPAA) or Family Educational Rights and Privacy Act (FERPA), the covered entity or the educational institution may prohibit use of electronic signature.
MSU’s Office of the General Counsel will be consulted as needed if questions arise regarding legal requirements for electronic signature.
Uniform Electronic Transactions Act
In Michigan, the Uniform Electronic Transactions Act (Act 305 of 2000) authorizes and provides the terms and conditions under which information and signatures can be transmitted, received, and stored by electronic means. Electronic means relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities. Electronic signature means an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.
If research is conducted in Michigan, electronic signatures would be considered legally valid if such signatures complied with the Uniform Electronic Transactions Act. Most other States in the United States have also adopted the Uniform Electronic Transactions Act. If the research takes place in another state or country, that jurisdiction’s requirements for what constitutes a legally valid signature would apply. The MSU Office of the General Counsel may be consulted as needed.
Under the Uniform Transactions Act, an electronic signature must be attributable to a person. The electronic signature is attributable if it is the act of the person signing the consent. The act of the person signing the consent may be shown in any manner, including a showing of efficacy of any security procedure applied to determine the person to which the electronic signature was attributable. The effect of the electronic record attributed to the person signing the consent is determined from the context and surrounding circumstances at the time of its creation, execution, or adoption, including any agreements of the parties, and otherwise provided by law.
Family Educational Rights and Privacy Act (FERPA)
If the study is subject to FERPA, the educational institution’s requirements for electronic signature would apply.
U.S. Health Insurance Portability and Accountability Act (HIPAA)
If the study is subject to HIPAA, HIPAA authorizations may be obtained electronically, provided that the signature of the subject (or the subject’s personal representative) is a valid electronic signature under applicable laws and regulations. The Electronic Signatures in Global and National Commerce Act (E-Sign Act) (Public Law 106-229) addresses what constitutes a valid electronic signature and provides that a signature may not be denied legal effect because it is in electronic form.
If the study is subject to the HIPAA, the covered entity’s requirements for electronic signature would apply to signed HIPAA authorizations.
U.S. Food and Drug Administration
If the study is regulated by the U.S. Food and Drug Administration, the use of electronic signature must also meet the requirements under 21 CFR 11. In order to be considered equivalent to full handwritten signatures, electronic signatures must comply with all applicable requirements under 21 CFR part 11. The electronic system must also capture and record the date that the person signed the consent document.
Methods to Create Electronic Signatures
The regulations found at 21 CFR part 11 permit a wide variety of methods to create electronic signatures, including using computer-readable ID cards, biometrics, digital signatures, and user name and password combinations. The FDA does not mandate or specify any particular methods for electronic signatures, including any particular biometric method upon which an electronic signature may be based.
Electronic signatures based on biometrics must be designed to ensure that they cannot be used by anyone other than their genuine owners (21 CFR 11.200(b)). Therefore, suitable biometrics should be uniquely identified with the individual and should not change with time. In addition, electronic signatures based upon biometrics are accepted provided they meet the requirements found in 21 CFR part 11 (i.e., they must contain pertinent information associated with the signing (see 21 CFR 11.50(a)); they are subject to the same controls as electronic records and must be included as part of any human readable form of the electronic record (see 21 CFR 11.50(b)); and they must be linked to their respective electronic records (see 21 CFR 11.70).
Identity Verification
21 CFR part 11 requires that an organization verify the identity of an individual before it establishes, assigns, certifies, or otherwise sanctions an individual’s electronic signature or any element of such electronic signature (see 21 CFR 11.100(b)).
FDA regulations do not specify any particular method for verifying the identity of an individual and accepts many different methods. For example, verifying someone’s identity can be done by using information from some form of official identification, such as a birth certificate, government-issued passport, or a driver’s license. In addition, use of security questions to confirm an individual’s identity can also be considered.
Depending on the method of identity verification used to satisfy the regulations in 21 CFR part 11 for electronic signatures in FDA-regulated clinical investigations, a child may lack the documentation necessary to verify their identity for the purposes of preventing fraudulent use of electronic signatures (e.g., driver’s license). If so, depending on the clinical investigation, it may be reasonable for the parent to initially document the child’s assent, which can then be verified when the investigator first sees the child.
Compliance with 21 CFR 11
It is the responsibility of the investigator and/or sponsor to assure that all requirements in 21 CFR 11 are met. IRBs, investigators, and sponsors may rely on a statement from the vendor of the electronic system used for obtaining the electronic signature that describes how the signature is created and that the system meets the relevant requirements contained in 21 CFR part 11.
See 21 CFR 11 for full requirements.
Electronic Copy of Consent Form
Unless the IRB waives the requirement for the investigator to obtain a signed consent or permission form, a copy must be given to the person signing the informed consent form. The copy provided to the subject can be paper or electronic and may be provided on an electronic storage device or via email.
If the copy provided includes one or more hyperlinks to information on the Internet, the hyperlinks should be maintained and information should be accessible until study completion. Note that if the electronic informed consent uses hyperlinks or other Web sites or podcasts to convey information specifically related to the research, the information in these hyperlinks should be included in any printed paper copy, if one is provided.
Uniform Electronic Transactions Act
If a law requires a person to provide, send, or deliver information in writing to another person, the requirement is satisfied if the information is provided, sent, or delivered in an electronic record capable of retention by the recipient at the time of receipt. An electronic record is not capable of retention by the recipient if the sender or its information processing system inhibits the ability of the recipient to print or store the electronic record.
HIPAA
The HIPAA Privacy Rule requires that when a covered entity seeks an authorization from a subject (or a subject’s personal representative), the covered entity must provide the individual with a copy of the signed authorization; this requirement also applies where a HIPAA authorization is obtained electronically.
FDA
Although FDA regulations do not require that the subject’s copy include a signature, FDA recommends that a copy of the signed informed consent form that includes the date when the electronic informed consent was signed be provided to the subject.
IRB Considerations
In the process of evaluating use of an electronic signature, the IRB considers the following:
- Requirements to determine whether signatures are legally valid within the jurisdiction where the research is to be conducted
- How the electronic signature is being created
- If the signature can be shown to be legitimate
- If the signature can be shown to be attributable to the subject
- If consent or permission document can be produced in hard copy for review by the potential subject upon request
- If the study involves children, whether and how assent will be documented
- How the electronic system is secure with restricted access
- Methods to ensure confidentiality of the subject’s identity, study participation, and personal information
- If the study is regulated by the FDA:
- Confirmation that the electronic signature will meet the requirements of 21 CFR 11
- How the identity of the person who will be electronically signing will be verified
- If the study involves children, how the identity of the child will be verified
This policy and procedure supersedes those previously drafted.
Approved By: Vice President for Research and Innovation, 4-14-2023