Agencies | Governor
Virginia Regulatory Town Hall

Emergency Text


Signature Requirement for Medical Records
Stage: Emergency/NOIRA

12VAC30-50-95. Reimbursement of services; in general.

A. The provision of the following medically necessary services cannot be reimbursed except when they are ordered or prescribed, and directed or performed within the scope of the license of a practitioner of the healing arts: laboratory and x-ray services, family planning services, and home health services. Physical therapy services will be reimbursed only when prescribed by a physician. Inpatient acute hospitalizations will be reimbursed only if the stay has been authorized.

B. The documentation requirements set forth in the regulations or guidance documents of the Department of Medical Assistance Services (DMAS) for the signing and dating of medical records by health care providers shall be a mandatory condition of Medicaid reimbursement. The requirements of this section apply equally to both handwritten and electronic documents and signatures. 

 1. Definitions

a. "Attestation statement" means a signed and dated statement created by the author of a medical record entry that contains sufficient information to identify both the provider and the recipient of the services being validated by the attestation statement. Attestation statements shall be accessible at the provider's place of business and provided to DMAS within 24 hours of request.

b. "Electronic signature" means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by an individual health care provider with the intent to sign the record, and which meets the standards of Code of Virginia § 59.1-491 concerning the admissibility of an electronic signature as evidence.

c. "Medical record" means the documentation of the healthcare services provided to an individual in any aspect of healthcare delivery by a healthcare provider. A medical record is individually identifiable data, in any medium, collected and directly used in documenting healthcare or health status. The term includes records of care in any health-related setting used by healthcare professionals while providing patient care services, for reviewing patient data, or documenting observations, actions, or instructions. This term also includes any other healthcare related document subject to signature and date requirements as referenced in Agency guidance documents and regulations

d. "Signature Log" means a typed or otherwise legible listing of providers, either as an individual log or a group log that identifies each individual provider's name with a corresponding handwritten signature. A signature log may be used to establish signature identity as needed throughout medical records. Signature logs shall be accessible at the provider's place of business and provided to DMAS within 24 hours of request.

2. Signature requirements

a. Both handwritten and electronic signatures shall, at minimum, meet the following requirements:

i. The signature shall include the first and last name, or the legal name, and any applicable title, such as M.D., R.N., etc. of the individual health care provider who authored the medical record being signed;

ii. Shall include a notation regarding the purpose (such as review, approval, supervise, responsibility, or authorship) associated with the signature;

iii. Where a signature is required to document a service provided, the signature shall be positioned within the document so as to be logically and distinctly associated with the documented service; for example, for inpatient hospital certifications or recertifications under 42CFR§456.60, the individual provider certifying or re-certifying the patient's need for inpatient services shall sign the certification or recertification statement so that it is clearly and logically identifiable as such a statement, distinct from other signatures within the same document, such as those associated with patient progress notes; and

iv. The medical record shall be signed and dated on the date the service was provided. The date shall include the month, day and year. In addition, associated with the signature shall be the time the service was provided, where this practice is the industry standard or as otherwise required by Agency guidance documents.  

b. Handwritten signatures

i. The signature shall be clearly legible, as determined by DMAS. If the original record contains the printed name of the author of the medical record below the illegible signature, this constitutes a legible signature. If DMAS determines a signature to be illegible, the provider may submit a signature log or attestation statement, as those terms are defined herein, to support the validity of the illegible signature.

c. Electronic signatures

i. Signed electronic medical records shall contain the information associated with the signature as indicated in subsection (B)(2)(a) of this regulation.

ii. Linking: Electronic signatures and handwritten signatures executed to electronic medical records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.

iii. Electronic signatures shall be subject to the additional requirements found in 12VAC 30-50-96.

3. For personal care and respite services, weekly medical records shall be signed in accordance with 12VAC30-120-935.

4. Where DMAS regulations or guidance documents require the signature of a supervising health care provider, the signature of the supervising health care provider shall meet all the requirements of this regulatory section. The supervising health care provider shall sign and date the medical record within 24 hours of the date of the service, as indicated in the documentation. 

5. Signature logs and attestation statements shall meet the following requirements:

i. All signature logs or attestation statements shall be updated for every new individual health care provider,

ii. All signature logs or attestation statements shall be created prior to the provision of services by the individual health care provider whose signature is described in the signature log or attestation statement.




12VAC30-50-96. Electronic signatures.

A. Scope: The regulations in this section set forth the criteria under which the Department of Medical Assistance Services (DMAS) considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper. Notwithstanding its acceptance of electronic signatures, DMAS requires provider enrollment applications to be signed by hand. In addition to meeting the requirements set out in 12VAC30-50-95, electronic signatures shall be subject to the requirements below.

B. General requirements

1. Each electronic signature shall be unique to one individual health care provider and shall not be reused by, or reassigned to, anyone else.

2. Before a provider establishes, assigns, certifies, or otherwise relies upon an individual health care provider's electronic signature, or any element of such electronic signature, the provider shall verify the identity of the individual signer.

3. Providers using electronic signatures shall, upon DMAS request, certify that all electronic signatures in their system are intended to be the legally binding equivalent of traditional handwritten signatures.

4. Providers using electronic signatures shall, upon DMAS request, provide additional certification or attestation that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature.

C. Controls for electronic signature systems.

1. Providers who create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine.

2. Such procedures and controls shall include the following:

a. Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

b. The ability to generate accurate and complete copies of records in readable form suitable for inspection, review, and copying by DMAS.

c. Protection of records to enable their accurate and ready retrieval throughout the DMAS-required records retention period.

d. Limiting system access to authorized individuals.

e. Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.

f. Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.

g. Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience with the electronic system to perform their assigned tasks.

h. The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.

i. Use of appropriate controls over systems documentation including adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.

D. Controls for identification codes or passwords.

Persons who use electronic signatures based upon the use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:

1. Maintaining the uniqueness of each combined identification code and password, such that no two individual health care providers have the same combination of identification code and password.

2. Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).

3. Following loss management procedures to electronically de-authorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.

4. Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.

5. Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.