
State Farm uses payment signature for HIPAA disclosure authorization - luu
https://twitter.com/aphyr/status/1133484519942774784
======
jrockway
I feel like signatures are completely meaningless at this point. Applying a
picture of someone's signature to a document they didn't sign is certainly
shady, and I hope is found to be illegal. But I think we're pretty far gone on
signatures being any sort of authentication mechanism. Already you can
"e-sign" all sorts of legal documents with no verification of your identity
whatsoever. (Meanwhile, one time my bank did check my signature when I was
withdrawing what seems now like a tiny amount of money. They decided it didn't
match, and then I had to submit a new signature sample before I could have my
money. This was after showing them a driver's license, passport, and entering
the PIN on my debit card in front of the clerk. Several years later, different
bank, I wrote a check for $30,000 to a doctor by logging into my bank with an
8 character no-capital-letters-allowed password.)

I feel like the direction that the standard is going is that you are assumed
to have signed something if you benefited from signing that document. So you
can't slip through the cracks by not signing something, it's just assumed that
you signed it now. This fake signature is just an acknowledgement that
signatures are useless. "If we issued you insurance, you signed every form.
Prove otherwise." And my feeling is they will probably prevail in court on
that, because signatures died a long time ago.

~~~
aguyfromnb
> _Already you can "e-sign" all sorts of legal documents with no verification
> of your identity whatsoever._

Well, not really. If you e-sign a document, it's not like there's no traceable
provenance to the signature to establish your identity. To what email were the
documents delivered? What computer/device were they signed from? At what
location were they signed?

Sure, all of those things can be "faked", but they really only matter if the
signature is _disputed_. In this case, that's happened, and it will be quite
easy to prove he didn't sign the documents.

> _This fake signature is just an acknowledgement that signatures are useless_

This is a bit of a reach. Signatures are not meant to be a secure identity
measure. If the story is as explained in the Tweet, it's _fraud_ , and that
fraud can be proven thanks to what was or was not actually signed. The story
doesn't end with the insurance company pointing to the signature and saying,
"Look, there it is".

~~~
mattr47
In the US Military a lot of the finance, personnel action and evaluations are
all e-signed. This requires your CAC (ID card with embedded crypto) and your
PIN. You insert the card into a reader and then type your PIN. Document is
then e-signed.

~~~
alasdair_
How does this stop someone from claiming that the displayed document was
different to the one that was “signed”?

~~~
mattr47
The e-sign on the actual document has the date/time and other PII. If it is on
the document, it was signed by you.

------
dzdt
At my pediatrician's office the norm is to sign forms without seeing them at
all. The receptionist has a computer screen; the patient has a signature pad
with no display. They will say "please sign for permission to treat" then
"please sign again for HIPAA approval" and so on. I think you _could_ ask to
see the forms, but it would be breaking the social norms to do so. You would
instantly be a "difficult" patient.

~~~
prepend
My office asked me to sign a blank sheet of forms that the doctor would fill
out after our appointment. When I asked to wait until after the appointment
the receptionist person huffed and said I always signed them this way. When I
pointed out it was my first visit, she looked agitated and argued that it was
not my first visit.

I think she wanted it so she could start prepping my insurance submission. But
it’s sad to me that trying to improve a burdensome administrative system makes
it casual to have patients misrepresent. Similarly to being asked to sign a
form saying I’ve read the medical privacy policy, but not being allowed to see
the policy.

The assumption is that patients will sign anything, which kind of defeats the
purpose of patients signing anything.

~~~
vageli
I have started to write "this form was blank when I was asked to sign" with
the date and my initials diagonally across the page over the fields that would
be later filled.

------
teeray
I had this happen to me at a gym once. They had a promotion where it was a
fixed price for a month of access. I handed over my card, signed on the
payment pad, and walked out the door. When I got home, I found an onerous
contract in my inbox with my signature plastered all over it from that
signature pad agreeing to automatic payments, absurd cancellation
requirements, BS involving my credit, etc. Fortunately, my state had a three
day right of rescission, so I was able to instantly nullify it despite their
protests that it must go through the cancellation process.

~~~
o10449366
A few months ago I had the option to sign up for two gyms: One right by my
house for $15 a month, another much farther away for $120 a month. I decided
to go with the more expensive gym, not because any of the facilities were
better, but because the $15 a month gym had a ridiculous number of
stipulations in the contract, a 6 months notice for cancellation, minimum 1
year contract with auto renewal, ambiguous "service fees" and electronic
payment fees, etc. etc. etc. The more expensive gym is month to month, cancel
anytime for no reason at all, no bullshit. Well worth the extra money to not
have to deal with any nonsense.

~~~
hinkley
It’s funny to me that, in a society where we buy takeout to avoid having to
cook, we discount the energy expenditure for the “cheaper” option in so many
other contexts.

An extra $20 bucks and I never have to think about this again? Yes, please.
An extra 40? Okay. I’d have to think hard about $100 though.

------
aphyr
Restating this for folks in the comments who didn't read:

When I applied for a policy, my agent provided me with an electronic signature
pad at payment time. I understood that I was providing my consent to apply for
coverage, and to pay for that policy. I do contract review as a part of my
job, and read legal language carefully before signing.

Just before I left the building, they provided me with a folder full of
informational material--a bunch of ads for State Farm services and disability
coverage in general, some policy overviews, etc. I set it on the counter when
I got home, and planned to read it later--work was incredibly busy that week.

It turned out that State Farm had applied my payment signature to additional
forms without my knowledge: a HIPAA authorization form and consent for State
Farm to draw my blood and test it for HIV. I was provided neither verbal nor
written information prior to signing that I was agreeing to either of these
terms. I was not given a chance to review these agreements prior to signing. I
didn't ask to see them, because I didn't know they were even a thing.

State Farm started pulling my health records from my old doctors. One of them
thought it looked sketchy, and called me to confirm. My reaction was something
like "What the fuck". They emailed me a copy of the forms, and that was the
first time I learned I'd "agreed" to disclose my health records. Sure enough,
they were in the folder: buried behind the ads and policy information. If I'd
flipped through the folder in full before walking out the door, I could have
run back in and insisted they cancel the authorization.

I immediately called State Farm, informed them they did not have my consent,
and demanded they destroy any records they'd obtained. They said they'd do
that. I've been waiting for them to confirm they've destroyed those records
since, uh... May, I guess. The folder's still on top of my desk; I've been
meaning to follow up with a HIPAA complaint. Started getting the state
regulatory bodies involved, but haven't finished that process.

I had a detailed conversation with my agent at State Farm where we talked
about the importance of informed consent and presenting people with paperwork
prior to signing. He actually told me that not only was this standard
procedure, but that he didn't actually know how to _get_ a copy of the forms
to show to customers so they could review before signing: the workflow State
Farm designed didn't actually produce forms until the signature was already in
place.

I don't fault my agent specifically for this; I fault State Farm's training
and workflow. My understanding from talking with state regulators is that I'd
have to initiate a complaint specifically against my _agent_ , which is less
than ideal. I like him and I don't want to fuck up his business, and he didn't
understand that contracts require a meeting of the minds. This is, IMO, a
systemic problem requiring better training and software design, and those are
both State Farm _corporate_ issues.

~~~
scohesc
If your agent doesn't know the concept of contracts requiring a meeting of the
minds, why is he an insurance agent?

~~~
crankylinuxuser
Bingo.

As a public service, they should file a grievance against this insurance
agent, and include State Farm as well. Because, if this is true, it is forgery
along with various HIPAA violations.

------
martin8412
IANAL, but isn't this straight up fraud? They have copy pasted a signature for
something else onto another contract.

~~~
dboreham
Yes it is. (ianal either).

------
kop316
While I very much agree that how they did it is incredibly shady, the person
applied for long term disability insurance. Correct me if I am wrong, but
isn't it a reasonable thing that an insurance company would want to look at
your medical records as a condition of you signing up for one?

~~~
markus92
That would actually be illegal in a lot of places. Not sure how it would be in
the USA but in most countries in Europe that wouldn't fly.

They would be allowed to ask questions about your medical history, but medical
records themselves are an absolute no go.

~~~
kop316
Playing devil's advocate, why would I as an insurance company want to insure
you if I don't have access to your medical records to verify preexisting
conditions?

I say that because then a person could have a preexisting condition, sign up
for insurance, then go on long term disability due to the preexisting
condition.

~~~
ken
Just because a company has a financial interest in learning a piece of
information doesn't make it legal to acquire that information in any possible
way. Pasting a signature onto a different document sounds like a clear cut
case of fraud.

~~~
kop316
I'm not disagreeing that the method is shady.

I'm saying if I'm the insurance company, why would I offer disability
insurance if I can't verify the existence or absence of a preexisting
condition?

~~~
whatisthiseven
The answer is the insurance company wouldn't. Easy. Why are you asking,
though? Companies shouldn't commit fraud just because they want something.

~~~
kop316
I'm asking because I'm only hearing one side of the story. I have had to
e-sign documents before and they always say the documents are available for
reading, and I always ask for them. I've never had an issue with that,
especially with insurance companies.

Furthermore, the insurance the person is asking for is disability insurance.
Common sense dictates that they will ask for medical records, and therefore
need a HIPAA disclosure document.

If what the poster alleges is true, I agree wholeheartedly that it should have
been more clear in signing up for it, but it seems odd that the poster didn't
think that State Farm would ask for medical release forms for disability
insurance.

TL;DR, I think there's more to the story than what is alleged here.

~~~
whatisthiseven
But why not state that rather than question begging? To everyone else, it
seemed you were hammering away at some important point but without any
context.

Honestly, though, so many ads for insurance say you don't need a doctor visit,
or health checkup, or whatever. I could easily see customers getting confused
thinking they wouldn't need to give over health documents because the ads are
deliberately misleading.

Just because a business's practice is obvious to itself and those in the know,
doesn't mean customers can get fleeced because "they should have known
better". Caveat Emptor is kind of bullshit with such high information
asymmetry.

~~~
kop316
I was trying to be nice to the poster.

Being blunt, I think the poster has no idea how insurance works, and didn't
bother to read anything while signing up. Now they are upset because they
actually read it.

Or being less charitable, they did understand the process, and wanted to
create fake outrage about it. You don't have to "be in the know" to get how
insurance works. Nor to understand that an insurance company will want to do
its fact checking on someone as a condition to insure them.

~~~
qtplatypus
The poster was not presented the forms in order to read. The poster points out
that he read and reviewed everything he was given access to before he signed
it. This was the insurance company not disclosing these terms.

------
coding123
So maybe it's time we push for real private keys held by people and a
signature is a fucking cryptographically proven document.

~~~
chrismeller
Yeah, but who issues those? The government is the obvious answer, blah blah
blah Estonia blah blah, but that causes so many other issues... we already
have debates over states issuing drivers licenses to “illegals” and “big
brother” etc., so I don’t see this idea going over well.

At the end of the day it would require that the US government issue an ID to
every citizen, green card holder, visa applicant, long term visa holder, etc.,
illegals be damned...

Even if that somehow happened, we now have the single largest hacking target
in the world... are you comfortable with that? I’m sure not.

~~~
tomjen3
No we don't. Have the government HSM sign a separate key for each state for
each month. Have each state HSM sign a separate key for each county for each
month. Have each county HSM sign a separate key for each DMV, housing
association or whatever, also only valid for a month.

No big hacking target because the keys can be locked up or reverted pretty
easily and the HSMs are on military bases or whatever.

~~~
chrismeller
I think that is remarkably ignorant. Yes, it works the same way the Chain of
Trust does in your browser, but it also means that, at least for <insert time
period>, there is a single point of failure.

Hardware keys being on military bases doesn’t really fix that, the weak link
is still a crappy government server.

You also skipped over all the hurdles of recognizing a “person” that we will
issue to anyway. Sure, we could ignore that... but then Montana doesn’t
recognize signatures from Oregon.

~~~
dwild
I think you completely lost the context of the conversation, we are talking
about improving signatures.

Everything you said against using private keys applies to physical signatures.

Sure, hacks will surely happen, but they already happen with signatures. At
least now you'll get much more traceability and be able to invalidate what
needs to be.

> You also skipped over all the hurdles of recognizing a “person” that we will
> issue to anyway. Sure, we could ignore that... but then Montana doesn’t
> recognize signatures from Oregon.

Recognizing what? You are the only one here talking about this being a proof
of citizenship. Does your physical signature prove that you are a US citizen?
Does it need to? I certainly hope not.

For each subsequent argument, please just ask yourself first whether this
issue applies to physical signatures too.
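The hierarchy tomjen3 sketches above (a root HSM signing short-lived state keys, which sign county keys, and so on down to the key a person actually holds) and alasdair_'s earlier question about whether the displayed document was the one that got "signed" can both be shown concretely. The following is an added example, not code from this thread or from any real government PKI: it uses Go's standard-library Ed25519 with an assumed minimal certificate format, constructed subject names and form texts, a time-limited and revocable chain, and a document signature over the hash of the exact bytes shown to the signer, so the same signature fails to verify on any other form.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// Cert is an assumed minimal certificate, not a real PKI format.
type Cert struct {
	Subject   string
	PubKey    ed25519.PublicKey
	NotBefore time.Time // the "only valid for a month" window
	NotAfter  time.Time
	Sig       []byte // issuer's signature over tbs()
}

// tbs serialises the to-be-signed fields so the signature covers all of them.
func (c Cert) tbs() []byte {
	b := append([]byte(c.Subject), 0) // NUL separator; PubKey is fixed-length
	b = append(b, c.PubKey...)
	return append(b, fmt.Sprintf("|%d|%d", c.NotBefore.Unix(), c.NotAfter.Unix())...)
}

// Issue is the "HSM signs a key for the level below" step, valid for `days` days.
func Issue(issuer ed25519.PrivateKey, subject string, pub ed25519.PublicKey, from time.Time, days int) Cert {
	c := Cert{Subject: subject, PubKey: pub, NotBefore: from, NotAfter: from.AddDate(0, 0, days)}
	c.Sig = ed25519.Sign(issuer, c.tbs())
	return c
}

// VerifyChain walks root -> state -> county -> person (a DMV level slots in the
// same way), checking signature, validity window and revocation at each hop,
// and returns the leaf (person's) key on success.
func VerifyChain(root ed25519.PublicKey, chain []Cert, now time.Time, revoked map[string]bool) (ed25519.PublicKey, error) {
	parent := root
	for _, c := range chain {
		switch {
		case now.Before(c.NotBefore) || now.After(c.NotAfter):
			return nil, fmt.Errorf("%s: key outside its validity window", c.Subject)
		case revoked[string(c.PubKey)]:
			return nil, fmt.Errorf("%s: key revoked", c.Subject)
		case !ed25519.Verify(parent, c.tbs(), c.Sig):
			return nil, fmt.Errorf("%s: not signed by its parent", c.Subject)
		}
		parent = c.PubKey
	}
	return parent, nil
}

// SignDocument binds the signature to the exact bytes the signer saw, so the
// same signature cannot be verified against any other form.
func SignDocument(priv ed25519.PrivateKey, doc []byte) []byte {
	h := sha256.Sum256(doc)
	return ed25519.Sign(priv, h[:])
}

func VerifyDocument(pub ed25519.PublicKey, doc, sig []byte) bool {
	h := sha256.Sum256(doc)
	return ed25519.Verify(pub, h[:], sig)
}

type Result struct{ ChainOK, DocOK, MovedSigOK, RevokedOK, ExpiredOK bool }

func gen() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Demo: valid chain and form, then a moved signature, a revoked county key, and expiry.
func Demo() Result {
	now := time.Date(2019, 5, 29, 12, 0, 0, 0, time.UTC) // constructed
	rootPub, rootPriv := gen()
	statePub, statePriv := gen()
	countyPub, countyPriv := gen()
	personPub, personPriv := gen()
	chain := []Cert{
		Issue(rootPriv, "state-of-oregon", statePub, now, 30), // constructed names
		Issue(statePriv, "example-county", countyPub, now, 30),
		Issue(countyPriv, "resident-alice", personPub, now, 30),
	}
	var r Result
	leaf, err := VerifyChain(rootPub, chain, now, nil)
	r.ChainOK = err == nil
	payment := []byte("I authorize a one-time payment for this application.") // constructed
	sig := SignDocument(personPriv, payment)
	r.DocOK = r.ChainOK && VerifyDocument(leaf, payment, sig)
	// Same signature, different form (constructed text): must not verify.
	r.MovedSigOK = r.ChainOK && VerifyDocument(leaf, []byte("I authorize release of my medical records."), sig)
	_, err = VerifyChain(rootPub, chain, now, map[string]bool{string(countyPub): true})
	r.RevokedOK = err == nil
	_, err = VerifyChain(rootPub, chain, now.AddDate(0, 0, 45), nil)
	r.ExpiredOK = err == nil
	return r
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

Running it prints the five booleans: the chain and the matching form verify, while the moved signature, the chain with the county key revoked, and the chain checked after the 30-day windows have closed all fail. Revoking one county key invalidates everything beneath it without touching the root, which is the "locked up or reverted" property the thread argues for.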

------
cnst
More context: further tweet explains that this was all after he signed on a
signature pad. E.g., it's not some sort of conspiracy against him, but what
appears to be a "normal business practice", as sad as it is.

I think those signature pads are beyond creepy, especially with the way that
they're being run by all these companies, where the order in which they give
you the documents for examination and the order in which you actually sign
them are basically reversed. I've dealt with a few of those pads myself (I
think it was at a local municipality and a bank), prompting me to:

[https://law.stackexchange.com/questions/2148/if-you-sign-a-s...](https://law.stackexchange.com/questions/2148/if-you-sign-a-signature-pad-without-seeing-what-its-for-is-it-binding)

------
salawat
This problem is one of the aspects of IT as utilized by the business world
that I straight up abhor. Never before in the history of mankind has the
bureaucracy taken primacy over getting stuff done.

Unfortunately, we seem to have scaled way outside of the capacity for the
typical act of contract signing to be anything but fraught with danger. At
this point, if I don't have someone to talk with authorized to make and act on
contractual amendments in the room, I'm reluctant to sign anything. Hell, even
if they are there, I have doubts any amendments would actually be honored
given the difficulty and scale of assumptions built into most forms of
business automation systems.

There has to be a way to get things back on track, but I'm clueless on where
to start. Legislation? Public Awareness? Education? What?

------
ginko
Would have been nice if they said what State Farm was. A Wikipedia search led
me to this article about state owned farms in the Soviet Union:
[https://en.wikipedia.org/wiki/Sovkhoz](https://en.wikipedia.org/wiki/Sovkhoz)

Doing some more searching it seems to be an insurance company in the US.

~~~
franciscop
It's linked in the tweet:

[https://twitter.com/StateFarm](https://twitter.com/StateFarm)

[https://www.statefarm.com/](https://www.statefarm.com/)

------
quantified
I can imagine breaches of e-signature images being used in various ways.
Another piece of personal info to consider.

------
jobseeker990
I wonder why no one has tried to build an AI around TOS and other contracts.
It could be trained on 1000s of documents and learn what clauses people want
to be made aware of, and/or provide a score from 0-10 on how bad it would be
to sign it.

To head off the objections: no, it would never be perfect. Yes, there is some
risk. But it could be way better for 99% of the population that doesn't read
anything they sign.

~~~
Supermancho
AI isn't a solution to Turing problems.

------
jrochkind1
this can't be legal, right?

~~~
sneak
Everything is legal until someone with authority says it isn't. The way the US
system is set up, unless someone has violated criminal law and you can
interest a government prosecuting attorney to take interest in the case, you
have to hire and pay a lawyer out of your own pocket to threaten/bring a civil
case. Most people do not have a civil lawyer on hand, and the costs for even
beginning such a thing easily run into the thousands of dollars. Carrying
something through to completion can be $20-50k in the best of cases.

There is a tremendous power imbalance between private people and large
corporations with civil lawyers on staff.

------
numblok
Not a lawyer but seems like perjury to me.

~~~
QuinnyPig
Forgery.

~~~
numblok
and that's why I'm not a lawyer.

------
exabrial
Imagine signing in to Hacker News with only a username and no password...
That's what credit card numbers are. Passwords / pins aren't even a good
solution either: some sort of pki/cryptographic signatures are.

------
glofish
As always it is all about intent. Did the OP agree to have his information
disclosed in return for getting disability insurance?

If they did then there is no problem here.

It seems that people are getting hung up on the wrong issue. Filling in and
signing endless pieces of paper at the doctor's office is the most annoying
experience. I wish my signature was applied directly.

Of course, I would like to be informed of what I agree to in simple brief
terms. Putting massive documents in front of me that will sign automatically
anyway makes no difference.

~~~
ldoughty
The first few bullet points scream "you authorize SF to get your medical
information and history". This is an application for long term disability, so
they are trying to prove he's medically disabled by getting documentation from
an authoritative source, which could only be accomplished by going to the
doctors' offices and insurers directly.

Isn't this basically power of attorney? He signed a form that explicitly
stated he authorized SF to get his medical information (among other things).
What's the purpose of such a form except to NOT go back to him to sign 12
documents from different companies to release info one by one?

~~~
endogui
Well, here he is claiming they didn't sign that document at all: the signature
was copied from elsewhere.

~~~
ldoughty
My interpretation was that this document was what he signed, since his tweet
talked about his signature being on a form authorizing more specific things.

