Digital signature technology can bolster health care data security

Digital signature technology, common in legal and financial firms, is catching on in health care data security. Learn how digital signatures help providers and what is required to implement them.

The movement to build a health IT infrastructure aimed at improving patient care is opening up new opportunities for the use of digital signatures. This technology can improve health care data security and can be wired into an electronic workflow, as well as into systems for physician order entry, e-prescribing, and patient admission, discharge and transfer.

Hospital accreditors, such as the Joint Commission and the American Osteopathic Association, recognize e-signatures as equivalent to signatures on paper. Accreditation comes with reports (those for safety and quality practices alone use copious amounts of paper), not to mention policies, training documents and disaster planning materials, so hospitals that integrate digital signatures into their accreditation standards compliance programs can significantly reduce the amount of paper they have to store.

E-signatures solve more than just the problems of storing paper. "We know that our electronic health records [EHR] systems provide the ability for us to sign entries electronically," said Jan Hecht, an assistant professor at Eastern Kentucky University in Richmond, Ky., who teaches courses in the field of health services administration. "We're hoping that by using electronic signatures, we can really tackle some of the issues with legibility and the timeliness of authentication."

Hecht and Kerry Costa, a management consultant for Dell Inc.'s Healthcare Services, spoke in a May 11 webinar on behalf of the American Health Information Management Association, and offered tips for evaluating and implementing digital signature technology in a health care setting.

How different levels of e-signatures affect health care data security

There are three levels of e-signatures, Hecht explained:

• Level 1 is literally a digitized signature. This electronic representation of a person's handwritten signature provides the lowest level of security and is similar to the credit card signatures that many retail stores collect via signature pads.

• Level 2 is a biometric scan, PIN or token. These "signatures" provide midlevel security.

• Level 3 is a digital certificate that provides a tamperproof seal that breaks when a message is altered.

Before it implements digital signature technology, a company needs to understand how e-signatures work in each of its facility's systems -- most importantly, the EHR and e-prescribing systems. Companies need to develop policies and procedures around these systems to address health care data security, as well as regulatory compliance, Hecht said.

That might not be as simple as it seems, however. Health care environments include physician assistants and nurse practitioners, who deliver prescriptions to patients as proxies for the physician; and emergency rooms and intensive care units often involve numerous staff members in a patient's care, especially during high-pressure situations. As a result, Dell's Costa said, facilities probably will have to develop e-signature policies for these scenarios:

• Multiple and dual signatures, and countersignatures.
• Entries made on behalf of others.
• Signatures by proxy.
• Batch signings.

Finally, e-signature systems will have to accommodate physician scribes, who act for physicians who just can't get the hang of a new EHR system but still have to use it anyway, Costa said.

Writing these policies before implementing digital signature technology can help sort out the other complicated situations that can show up in a patient health record. Consider the care a patient receives while a doctor is on sabbatical or leave -- one scenario where planning digital signature policies helps accommodate health care-specific needs. A physician typically signs the record and attests that it is true, but when a substitute physician administers care, the system needs to let the regular physician sign on behalf of the substitute within the patient record, Costa noted.

Along those same lines, it pays to avoid auto-attestation, the process by which a physician attests all his entries upon sign-in, Costa said. Both the Uniform Electronic Transactions Act (UETA), which is law in 47 U.S. states, and Medicare Conditions of Participation, which control reimbursement, require a signer to take a specific action to attest and verify each entry. For good reason, too: Auto-attestation gives a physician the opportunity to approve orders that did not get transcribed properly, do not display or were not reviewed previously.
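The Level 3 "seal" described above, together with per-entry attestation and a countersignature, as an added Go example that is not from the article or from any vendor's product. It uses bare Ed25519 key pairs from Go's standard library where a deployment would use keys bound to each signer by a digital certificate; the `Entry` type, its fields and the sample values are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Entry is a constructed stand-in for one record entry (field names are assumptions).
type Entry struct{ PatientID, Author, Text string }

// digest hashes every field with a length prefix so field boundaries cannot shift.
func digest(e Entry) []byte {
	h := sha256.New()
	for _, f := range []string{e.PatientID, e.Author, e.Text} {
		fmt.Fprintf(h, "%d:%s", len(f), f)
	}
	return h.Sum(nil)
}

// Attest signs exactly one entry: call it per reviewed entry, not over all pending ones.
func Attest(key ed25519.PrivateKey, e Entry) []byte {
	return ed25519.Sign(key, digest(e))
}

// Countersign covers the entry and the first signature together.
func Countersign(key ed25519.PrivateKey, e Entry, first []byte) []byte {
	return ed25519.Sign(key, append(digest(e), first...))
}

func Verify(pub ed25519.PublicKey, e Entry, sig []byte) bool {
	return ed25519.Verify(pub, digest(e), sig)
}
func VerifyCounter(pub ed25519.PublicKey, e Entry, first, counter []byte) bool {
	return ed25519.Verify(pub, append(digest(e), first...), counter)
}

// Demo returns whether each seal holds for the original and for an altered entry.
func Demo() (origOK, alteredOK, counterOK, counterAlteredOK bool) {
	pubNP, keyNP, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	pubMD, keyMD, _ := ed25519.GenerateKey(nil)
	e := Entry{"constructed-0001", "NP Example", "Amoxicillin 500 mg PO TID"}
	sig := Attest(keyNP, e)
	counter := Countersign(keyMD, e, sig)
	altered := Entry{e.PatientID, e.Author, "Amoxicillin 5000 mg PO TID"} // one digit added after signing
	return Verify(pubNP, e, sig), Verify(pubNP, altered, sig),
		VerifyCounter(pubMD, e, sig, counter), VerifyCounter(pubMD, altered, sig, counter)
}
func main() { fmt.Println(Demo()) }
```

Because the countersignature covers the first signature as well as the entry, a verifier can tell which attestation the second signer was endorsing.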

Regulations for digital signature technology in health care

Health IT leaders should note that the Drug Enforcement Administration's latest proposed e-prescribing regulation mandates Level 2 authentication in the form of a biometric or retinal scan. That brings up an additional step that should be taken before any purchasing decision is made: Check state regulations regarding e-prescribing, as well as digital signatures in general, Hecht said. The states of Illinois, New York and Washington, which have not signed on to UETA, vary in what they require.

If a facility mandates compliance with the ISO 14888, ASTM EI 762-94 and Certification Commission for Healthcare Information Technology digital signature standards, doctors should check into them, Costa said. In addition, any facility reviewing its own enterprise protocols for digital signatures or embarking on a new implementation might want to read those standards, too, for guidance and best practices information.

Lastly, before doctors sign on the dotted line for the purchase of new digital signature technology, they should check with payers and with Medicare's signature guidelines, to make sure those organizations accept e-signatures on claims generated by the system, Costa said.

Let us know what you think about the story; email Don Fluckinger, Features Writer.

This was first published in June 2010
