Providers try to get used to high-tech signatures
HIPAA may require digital certificates
Although a concern about electronic signatures has been whether physicians reviewed records that contained their signatures, authentication has become more of an issue now.
"Is it really that doctor who is signing the record? Has the doctor given his or her key to someone else so that the person can sign it and the doctor isn’t looking at it?" asks Diana J.P. McKenzie, a partner with Gordon & Glickson, a Chicago information technology law firm. "How do you know that it’s even an authorized user who is doing it? Those are the issues that surround the electronic signature."
Columbia Presbyterian Medical Center (CPMC) in New York City tackled the problem by requiring physicians to attend a training session and sign an affidavit regarding the use of their electronic signatures. CPMC has a check-off list along with this signature, which verifies that each physician was trained in the use of the electronic signature, confidentiality issues, and the significance of the agreement to be the sole user of his or her ID, PIN, and password.
"Language in the agreement states that [physicians] understand the serious nature of this password and logon, that the logon and password will only be used by them for their patients," says Karen Rosendale, RRA, senior director of health information management at CPMC. "The agreement also says that handing out this [logon and password to other providers] is grounds for disciplinary action up to and including termination."
In addition, the agreement states that physicians agree to read a record before attaching their electronic signature. The design of the system also makes it impossible for physicians to just log on and sign, Rosendale says. "They must scroll through the entire document to be able to sign."
Looking toward HIPAA
Providers may be becoming more comfortable with logon and ID authentication technology at the point of care with electronic medical records, says Blackford Middleton, MD, MPH, MSC, FACP, senior vice president for clinical informatics at MedicaLogic in Hillsboro, OR.
Some confusion remains, however, over what exactly is meant by the term "electronic signature," he says. Does that include digital authentication? "In our world, we allow a person to log on and identify themselves with logon/password combinations and then sign those electronically. At this point, we haven’t seen the market requiring us to further stick a digital fingerprint of the document and store that along with the document itself."
CPMC adapts the digital electronic signature format to its needs. To sign a document digitally, the user must have a digital certificate. This consists of a matched pair of public and private encryption keys.
The user needs both to sign documents and have his or her signature verified. When the user signs a document digitally, the software engages the user’s private key to create a digital stamp for that document.
The software uses the matched public key to decode the signature and ensure the contents have not been altered.
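The sign-and-verify cycle described above, as an added example in Go that is not code from CPMC, MedicaLogic, or the original article. The choice of Ed25519, the SignedNote layout (which also binds the author and signing time into the fingerprint), and the sample note text are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// SignedNote is a hypothetical record layout: note text, signer, time, stamp.
type SignedNote struct {
	Author, Body string
	SignedAt     int64 // Unix seconds
	Signature    []byte
}

// NewKeyPair generates one signer's matched public and private keys.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand.Reader
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// digest fingerprints every signed field; length prefixes keep field boundaries fixed.
func digest(n SignedNote) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d:%s%d:%s%d", len(n.Author), n.Author, len(n.Body), n.Body, n.SignedAt)
	return h.Sum(nil)
}

// Sign creates the stamp over the fingerprint with the signer's private key.
func Sign(priv ed25519.PrivateKey, author, body string, at int64) SignedNote {
	n := SignedNote{Author: author, Body: body, SignedAt: at}
	n.Signature = ed25519.Sign(priv, digest(n))
	return n
}

// Verify recomputes the fingerprint and checks the stamp with the public key.
func Verify(pub ed25519.PublicKey, n SignedNote) bool {
	return ed25519.Verify(pub, digest(n), n.Signature)
}

func main() {
	pub, priv := NewKeyPair()
	note := Sign(priv, "dr.example", "Constructed sample note: continue current dose.", 946684800)
	ok := Verify(pub, note)
	note.Body = "Constructed sample note: double current dose."
	fmt.Println("original verifies:", ok, "| altered verifies:", Verify(pub, note))
}
```

Verification proves only that the holder of the private key signed these exact bytes; it cannot show that the key holder was the physician, which is the sharing problem the CPMC agreement addresses.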
Because Congress failed to act on privacy legislation last fall, Middleton expects the Department of Health and Human Services to set the standard for electronic signatures, as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This should include the additional requirement of digital certificates, he says. "[A digital certificate] is a significant additional requirement that has to be managed."
To prepare for the possible requirement, providers using electronic medical records need to understand exactly what their vendor is supplying to them, Middleton continues. "There should be some form of electronic signature applied to each piece of data stored in the record."
MedicaLogic offers a security model with role-based authentication and authorization in the record. "In our case, the person who wrote each piece of data is identified with the time and date in which it was written as well as the final signer of the document. The document is unchangeable medically and legally after that fact," he explains.
Providers also need to be concerned about Internet health records, Middleton adds. "Physicians need to be sure that the documents they create using that tool also are signed and inviolate."