Electronic Signatures (e-signatures) include any method or intent of signing an electronic form and could include a digitized image of a signature, a biometric identifier, a digital voice recording, a secret code or PIN, an “I Agree” button, or a digital ID.(1,2)
When an e-signature is marked on a document, the user is attesting to being the author and indicating that they are responsible for the information contained in that document.(1) Electronic Health Record Systems (EHRs) should have a built-in authentication process for verifying the author’s identity and authorizing access.(1) As healthcare moves toward using clinical information systems (CIS) that store, create, use, and release electronic documents, it is critical that organizations develop signature standards to ensure patient data security and privacy.
- Purpose of Signatures
- Signature Types
- Rubber stamp signatures
- Law and Regulations of e-Signatures
- Systems in EHRs
The purpose of all signatures is to ensure intent, integrity, and identity. Intent means that the individual signing the document approves the terms and written content.(1) Signatures ensure integrity whereby the signature protects the form’s content from being altered by another, and identity is simply that the signature identifies the person signing the form.(1)
- Analog: When signatures are on paper; Centers for Medicare and Medicaid Services (CMS) requires, at a minimum, a name and discipline. Healthcare organizations may enforce stricter standards for their healthcare professionals if they wish.(1,2)
- Digitized: A signature stored on an electronic media device, usually an image of a handwritten signature. The image of the signature might be scanned, copied, or photographed, and saved for use at a later time. This is the weakest form of e-signing because an individual could access and use another’s handwritten signature to forge a document.(1,2)
- Electronic Signature: The general term for multiple ways that an electronic document can be signed and might include: a digitized image of a signature, a biometric identifier, a secret code or PIN, clicking of an “I Agree” button, or a digital signature.(1) Buttons, PINs, and tokens should be strengthened with an actual digital signature or require unique logins. The Electronic Signatures in Global and National Commerce Act was passed in 2000 and gave e-signatures the same authority as handwritten signatures.(1,2)
- Rubber Stamps: Allowed by state and federal laws; however, individual healthcare organizations should clearly state whether stamps are acceptable at their organization. If a healthcare organization does allow stamps, it should maintain a list of signatures for cross-referencing.(2)
Law and Regulations for e-Signatures
The Electronic Signatures in Global and National Commerce Act (E-SIGN) was passed by Congress in 2000 to help standardize e-signature regulations.(3) In essence, the law allows e-signatures to hold the same authority as a handwritten signature under any statute, regulation, or other rule of law.(3) E-SIGN also outlines ways for storing and retaining electronic documents. E-SIGN states that an electronic signature “means an electronic sound, symbol, or process attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.”(3) E-SIGN allows organizations to choose the technology and software that best supports their needs. Lastly, E-SIGN permits states to pass their own more stringent laws which might “modify, limit or supercede” E-SIGN.(3)
Initially, E-SIGN was promoted by technology and Internet companies, meaning that the complexities in healthcare such as insurance, disclosure of health information, patient rights, ordering of prescriptions, and physicians working remotely are not fully addressed in the E-SIGN act.(3,4) For healthcare organizations it is recommended that someone in authority be familiar with e-signature laws as covered in E-SIGN, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Uniform Electronic Transactions Act (UETA) in order to ensure that compliant EHR software is purchased and used.
HIPAA requires that the software for e-signatures ensures: “message integrity, nonrepudiation, and user authentication”.(3) E-signature integrity is especially important to healthcare because it supports healthcare’s larger goals of interoperability, secure transfer of patient health information (PHI), and independent verifiability.
UETA is fairly similar to E-SIGN in that it gives e-signatures the same authority as handwritten signatures. However, healthcare organizations might be more interested in following UETA over E-SIGN because it helps meet the more stringent laws of HIPAA by further requiring attributes such as the “time when messages are sent or received, errors in electronic contracting, and attribution of electronic signatures.”(3)
Healthcare organizations need to be knowledgeable about e-signature laws so that standards for their organizations can be agreed on and enforced. While there is no single standard at this time for e-signatures, there are some standards available that organizations are encouraged to follow, including: HL7, ASTM International, ISO/IEC, and Certification Commission for Healthcare Information Technology.(1,2) As defined by HL7, a legal authenticated document is “a status in which a document or entry has been signed manually or electronically by the individual who is legally responsible for that document or entry.”(2)
Whichever e-signature standard an organization adopts, it is important to be consistent and to ensure that the standard “links content to the authors, identifies all authors, displays names and credentials, identifies the author’s frequency, ensures integrity, is able to handle multiple signatures, and includes time stamps”.(1) The healthcare organization should ensure that the full name of the author is printed with a date, time and a signature statement such as: "Electronically signed by…."(1)
E-signature standards should be developed to guide a user through the following different circumstances that may be encountered:(2)
- Multiple signers
- A document missing a signature and the author of the document is not available
- Auto-attestation (when the author must attest to the accuracy of what is entered)
- Batch signing (when one individual’s signature is added to multiple documents at once)
- Preliminary entries
- Amendments, corrections, deletions made to EHR documents
- Storage and retention of e-signatures
- Development and use of passwords
- Policies for inappropriate use or sharing of signatures and passwords
- When audits are to happen and by whom to ensure the standards are being followed
- Photocopies, printing, and faxing of signed documents
Basic e-Signature Software Program Characteristics
In the EHR the software program should allow for message integrity and nonrepudiation. Message integrity would assure when a message is sent by a user, and nonrepudiation tracks when an author sent a particular message so that it would be difficult for the author to deny having created the content.(2)
The software system should be able to tell the difference between someone who is the author of the content and an individual who is just entering data.(2) For example, a nurse or medical assistant might fill out a form with a patient, while the form requires a signature by a licensed MD/PA/DO/NP. The EHR system should be able to differentiate between the person who entered the data and the author of the document.
Once an entry is signed, the EHR system should be able to date and time stamp it; this should also allow late entries to be tracked.(2) In addition, when an additional entry has been made to a pre-existing document, the date, time, and author must be stamped to acknowledge that an adjustment was made. Lastly, the EHR system and software product must protect against manipulation and apply administrative safeguards.(5)
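The record-keeping described in this section can be sketched as an append-only log in which every entry names both the person who entered the data and the attesting author, carries a timestamp, and is chained to the entry before it. This is an added illustration, not code from any EHR product or from the cited sources; the user names, keys, field names, and sample data are constructed. HMAC with a per-user key stands in for a digital signature here, and it gives integrity and attribution to the key holder only.

```python
import hashlib
import hmac
import json

# Constructed per-user keys (assumption). HMAC stands in for a digital signature:
# real nonrepudiation needs a private key that only the author holds.
KEYS = {"dr_lee": b"constructed-key-A", "rn_kim": b"constructed-key-B"}
FIELDS = ("doc_id", "content", "entered_by", "author", "signed_at", "prev")

def _sign(entry):
    """MAC over every signed field, keyed by the attesting author."""
    key = KEYS.get(entry["author"])
    if key is None:
        return None
    body = json.dumps({f: entry[f] for f in FIELDS}, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def append_entry(log, doc_id, content, entered_by, author, signed_at):
    """Append an original entry or an amendment; earlier entries are never edited."""
    entry = {"doc_id": doc_id, "content": content, "entered_by": entered_by,
             "author": author, "signed_at": signed_at,
             "prev": log[-1]["sig"] if log else ""}
    sig = _sign(entry)
    if sig is None:
        raise ValueError("author has no signing key")
    entry["sig"] = sig
    log.append(entry)
    return entry

def first_invalid(log):
    """Return the index of the first entry that fails verification, or -1."""
    prev = ""
    for i, entry in enumerate(log):
        expected = _sign(entry)
        if (expected is None or entry["prev"] != prev
                or not hmac.compare_digest(expected, entry["sig"])):
            return i
        prev = entry["sig"]
    return -1

def sample_log():
    """Constructed data: a nurse enters a note, the physician signs, then amends."""
    log = []
    append_entry(log, "note-1", "BP 120/80", "rn_kim", "dr_lee", "2014-10-25T09:00:00Z")
    append_entry(log, "note-1", "Amendment: BP 130/85", "dr_lee", "dr_lee",
                 "2014-10-25T14:30:00Z")
    return log
```

Changing the content, author, or timestamp of any stored entry, or removing an entry, makes `first_invalid` report the position where the chain breaks.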
1. AHIMA e-HIM workgroup: Best practices for electronic signature and attestation. "Electronic Signature, Attestation, and Authorship (Updated)." Journal of AHIMA. 2009;80(11).
2. AHIMA e-HIM work group on maintaining the legal EHR. Update: maintaining a legally sound health record—paper and electronic. Journal of AHIMA. 2005;76(10):64A-L.
3. Ingersoll, B. Electronic records and signatures in healthcare and the interplay of E-SIGN, HIPAA and UETA. 2008 [cited 2014 Oct 25]. Available from: http://corporate.findlaw.com/business-operations/electronic-records-and-signatures-in-healthcare-and-the-interplay.html
4. E-SIGN: What awaits the healthcare industry? McDermott Will & Emery. 2000 [cited 2014 Oct 25]. Available from: http://www.mwe.com/publications/uniEntity.aspx?xpST=PublicationDetail&pub=5469
5. Comply with medical signature requirements. Department of Health and Human Services Centers for Medicare & Medicaid Services. 2013 [cited 2014 Oct 25]. Available from: http://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/downloads/Signature_Requirements_Fact_Sheet_ICN905364.pdf