Cyber signatures arrive, but are they a good idea?
Experts question safety features
Despite the new federal law that goes into effect Oct. 1 giving electronic signatures the same legal status as old-fashioned John Hancocks scratched out on paper, some experts question if a physician’s cyber signature will meet the security requirements needed for health-related electronic claims and records.
"One of the problems with the law is that it has very low security standards making it relatively easy to challenge electronic signatures," says Kepa Zubeldia, MD, vice president of technology at Envoy Corporation, a Nashville, TN-based medical claims clearinghouse. "The new law makes electronic signatures legally valid nationwide. However, the related security standards are lower than generally required for health care transactions."
As a result of those concerns, many experts are advising physicians to wait until the Department of Health and Human Services (HHS) implements the complete set of final rules required by the Health Insurance Portability and Accountability Act (HIPAA) governing the standardization and privacy of electronic health data and claim transmissions before using on-line electronic signatures (see related story, p. 153).
However, if you do decide to start using electronic signatures in your practice, e-health experts point out that providers are required by law to adhere to the cryptographically based digital electronic signature standard set by HHS for any HIPAA-covered transaction.
Sacramento, CA-based Sutter Medical Group, for instance, hopes to start using digital signatures by the end of the year, allowing its doctors to electronically sign orders and X-ray readings, communicate with each other, and access patient data from home, says John M. Whitelaw Jr., MD, CEO of the 175-physician multispecialty group. That should save time by reducing paperwork and eliminating the constant rounds of phone tag providers and other employees must endure before finally making contact with each other.
HHS’s proposed standard
While the terms "digital signature" and "electronic signature" are often used interchangeably, they are different things, say e-health mavens. A digital signature is basically a document tightly bound to a "hash" mark, which is a unique number or fingerprint.
An electronic signature, however, can be an electronic sound, symbol, or process associated with a record and executed by a person with the intent of signing the record. It could be anything, including a digital signature, an X, or simply a name typed at the bottom of an e-mail.
Here’s what HHS has proposed for its digital signature standard and the three mandatory technical features or technologies it says must be incorporated into it:
• Nonrepudiation — blocks a sender’s false denial that he or she signed a particular message, allowing the recipient to easily prove that the sender actually did sign the document.
• User authentication — verifies the signer’s identity at the time the electronic signature is generated.
• Message integrity — not only binds a signature to a document, but also shows the document has not been altered after the signature was affixed. If the document is altered, then the signature is invalidated.
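The difference between the two kinds of signature described above, as an added Python example that is not part of the original article: a signature computed over the document's hash stops verifying once the record is altered, while a typed name does not. The key is textbook RSA built from two known Mersenne primes, an assumption made to keep the example self-contained, and the sample order and physician name are constructed.

```python
import hashlib

# Teaching-sized textbook RSA (no padding) built from two known Mersenne primes.
# Assumption for illustration only: real signatures use a vetted library,
# randomly generated keys and a padding scheme such as RSA-PSS.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held only by the signer


def digest(document: bytes) -> int:
    """The 'hash' fingerprint of the document, as an integer."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, private_exponent: int = D) -> int:
    """Bind a private key to the document's fingerprint."""
    return pow(digest(document), private_exponent, N)


def verify(document: bytes, signature: int) -> bool:
    """Anyone holding the public key (N, E) can run this check."""
    return pow(signature, E, N) == digest(document)


def typed_name_present(document: bytes, name: bytes) -> bool:
    """A typed-name 'electronic signature': just text inside the record."""
    return document.rstrip().endswith(name)


# Constructed sample record and an altered copy of it.
ORDER = b"Order: chest X-ray, two views.\nSigned: Dr. A. Example"
ALTERED = ORDER.replace(b"two views", b"six views")
SIGNATURE = sign(ORDER)

if __name__ == "__main__":
    print("original verifies:          ", verify(ORDER, SIGNATURE))
    print("altered copy verifies:      ", verify(ALTERED, SIGNATURE))
    print("typed name on altered copy: ",
          typed_name_present(ALTERED, b"Dr. A. Example"))
    # A signature made without the signer's private exponent does not verify,
    # which is what lets the recipient attribute a valid one to the signer.
    print("signed with the wrong key:  ", verify(ORDER, sign(ORDER, D + 2)))
```
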
Although those technical features are not specifically required by the electronic signature law, physicians and their patients could face considerable risks if their electronic signatures for contracts, patient forms, and other electronic documents lack those features, says Zubeldia.
"If you and I agreed to enter into a contract by entering our names at the bottom of an electronic mail, and three months later I deny that I signed it, you have to prove that I signed it, which is also impossible," he notes.
Before you can digitally sign a document, both you and the other person involved in the electronic transactions need to acquire digital certificates issued by special Internet security firms known as certification authorities. Then, you must download them into your computer or special equipment attached to it.
Most of those certification authorities charge a fee for a digital certificate. However, the Chicago-based American Medical Association and the computer chip manufacturer Intel will provide certificates at no cost to physicians, says the North Carolina Healthcare Information and Communications Alliance, a Research Triangle Park, NC, nonprofit organization dedicated to advancing electronic communications in health care.