May 25, 2009

Digital Signatures Come of Age
By Alice Shepherd
For The Record
Vol. 21 No. 11 P. 6

Electronic medical records (EMRs) have once again become a popular topic of discussion, thanks in large part to the Obama administration’s push to modernize healthcare through a far-reaching incentive plan. One important component of EMRs is the e-signature, regarded as the equivalent of its traditional, handwritten counterpart. Digital signatures are a specific type of e-signature solution that can further reduce costs and create efficiencies across the entire healthcare organization—from front to back office.

To understand digital signature technology, it is first important to understand the distinction between a digital signature and the more commonly used expression, e-signature. The term “e-signature” includes a wide range of options. For example, a name typed at the end of an e-mail is considered an electronic signature. An e-signature can also be a signature that is scanned into an image and then embedded in an electronic document. But there are inherent problems with nonstandard electronic-signature technology in that it can be difficult to prove both the signer’s authenticity and that nothing was changed after the signature was affixed.

A digital signature, however, is a specific technology known as public key infrastructure (PKI)—the only standard for e-signatures. PKI guarantees the signer’s identity with the identification embedded in the signed document. The signer cannot disclaim or “repudiate” the signature, and if the signed data are changed, the signature becomes invalid.

With digital signature technology, a signer is issued an identification certificate and two keys, one private and one public. The signer uses the private key to sign a document, providing the document with a unique fingerprint. Third parties can then use the public key to verify the signer’s identity and the signed data’s integrity. PKI enables individuals to sign electronic documents in Microsoft and Adobe programs, among other applications. It also allows electronic data in database applications, printable output, and Web forms to be signed.
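The sign-and-verify flow described above, as an added example that is not from the original article or from any vendor's product. It uses the OpenSSL command line, with a self-signed certificate standing in for an identification certificate issued by a certificate authority; the signer name, file names and record text are constructed.

```shell
#!/bin/sh
# Added example: detached digital signature over a record, verified by a third
# party holding only the signer's certificate. All names and data are constructed.

make_signer() {   # $1 = directory, $2 = signer name (hypothetical)
  # Self-signed certificate stands in for one issued by an organization's CA.
  # Demo only: the private key is written unencrypted to disk.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Example Hospital/CN=$2" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

sign_record() {   # $1 = private key, $2 = record; writes detached $2.sig
  openssl dgst -sha256 -sign "$1" -out "$2.sig" "$2"
}

signer_of() {     # $1 = certificate; prints the identity bound to the public key
  openssl x509 -in "$1" -noout -subject
}

verify_record() { # $1 = certificate, $2 = record, $3 = signature; returns 0 if intact
  vr_pub=$(mktemp) || return 2
  # Extract the public key from the certificate, then check the signature with it.
  if openssl x509 -in "$1" -pubkey -noout > "$vr_pub" 2>/dev/null &&
     openssl dgst -sha256 -verify "$vr_pub" -signature "$3" "$2" >/dev/null 2>&1
  then vr_rc=0; else vr_rc=1; fi
  rm -f "$vr_pub"
  return "$vr_rc"
}

demo() {
  d=$(mktemp -d) || return 1
  make_signer "$d" "Pat Example"
  printf 'Constructed sample: HIPAA acknowledgment, patient 0000\n' > "$d/record.txt"
  sign_record "$d/key.pem" "$d/record.txt"
  signer_of "$d/cert.pem"
  verify_record "$d/cert.pem" "$d/record.txt" "$d/record.txt.sig" && echo "original: valid"
  # Any change to the signed bytes invalidates the signature.
  printf 'altered after signing\n' >> "$d/record.txt"
  verify_record "$d/cert.pem" "$d/record.txt" "$d/record.txt.sig" || echo "modified: INVALID"
  rm -rf "$d"
}
demo
```

The verifier needs only the record, the signature file and the certificate; in a real deployment it would also validate the certificate chain and revocation status before trusting the identity in it.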

While PKI was traditionally cumbersome and expensive to deploy, organizations interested in using digital signature technology can now choose among several options. They can still select self-built solutions, which require a certain level of expertise to build, implement, and manage the necessary components. Organizations also can choose to outsource to a third party. Lastly, off-the-shelf applications are available that offer complete turnkey appliances that are simple to deploy and maintain.

According to Mauricio Pinto, healthcare market manager for ARX, Inc, a digital signature solution provider, “With the availability of next-generation PKI solutions, there is no longer any reason for healthcare organizations not to deploy a standards-based, fully compliant electronic signature.”

In all situations, signers need to authenticate themselves by using mechanisms such as a username or a password, biometrics, smart cards, one-time password generators, USB tokens, or a combination of the above (multifactor authentication). For signature verification, some solutions require authenticators of the digitally signed records to also be users of the signing software. With others, the signed record becomes an independently verifiable record.

Digital signatures can create efficiencies across many departments in a healthcare organization, from HIM to the front desk and the back office. For example, many organizations already have an EMR in place, some of which offer proprietary e-signatures. With these signing solutions, individuals who enter information will typically verify their identities by using a unique assigned code. The applications only retain the information if the user’s identifying information matches the code. This level of security may be sufficient for internal-only applications, but the process requires that authenticators be logged into the system. Consequently, the process is not useful for sharing signed information with authorized parties outside the organization. By contrast, PKI-based solutions offer a way to independently authenticate both the signer and the integrity of the now-portable information, enabling digital interaction beyond the organization’s walls.

Another use for digital signatures is signing images, which are an essential component of the medical record and include documents such as radiological images, pathology slides, test results, and all scanned documents. There is no practical way to securely sign these documents with a nondigital signature solution. With PKI, the documents or images can be signed and their integrity ensured, and they can be independently authenticated.

Organizations are finding that the process of managing requests from a wide range of requesters has become increasingly labor intensive. This phenomenon is due in part to the HIPAA privacy guidelines, which require that the identity of the person requesting the information be authenticated. The process of reviewing the requested information, as well as the information provided, also must be documented.

Digital signatures may offer relief. Regular requesters can use a digital signature credential to facilitate the verification process. Because the requested data can come from multiple sources and some digital signature solutions are able to convert printable data directly to a signed electronic document, the entire process can remain electronic.

According to HIPAA security regulations, the potential use of digital signature solutions is regarded as a technical safeguard, and organizations must put policies and procedures in place that ensure patient data have not been changed or destroyed in an unauthorized manner. A digital signature encodes the data or signed document, thus ensuring the information’s veracity. HIPAA rules also require organizations to guarantee that electronically transmitted protected health information is not modified without detection until it is disposed of. Because a digital signature creates a signed and sealed record that cannot be tampered with or modified without detection, it ensures compliance with this rule.

Patients routinely sign HIPAA forms when checking in at a physician’s office. The now-common ritual of manually signing such paperwork can be transformed into a digital process through the use of an e-pad that can capture a patient’s one-time graphical signature. A witnessing employee, who has digital signature capability, can then affix his or her digital signature to the document, which, in essence, notarizes and seals the patient-signed document.

“The registration desk and HIM department are just two of many functional areas that can benefit from deployment of a digital signature solution,” says Pinto. “From human resources to sourcing and procurement to accounting and legal, a hospital or medical center’s back office churns out huge volumes of documents that require signatures on a daily basis, and often these need to be authenticated by external reviewers. A cross-departmental digital signature solution eliminates paper and manual signing of employee forms, purchase orders, and contracts.”

The emergence of electronic workflow solutions further leverages the usefulness of digital signatures by automatically routing data and documents for signing. These solutions, available as either stand-alone applications or as modular add-ons to existing software applications used throughout the organization, allow for beginning-to-end paperless business processes.

As the healthcare industry continues moving toward paperless applications, organizations are looking for simple solutions that enable them to incorporate electronic signatures into their day-to-day operations. A new generation of PKI, or digital signature solutions, means that it is now possible to choose technology that can be readily implemented and will meet all legal and compliance requirements, often in a single application. In addition, even if an organization has an electronic-signature system in place, a simple add-on can provide the level of security that will eliminate concerns about meeting federal regulations.

— Alice Shepherd is a southern California-based business-to-business journalist specializing in healthcare topics.