If you read last week’s article, Electronic Signatures for Public Health- The Basics, then you know that the term “electronic signature” has a very broad definition. It refers to a piece of electronic (non-paper) documentation showing the intent of the person to sign it.
In light of national and state efforts encouraging public health departments to go paperless, it is an excellent time to learn as much as possible about electronic signatures, how they work, and who can and should use them.
Once you understand how electronic signatures work, you can more readily decide what type of electronic signatures are right for your agency, as well as how and when you should begin implementing them.
In this article, we’ll review a few of the basic elements of how electronic signatures work.
How are they captured?
There are several methods for capturing an electronic signature.
Let’s look at a few:
- Scan in a paper with a handwritten signature on it – save it to a file for later placement on electronic documents
- Use a signature pad, a tablet, or mobile device that allows you to use a stylus or fingers to draw the signature into an application – it is then stored for later placement on electronic documents
- Use a PIN, a secure, private identifying number that is provided to a person – when that number is entered within an electronic document or application, it is associated with the name of the person assigned to the ID, and that person’s name is included in the electronic document
How are they authenticated?
There are many ways to authenticate an electronic signature, including several complex methods.
The way the e-signature is implemented and used is important in determining how it is authenticated.
For the purposes of this blog post, we’ll only look at a couple of methods:
- It could be authenticated through public-key cryptography, which uses two keys, a public key and a private key, to encrypt and decrypt the message (signature): the signer’s private key produces the signature and the matching public key checks it. The keys must work together. If they don’t, then the message is invalid.
- Alternately, a security certificate can be attached to a device that only the authenticated user can access. When the authenticated user e-signs, that certificate is sent along with information from the device confirming that the combination of the device and the certificate is valid.
How are they transmitted?
A document can be sent for electronic signature in a variety of ways.
One example of this is to use Echosign or another electronic signing service to send an email to a specified recipient.
This email will include a link to a secure server where the recipient can view and sign the document by either typing their initials, or reading terms of acceptance and using their authenticated login to the server as the signature.
Once the document contains an electronic signature, it can be attached to a secure email and returned.
How are they implemented?
What HIPAA does say is that whatever method is implemented, it must also provide an audit log of the action the user took regarding that record.
In other words, the system needs to log the actions of the user.
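To make the PIN capture method and the audit log requirement described above concrete, here is an added sketch (not code from any EHR product or from this article's author) in which every signing attempt, successful or not, is written to the log. The class name `PinSigner`, the log fields, the PBKDF2 work factor and the document hash are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

PBKDF2_ROUNDS = 200_000  # assumed work factor for this sketch

def hash_pin(pin: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash so the raw PIN is never stored."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)

class PinSigner:
    def __init__(self):
        self.users = {}      # user_id -> (name, salt, pin_hash)
        self.audit_log = []  # append-only list of entries

    def enroll(self, user_id: str, name: str, pin: str) -> None:
        salt = os.urandom(16)
        self.users[user_id] = (name, salt, hash_pin(pin, salt))

    def _audit(self, user_id, record_id, action, outcome):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user_id": user_id, "record_id": record_id,
            "action": action, "outcome": outcome,
        })

    def sign(self, user_id: str, pin: str, record_id: str, document: bytes):
        """Return a signature block on a correct PIN, else None. Always logs."""
        entry = self.users.get(user_id)
        # Constant-time comparison avoids leaking how much of the hash matched.
        ok = entry is not None and hmac.compare_digest(
            hash_pin(pin, entry[1]), entry[2])
        self._audit(user_id, record_id, "sign", "success" if ok else "denied")
        if not ok:
            return None
        return {
            "signed_by": entry[0],  # the name tied to the PIN goes in the document
            "record_id": record_id,
            "document_sha256": hashlib.sha256(document).hexdigest(),
            "signed_at": self.audit_log[-1]["time"],
        }

# Constructed sample data: a made-up user, PIN and record.
signer = PinSigner()
signer.enroll("u100", "Jane Example, RN", "493817")
record = b"Immunization consent form, client 0001"
denied = signer.sign("u100", "000000", "rec-1", record)
signed = signer.sign("u100", "493817", "rec-1", record)
```

Logging the denied attempt alongside the successful one is what lets a reviewer later reconstruct who acted on a record and who only tried to.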
The greatest challenge around electronic signatures may be determining how to elegantly incorporate them into an Electronic Health Record.
Deciding where they are needed and how to slide them easily into the workflow without creating a poor user experience is not an easy task.
When you are considering moving to an EHR or switching EHRs, be sure to carefully understand the way electronic signatures are built into the application and evaluate how that fits with your workflow.