Provider Enrollment and Ongoing Responsibilities : Documentation

Policy Requirements for Use of Electronic Signatures on Electronic Health Records

For ForwardHealth policy areas where a signature is required, electronic signatures are acceptable as long as the signature meets the requirements. When ForwardHealth policy specifically states that a handwritten signature is required, an electronic signature will not be accepted. When ForwardHealth policy specifically states that a written signature is required, an electronic signature will be accepted.

Reimbursement for services paid to providers who do not meet all electronic signature requirements may be subject to recoupment.

Electronic Signature Definition

An electronic signature, as stated in Wis. Stats. § 137.11(8), is "an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record."

Some examples include:

• Typed name (performer may type their complete name)
• Number (performer may type a number unique to them)
• Initials (performer may type initials unique to them)

All examples above must also meet all of the electronic signature requirements.

Benefits of Using Electronic Signatures

The use of electronic signatures will allow providers to:

• Save time by streamlining the document signing process.
• Reduce the costs of postage and mailing materials.
• Maintain the integrity of the data submitted.
• Increase security to aid in non-repudiation.

Electronic Signature Requirements

By following the general electronic signature requirements below, the use of electronic signatures provides a secure alternative to written signatures. These requirements align with HIPAA Privacy Rule guidelines.

General Requirements

When using an electronic signature, all of the following requirements must be met:

• The electronic signature must be under the sole control of the rendering provider. Only the rendering provider or designee has the authority to use the rendering provider's electronic signature. Providers are required to maintain documentation that shows the electronic signature that belongs to each rendering provider if a numbering or initial system is used (e.g., what number is assigned to a specific rendering provider). This documentation must be kept confidential.
• The provider is required to have current policies and procedures regarding the use of electronic signatures. The Wisconsin DHS recommends the provider conduct an annual review of policies and procedures with those using electronic signatures to promote ongoing compliance and to address any changes in the policies and procedures.
• The provider is required to conduct or review a security risk analysis in accordance with the requirements under 45 CFR s. 164.308(a)(1).
• The provider is required to implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
• The provider is required to establish administrative, technical, and physical safeguards in compliance with the HIPAA Security Rule.

Electronic Health Record Signature Requirements

An EHR that utilizes electronic signatures must meet the following requirements:

• The certification and standard criteria defined in the Health Information Technology Initial Set of Standards, Implementation Specifications, Certification Criteria for Electronic Health Record Technology Final Rule (45 CFR Part 170) and any revisions including, but not limited to, the following:
  • Assign a unique name and/or number for identifying, tracking user identity, and establishing controls that permit only authorized users to access electronic health information.
  • Record actions related to electronic health information according to the standard set forth in 45 CFR s. 170.210.
  • Enable a user to generate an audit log for a specific time period. The audit log must also have the ability to sort entries according to any of the elements specified in the standard 45 CFR s. 170.210.
  • Verify that a person or entity seeking access to electronic health information is the one claimed and is authorized to access such information.
  • Record the date, time, patient identification, and user identification when electronic health information is created, modified, accessed, or deleted. An indication of which action(s) occurred and by whom must also be recorded.
  • Use a hashing algorithm with a security strength equal to or greater than SHA-1 as specified by the NIST in FIPS PUB 180-3 (October 2008) to verify that electronic health information has not been altered. (Providers unsure whether or not they meet this guideline should contact their IT and/or security/privacy analyst.)
• Ensure the EHR provides:
  • Nonrepudiation — assurance that the signer cannot deny signing the document in the future
  • User authentication — verification of the signer's identity at the time the signature was generated
  • Integrity of electronically signed documents — retention of data so that each record can be authenticated and attributed to the signer
  • Message integrity — certainty that the document has not been altered since it was signed
  • Capability to convert electronic documents to paper copy — the paper copy must indicate the name of the individual who electronically signed the form as well as the date electronically signed
• Ensure electronically signed records created by the EHR have the same back-up and record retention requirements as paper records.