The healthcare industry, like other sectors of the economy, is still processing the recent enactment of the “Millennium Digital Commerce Act,” known to the public as the electronic signature law. Electronic signature usage promises, as technology evolves, to be a facilitating device for health care companies’ business-to-business and business-to-consumer transactions. However, the extent of the legal comfort zone will, in part, await the maturation and dissemination of encryption technology, biometrics and other electronic security technologies.
One application of the Act need not await such maturation — at least from the legal perspective. That application is the law’s effect on healthcare record keeping.
State licensing statutes have frequently cast a pall over electronic medical record development. Hospital and other facility licensure statutes and regulations often require the maintenance of “written” records. Other regulations go further to specify that records be maintained in ink or be typewritten. Still others require specific orders to be signed and sometimes that the signature be in ink.
Along comes the electronic signature law and it clears the air. It provides that:
The legislative history of this provision is relatively sparse. For example, the Senate Report refers only to the statute’s affirmation of the legal effect of contracts formed by electronic interaction.
Also of interest is the scarcity of requirements in the statute concerning security and authentication for such records. The statute requires only that the electronic record accurately reflect the information set forth and that it remain “accessible to all persons who are entitled to access by statute, regulation or rule of law…”
In the health care environment, hospitals’ and other health care facilities’ use of electronic records will be additionally guided by Medicare conditions of participation which, while permitting the use of computerized records and authentication, do require the hospital to have a system for record identification and maintenance which ensures their integrity and protects their security. Joint Commission standards require a system of attestation to singular use of the code for the computer key used to authenticate the record. Some states, like California, require facilities and clinics to have a variety of system safeguards including backup storage systems, imaging technology for reproducing signed documents and a mechanism to prevent the destruction of records.
Providers and payors who are affected neither by the Medicare standards for facility participation nor by a state law baseline policy will experience comparable regulation under HIPAA’s security standards — at least with respect to those records that contain individually identifiable health information (as a practical matter — most records).
Thus, from a business planning and legal risk management perspective, the electronic signature law will be facilitative in those jurisdictions where traditional licensure statutes have not yet been “scrubbed” for the digital world. Multistate companies will still need to comply with a variety of state statutory requirements as to authentication and record integrity. However, those standards generally require only that the provider develop policies and procedures to address natural exposures and should be regarded as consistent with best practices and sound corporate risk management.
Please contact us if you would like additional information regarding e-Health Law issues.
This publication is provided by Epstein Becker & Green, P.C. for general information purposes; it is not and should not be used as a substitute for legal advice.