Legal Matters

John R. Clark, JD, MBA, NREMT-P, FP-C, CCP-C, CFC, CMTE

Making Your Mark

What is a signature? The United States Code defines a signature as “A mark when the person making the same intended it as such.”[1] You almost have to laugh at the obviousness of that statement, but the term signature is generally understood to mean the signing of a written document with one's own hand. Putting pen to paper was the only means to accept a contract for centuries until technology got in the way. The first legal validation of electronic signatures came from the New Hampshire Supreme Court in 1869. The issue was that people were using Morse code and the telegraph to electronically accept contracts. The court opined the following:

It makes no difference whether [the telegraph] operator writes the offer or the acceptance in the presence of his principal and by his express direction, with a steel pen an inch long attached to an ordinary penholder, or whether his pen be a copper wire a thousand miles long. In either case the thought is communicated to the paper by the use of the finger resting upon the pen; nor does it make any difference that in one case common record ink is used, while in the other case a more subtle fluid, known as electricity, performs the same office.[2]

The technology march continued from the fax machine in the last part of the 20th century to our current application of electronic signatures in nearly every transaction we do today. Over the past decade, electronic signatures have become increasingly accepted under the laws of most jurisdictions.[3] When the United States Congress enacted ESIGN[4] in 2000, it was the first major legislation ensuring the validity of transactions and contracts entered into through electronic signatures, and it stipulates that no contract or agreement can be denied or unenforced simply for having an electronic signature.
All of us use some form of electronic signature ranging from using new software to a credit card transaction, e-mail, and closing out the patient chart; everyone deals with some form of electronic signature every day. But does what we are doing constitute an electronic signature? If you send an e-mail from your account and type your name at the end, is that an electronic signature? If you sign your name with a Sharpie and scan it as a JPEG and attach it to your e-mail signature block, you have a digitized signature of an image of a pen-to-paper signature, but is that an electronic signature? When you click the “I Accept” button when you upgrade an app, is that an electronic signature? What about the process of inserting a key store device into your computer to allow a digital signature program to insert a signature into a document automatically and then encrypt the entire document? Electronic signatures are legally valid in all 50 states (with only a handful of exceptions in which states have specifically required a physical signature for wills, trusts, and similar documents) and in most of the world, including all of the European Union (EU).

What Is an Electronic Signature?

An electronic signature is any electronic means that indicates either that a person adopts the contents of an electronic message or that the person who claims to have written a message is the one who wrote it. Electronic signatures have varying degrees of technology behind them, so they result in a variety of forms. Common means of an electronic signature include username/password combinations, PIN numbers, radio buttons or “I accept” statements with check boxes, signature by digital pen pad device or signature capture on a tablet or other device, and the whole range of digital signatures including keycards and biometric devices using multiple layers of encryption. When an electronic signature is required, the level of security necessitates the threshold of the legal predications. Is an electronic signature adequate, or is a more secure digital signature required? It is important to point out that all digital signatures are electronic signatures, but not all electronic signatures are digital signatures.

Compared with the less secure electronic signatures mentioned previously, a digital signature is a type of electronic signature that is created with asymmetric codes (also known as asymmetric cryptography or public key system). The digital signature ensures the recipient of the document that the message was created by the signatory and has not been altered. The authenticity is secured by public and private keys. The private key, which is known only to the signatory, is used to create the digital signature and change the message into encrypted form. The public key is used by a receiving party to verify the digital signature and decrypt the message. An important feature of a digital signature is that the process of gathering electronic signatures from multiple parties can be tracked to ensure compliance by creating a detailed audit trail that logs all events and actions involved with the transaction.
As we become more and more “digital” and work flows migrate to electronic processes, the upside is better data collection, decreased errors, time savings, diminished costs, and reduced paper-related expenses such as printing and physical archiving. However, the legal requirement for signature capacity still exists. One means of doing this is by using a handwritten signature for authorization purposes. You may be familiar with this for your electronic medical record’s user agreement where a pen-to-paper signature was obtained when you signed the user agreement that confirmed several other identification features that would be used by the charting system to confirm your identity like username, social security number, and/or date of birth. If there is not a compliance purpose for obtaining and maintaining a handwritten signature, any one of the plethora of electronic signature formats may meet the need to be compliant with specific laws and regulations. When paper documents are altered, it is often easier to see. When electronic documents are left unprotected, they can be easily altered with no obvious changes. The laws and regulations that have been enacted are aimed at reducing fraud by ensuring document integrity.

Another form of electronic signature to discuss is the digitized signature. Mentioned earlier as a scanned image file attached to your signature block of an e-mail, the other common subcategory of a digitized image of a handwritten signature is when a signature is obtained using a signature capture device (like the one at the MegaMart checkout). Many charting systems use signature capture for Health Insurance Portability and Accountability Act (HIPAA) acknowledgement, consent for care and transport, and financial responsibility. The weakness with digitized signatures is that there is no way to verify document integrity after signature and, in some cases, could increase the possibility of forgery.

The highest level of security is the use of digital signatures. These are a very specific subcategory of electronic signatures that are based on an industry standard called public key infrastructure that guarantees signer identity, intent, and data integrity of signed documents. Digital signatures cannot be copied, tampered, or altered.
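The contrast drawn above between a digitized signature and a digital signature, as an added example that is not part of the original article: the private key signs a hash of the document and the public key verifies it, so an altered chart is rejected, while a signature image still "matches" whatever it is attached to. It assumes textbook RSA without padding and a fixed, constructed key pair purely for illustration; production systems use padded schemes and certificate-backed keys.

```python
import hashlib

# Constructed toy key pair (assumption for this example): two Mersenne primes
# stand in for randomly generated primes. Never use fixed primes in practice.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                          # public modulus
E = 65537                          # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the signer


def digest(document: bytes) -> int:
    """SHA-256 of the document as an integer (always smaller than N)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes) -> int:
    """Signer side: bind the private key to this exact document content."""
    return pow(digest(document), D, N)


def verify(document: bytes, signature: int) -> bool:
    """Recipient side: only the public values (N, E) are needed."""
    return pow(signature, E, N) == digest(document)


def digitized_check(document: bytes, signature_image: bytes, on_file: bytes) -> bool:
    """Scanned or pad-captured signature: the image is compared with the one
    on file, but the result never depends on the document it is attached to."""
    return signature_image == on_file


def demo() -> dict:
    # Constructed sample record and a silently altered copy of it.
    chart = b"Patient consents to transport. Destination: County General."
    altered = chart.replace(b"County General", b"Out-of-network ER")
    image = b"<constructed bytes standing in for a signature JPEG>"
    sig = sign(chart)
    return {
        "digital_original": verify(chart, sig),
        "digital_altered": verify(altered, sig),
        "digitized_original": digitized_check(chart, image, image),
        "digitized_altered": digitized_check(altered, image, image),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'REJECTED'}")
```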

Legislation and Regulation for Electronic and Digital Signatures

Many pieces of legislation in both the United States and Europe have served to promote the nearly universal legal acceptance of electronic signatures. The following provides an overview of some of the legislative efforts related to electronic signatures.

ESIGN

ESIGN[4] provides the framework for the individual states to create laws governing electronic signatures by defining what an electronic signature is and establishing that a signature may not be denied legal effect, validity, or enforceability solely because it is in electronic form. This codified federal acknowledgement of the legal legitimacy of electronic and digital signatures.

Uniform Electronic Transactions Act

The Uniform Electronic Transactions Act (UETA) addresses the retention of paper records and the validity of electronic signatures. UETA is closely related to ESIGN with a mutual goal of enhancing the ability of people to conduct electronic business by validating electronic signatures and electronic records. UETA is essentially the state version to ESIGN’s federal law and provides legal recognition to electronic signatures, records, and contracts. UETA’s definition of electronic signatures and their legal legitimacy have been adopted in 47 states, the District of Columbia, Puerto Rico, and the US Virgin Islands. (IL, NY, and WA have not enacted UETA.[5])

EU Directive on a Community Framework for Electronic Signatures

Similar to both ESIGN and UETA, the EU directive established guidelines for EU member states to adopt or modify how they acknowledge the validity of electronic signatures. The directive mandates that digital signatures relying on a qualified certificate and created by a secure signature-creation device are regarded as legally equivalent to handwritten signatures. The directive further specifies that the digital signature is uniquely linked to the signatory, is capable of identifying the signatory, its creation is maintained under the sole control of the signatory, and that any changes to the data can be detected.[6]

The Sarbanes-Oxley Act

The Sarbanes-Oxley Act was created to establish accountability with corporate accounting practices. Although the law does not call explicitly for the use of digital signature technology, it relies on a set of information technology best practices referred to as The Control Objectives for Information and Related Technology, which specifically call for document change control. The Control Objectives for Information and Related Technology framework mandates that the system used to monitor changes to application systems should be automated to support the recording and tracking of changes made to large, complex information systems. Because a document that is digitally signed cannot be altered without clearly invalidating the signature, digital signatures provide a change control capacity and ability to verify integrity that fully satisfies Sarbanes-Oxley Act regulations.[7]

HIPAA

HIPAA provides guidance on how to ensure document confidentiality, integrity, and compliance of all communications containing protected health information transmitted electronically over open networks. However, currently, no standards exist under HIPAA for electronic signatures. In the absence of specific standards, covered entities must ensure any electronic signature used will result in a legally binding contract under applicable state or other law.[8]

Food and Drug Administration Electronic Signature Requirement

This regulation addresses electronic signatures as a form of control for software and systems involved in business operations and product development in the pharmaceutical, medical, biotech, biologics, and other Food and Drug Administration–regulated industries. The regulation requires controls that guarantee authenticity, integrity, and confidentiality of electronic records.[9]

September-October 2014


Federal Aviation Administration Advisory Circular 120-78

Issued by the Federal Aviation Administration on October 29, 2002, to provide guidance on the acceptance and use of electronic signatures, the advisory aims at satisfying certain operational and maintenance requirements. This circular stipulated that one of the requirements of any electronic signature used during maintenance documentation is that it must provide nonrepudiation, meaning that it should prevent a signatory from denying that he or she attached the signature to a specific record or document.[10]

Summary

There may be many reasons that an organization decides to implement an electronic signature requirement. It may be as simple as the need to maintain regulatory compliance or as a best practice to ensure work flow accountability and document integrity, but regardless of the intention, the old-fashioned pen-on-paper signature is disappearing from the business landscape. So, even if you live in a little place like Grundy County, MO, the practical reality is that electronic signatures in all their forms are here to stay. Organizations should find an electronic signature solution that identifies the signer, detects changes in the document, provides a unique signature, provides sole control of the signature, and allows portability. There is quite a difference between the capacity an electronic signature provides and the capacity that a digital signature has to offer. When in doubt, adopt a strategy that is more robust so that even when only an electronic signature is needed, a digital signature exceeds the requirements. When document integrity, nonrepudiation, uniqueness, or sole control is required, the only option that satisfies the requirement is a digital signature.

References

1. 1 USC 1, U.S. Code, Title 1, Chapter 1 § 1.
2. Howley v. Whipple, 48 N.H. 487.
3. The Law of Electronic Commerce § 1.04[E] (4th ed. 2009).
4. 15 USC 96, 15 U.S. Code Chapter 96-Electronic Signatures in Global and National Commerce. http://www.gpo.gov/fdsys/pkg/BILLS106s761enr/pdf/BILLS06s761enr.pdf. Accessed May 22, 2014.
5. National Conference of State Legislators Uniform Electronics Transactions webpage. http://www.ncsl.org/research/telecommunicationsand-information-technology/uniform-electronic-transactions-acts.aspx. Accessed May 22, 2014.
6. Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures, Official Journal L 013, 19/01/2000 P. 0012 – 0020. http://eur-lex.europa.eu/legalconent/EN/ALL/;jsessionid=RM1qTPRfLBWP6Y4f48rSRYdSllK4hpXvxRm0GfGg73BrdDzT9MgD!-1040576058?uri=CELEX:31999L0093. Accessed May 22, 2014.
7. Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Protiviti Independent Risk Consulting. http://www.protiviti.com/enUS/Documents/ResourceGuides/ProtivitiSOA_ITRiskControls.pdf. Accessed May 23, 2014.
8. US Department of Health & Human Services, Office of Civil Rights, Health Information Privacy FAQ page. http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/247.html. Accessed May 23, 2014.
9. 21 CFR 11, FDA Administration Part 11 Electronic Records; Electronic Signatures. http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart=11&showFR=1&subpartNode=21:1.0.1.1.8.3. Accessed May 23, 2014.
10. AC 120-78 Acceptance and Use of Electronic Signatures, Electronic Recordkeeping Systems, and Electronic Manuals. http://www.faa.gov/regulations_policies/advisory_circulars/index.cfm/go/document.information/documentID/23224. Accessed May 23, 2014.

John R. Clark, JD, MBA, NREMT-P, FP-C, CCP-C, CFC, CMTE, is a member of the board of directors for the Board for Critical Care Transport Paramedic Certification (BCCTPC) and legal advisor and member of the board of directors for the International Association of Flight and Critical Care Paramedics (IAFCCP).

Editor’s Note: While the information in this article deals with legal issues, it does not constitute legal advice. If you have specific questions related to this topic, you are encouraged to consult an attorney who can investigate the particular circumstances of your individual situation. If you have an issue you would like to see addressed in a future issue of AMJ, please contact the author at [email protected] to suggest a topic.

1067-9991X/$36.00
Copyright 2014 by Air Medical Journal Associates
http://dx.doi.org/10.1016/j.amj.2014.06.007


Air Medical Journal 33:5
