Medical Records and E-Health
The E-Signature Law will Facilitate E-Health Transactions, but will not Substitute Strong Risk Management Techniques
September 14, 2000
http://www.ebglaw.com/article_578.html
Richard H. Vincent and R. Michael Barry
The health care industry, like other sectors of the economy, is till processing the recent enactment of the "Millennium Digital Commence Act" known to the public as the electronic signature law. The Act creates an opportunity for the progression of e-commerce and e-health by encouraging seemless electronic interaction between parties from initial negotiation or interaction through closing or discharge.
Electronic signatures will be a facilitating device for health care companies’ business-to-business and business to consumer transactions. However, the extent of the legal comfort zone will, to some extent, await the maturation and dissemination of encryption technology, biometrics and other electronic security technologies, as the key element to the development of electronic transactions continues to be the trust between the parties.
The electronic signature law provides that:
If a statute, regulation or other rule of law requires that a contract or other record relating to a transaction in or affecting interstate or foreign commerce be retained, that requirement is met by retaining an electronic record of the information in the contract or other record...
Of particular interest is the scarcity of a requirement in the statute concerning security and authentication requirements for such records. The statute requires only that the electronic record accurately reflect the information set forth and that it remain "accessible to all persons who are entitled to access by statute, regulation or rule of law..." Questions of accessibility, maintenance and reproduction of electronic records are likely to be less taxing than questions of which party will assume the risks associated with verification and authentication of electronic signatures. As technology continues to develop and as the health care industry further embraces the opportunities of e-health, the issue will increasingly become whether or not the software provider, ASP or other business partners, rather than your organization, will assume such risks.
Health care entities’ use of electronic records will be additionally guided by Medicare conditions of participation which, while permitting the use of computerized records and authentication, do require the hospital to have a system for record identification and maintenance which ensures their integrity and protects their security. In addition state mandated safeguards and guidance will vary.
Thus, from a business planning and legal risk management perspective, the electronic signature law will be facilitative in those jurisdictions where traditional licensure statutes have not yet been "scrubbed" for the digital world. Multistate companies will still need to comply with a variety of state statutory requirements as to authentication and record integrity. However, those standards generally require only that the provider develop policies and procedures to address natural exposures and should be regarded as consistent with best practices and sound corporate risk management. Moving at "internet speed" should be a favorable product of your e-health transactions not a replacement of your organization’s best corporate practices.
Richard H. Vincent and R. Michael Barry are managing partner and associate, respectively, at the Atlanta office of Epstein Becker & Green, P.C. The office reflects EBG's national focus on business transactions, regulatory advice and corporate litigation with particular emphasis on health care and employment law. Please feel free to contact Richard H. Vincent or R. Michael Barry at 404/812-5680 in the firm's Atlanta office if you would like additional information regarding e-Health Law issues, or have any questions or comments. Mr. Vincent's e-mail adress is
The Emancipation of the Electronic Medical Record The Overlooked Feature of the E-Signature Law
By: Mark Lutes, Esq.
Washington, D.C. Office, ugust 7, 2000
The healthcare industry, like other sectors of the economy, is still processing the recent enactment of the "Millennium Digital Commerce Act" known to the public as the electronic signature law. Electronic signature
usage promises, as technology evolves, to be a facilitating device for health
care companies’ business-to-business and business to consumer transactions.
However, the extent of the legal comfort zone will, to some extent, await the
maturation and dissemination of encryption technology, biometrics and other
electronic security technologies.
One application of the Act need not await such maturation at
least from the legal perspective. That application is the law’s effect on healthcare
record keeping.
State licensing statutes have frequently cast a pall over electronic
medical record development. Hospital and other facility licensure statutes and
regulations often require the maintenance of "written" records. Other
regulations go further to specify that records be maintained in ink or be typewritten.
Still others require specific orders to be signed and sometimes that the signature
be in ink.
Along comes the electronic signature law and its clears the air.
It provides that:
If a statute, regulation or other rule of law requires that a contract or other record relating to a transaction in or affecting interstate or foreign commerce be retained, that requirement is met by retaining an electronic record of the information in the contract or other record …
The legislative history of this provision is relatively sparse. For example, the Senate Report refers only to the statute’s affirmation of the legal effect of contracts formed by electronic interaction.
Also of interest is the scarcity of a requirement in the statute concerning security and authentication requirements for such records. The statute requires only that the electronic record accurately reflect the information set forth and that it remain "accessible to all persons who are entitled to access by statute, regulation or rule of law…"
In the health care environment, hospitals and other health care facilities use of electronic records will be additionally guided by Medicare conditions of participation which, while permitting the use of computerized records and authentication, do require the hospital to have a system for record identification and maintenance which ensures their integrity and protects their security. Joint Commission standards require a system of attestation to singular use of the code for the computer key used to authenticate the record. Some states, like California, require facilities and clinics to have a variety of system safeguards including backup storage systems, imaging technology for reproducing signed documents and a mechanism to prevent the destruction of records.
Providers and payors who are neither effected by the Medicare
standards for facility participation nor by a state law baseline policy will experience comparable regulation under HIPAA’s security standards at least with respect to those records that contain individually identifiable health information (as a practical matter most records).
Thus, from a business planning and legal risk management perspective, the electronic signature law will be facilitative in those jurisdictions where traditional licensure statutes have not yet been "scrubbed" for the digital world. Multistate companies will still need to comply with a variety of state statutory requirements as to authentication and record integrity. However, those standards generally require only that the provider develop policies and procedures to address natural exposures and should be regarded as consistent with best practices and sound corporate risk management.
