HIPAA, CFR 11, Sarbanes-Oxley Act. Digital signatures exceed requirements

Strong evidence for data authentication

U.S. regulations on medical records

There is significant legal risk in not being able to prove the integrity of a company's electronic records. Medical testing facilities, law firms, even a CEO signing a financial statement need to move quickly to manage electronic data as evidence. DigiStamp has the accepted, standards-based services to deliver corporate trust and electronic data integrity; the evidence that data has not been altered nor backdated.

The U.S. Government uses regulations to enforce expected behaviors of companies that manage health-related information and procedures. The medical industry is focused on two sets of regulations called HIPAA and FDA CFR-11. The Sarbanes-Oxley Act of 2002 has implied a similar need to prove that electronic records are authentic - not altered nor backdated.

There are many dimensions to HIPAA and CFR 11. Understanding the regulations and how to apply them to your organization is a growing industry concern. DigiStamp's services relate to the area of proving authentic records and go beyond the regulations. In a legal dispute, a third-party witness to the electronic data (medical and corporate records) may be very valuable.

DigiStamp provides some thoughts on the subject of data authentication below that may help you. Additional web resources on this subject are here.

The DigiStamp customers have traditionally used our services for external witnessing of their electronic data - proof of the What and When. More recently, our customers use our service to authenticate the chain of custody for medical testing records. A primary value to the customer is that our software works with the existing electronic documents and business process - making the transition to authentic electronic records easier to manage. Our API toolkit is used to easily automate the process of applying an electronic notary type transaction to the daily collections of all data. Our technology does not enforce the privacy of medical record, but it can help to prove that your business process is being followed and that your internal records are authentic.

Is a third-party time stamp for proving authentic records required in order to fulfill regulatory requirements?

Our service may help in passing regulatory inspection but is usually not required. The technology of digital signatures is far superior to what is described in the basic regulatory requirement.

So generally, an external witness to your electronic data is not required by the regulations. You would need an external time stamp if you perceive some additional legal risk and you need external proof that your data is authentic. The external or third-party time stamp proves that people within your organization did not alter nor backdate electronic data. For example, your system administrators under duress from the CEO cannot tamper with our time stamp or use an employee's password or backdate an altered system log file.

Are digital signatures required for auditing the actions of people who use electronic records?

No, overall, it appears that existing system login procedures may be adequate to fulfill the regulatory requirements. In this approach, there is assumed trust of the company and the company's internal system administrators.

You would consider using digital time stamps and signatures if you perceive these types of risks:

You need to prove the authenticity of the records of your company or to avoid the risk that an external party would claim that there was collusion within the company to alter their records.

Password-based authentication systems are designed so that an employee's password is stored in multiple locations; the system administrators commonly have access to the employee's password. Alternatively, when an employee creates a digital signature, only that employee has the private key. Having the single key in the sole possession of the employee avoids the potential risks of someone with administrator privileges using the employee's password and compromising the audit trail. Digital signatures standards have been designed with strong non-repudiation qualities.

You would consider using digital time stamps and signatures if you perceive these types of values:

	You value a workflow improvement that ties employee actions directly to the electronic document and can flow with the document.
	You need to have standard signature qualifiers, such as counter and multiple signatures, receipt, approval, or originator.
	You want to communicate documents outside your organization with industry standard signatures and independent proof of authenticity.