Comply with U.S. regulations on records using timestamps
There is significant legal risk in not being able to prove the integrity of an organization's electronic records. DigiStamp's API toolkit easily automates the process of creating secure electronic records using timestamps. Not only can you prove what and when, but you can authenticate the chain of custody for medical testing records.
A primary value to the customer is that our software works with the existing electronic documents and business process - making the transition to authentic electronic records easier to manage. Our API toolkit is used to easily automate the process of applying a standards-based, electronic notary transaction to the daily collections of all data. Our technology does not enforce the privacy of medical records, but it can help to prove that your business process is being followed and that your internal records are authentic.
The U.S. Government uses regulations to enforce expected behaviors of companies that manage health-related information and procedures. The medical industry is focused on two sets of regulations called HIPAA and FDA CFR-11. The Sarbanes-Oxley Act of 2002 has implied a similar need to prove that electronic records are authentic - not altered nor backdated. There are many dimensions to HIPAA and CFR 11. Understanding the regulations and how to apply them to your organization is a growing industry concern. DigiStamp's services relate to the area of proving authentic records and go beyond the regulations. In a legal dispute, a third-party witness to the electronic data (medical and corporate records) may be very valuable.
DigiStamp provides some thoughts on data authentication below that may help you. Additional web resources on this subject are here.
Our service may help in passing regulatory inspection but is usually not required. The technology of digital signatures is far superior to what is described in the basic regulatory requirement.
So generally, an external witness to your electronic data is not required by the regulations. You would need an external timestamp if you perceive some additional legal risk and you need external proof that your data is authentic. The external or third-party timestamp proves that people within your organization did not alter nor backdate electronic data. For example, your system administrators under duress from the CEO cannot tamper with our timestamp or use an employee's password or backdate an altered system log file.
Are digital signatures required for auditing the actions of people who use electronic records?
No, overall, it appears that existing system login procedures may be adequate to fulfill the regulatory requirements. In this approach, there is assumed trust of the company and the company's internal system administrators.
You would consider using digital timestamps and signatures if you perceive these types of risks:
- You need to prove the authenticity of the records of your company or to avoid the risk that an external party would claim that there was collusion within the company to alter their records.
- Password-based authentication systems are designed so that an employee's password is stored in multiple locations; the system administrators commonly have access to the employee's password. Alternatively, when an employee creates a digital signature, only that employee has the private key. Having the single key in the sole possession of the employee avoids the potential risks of someone with administrator privileges using the employee's password and compromising the audit trail. Digital signature standards have been designed with strong non-repudiation qualities.
You would consider using digital timestamps and signatures if you perceive these types of values:
- You value a workflow improvement that ties employee actions directly to the electronic document and can flow with the document.
- You need to have standard signature qualifiers, such as counter and multiple signatures, receipt, approval, or originator.
- You want to communicate documents outside your organization with industry-standard signatures and independent proof of authenticity.