NPRM: Security and Electronic Signature Standards. Electronic Signature Standard

08/12/1998

[Please label written comments or e-mailed comments about this section with the subject: ELECTRONIC SIGNATURE STANDARD]


HIPAA directs the Secretary of the Department of Health and Human Services to coordinate with the Secretary of the Department of Commerce in adopting standards for the electronic transmission and authentication of signatures with respect to the transactions referred to in the law. This rule was developed in coordination with the Department of Commerce's National Institute of Standards and Technology. We propose to adopt a cryptographically based digital signature as the standard.

Whenever a HIPAA specified transaction requires the use of an electronic signature, the standard must be used. It should be noted that an electronic signature is not required for any of the currently proposed standard transactions.

In the electronic environment, the same legal weight associated with an original signature on a paper document may be needed for electronic data. Use of an electronic signature refers to the act of attaching a signature by electronic means. The electronic signature process involves authentication of the signer’s identity, a signature process according to system design and software instructions, binding of the signature to the document and non-alterability after the signature has been affixed to the document. The generation of electronic signatures requires the successful identification and authentication of the signer at the time of the signature.

The proposed standard for electronic signature is presented at § 142.310 and would be digital.

The following matrix depicts the requirement and implementation features for electronic signatures. Following the matrix is a discussion of the electronic signature requirement.

ELECTRONIC SIGNATURE

REQUIREMENT: Digital signature (If digital signature is employed, the following three implementation features must be implemented: Message integrity, Non-repudiation, User authentication. Other implementation features are optional.)

IMPLEMENTATION:
  • Ability to add attributes.
  • Continuity of signature capability.
  • Countersignatures.
  • Independent verifiability.
  • Interoperability.
  • Message integrity.
  • Multiple signatures.
  • Non-repudiation.
  • Transportability.
  • User authentication.


Various technologies may fulfill one or more of the requirements specified in the matrix. Authentication systems (passwords, biometrics, physical feature authentication, behavioral actions and token-based authentication) can be combined with cryptographic techniques to form an electronic signature. However, a complete electronic signature system may require more than one of the technologies mentioned above. If electronic signatures would be used, certain implementation features must be included, specifically:

  • Message integrity.
  • Nonrepudiation.
  • User authentication.

Currently there are no technically mature techniques that provide the security service of nonrepudiation in an open network environment, in the absence of trusted third parties, other than digital signature-based techniques. Therefore, if electronic signatures are employed, we would require that digital signature technology be used. A digital signature is formed by applying a mathematical (hash) function to the electronic document. This process yields a unique bit string, referred to as a message digest. The digest (only) is encrypted using the originator's private key and the resulting bit stream is appended to the electronic document. The recipient of the transmitted document decrypts the message digest with the originator's public key, applies the same hash function to the document, then compares the resulting digest with the transmitted version. If they are identical, the recipient is assured that the message is unaltered and the identity of the signer is proven. Since only the signer holds the private key used to digitally sign the document, the critical feature of nonrepudiation is enforced. Other electronic signature implementation features that may be used follow:

  • Ability to add attributes.
  • Continuity of signature capability.
  • Countersignatures capability.
  • Independent verifiability.
  • Interoperability.
  • Multiple signatures.
  • Transportability.
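The hash-then-sign process described above, as an added illustration that is not part of the rule text: textbook RSA applied to a SHA-256 digest, with keys generated at runtime and a constructed claim document. It uses no signature padding, so it shows the mechanics the rule describes (digest, private-key transform, appended signature, public-key recovery and comparison) rather than a deployable signature scheme.

```python
import hashlib
import random

SEPARATOR = b"\n--SIG--\n"  # constructed framing used to append the signature

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probable-prime test, adequate for a demonstration."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:  # set the top bit (size) and the low bit (odd)
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits: int = 512):
    """Textbook RSA keypair: (public=(n, e), private=(n, d)); sized small for speed."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def message_digest(document: bytes) -> int:
    """The 'unique bit string' the rule calls a message digest."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")

def sign(document: bytes, private_key) -> bytes:
    """Transform the digest (only) with the private key and append it to the document."""
    n, d = private_key
    sig = pow(message_digest(document), d, n)
    return document + SEPARATOR + sig.to_bytes((n.bit_length() + 7) // 8, "big")

def verify(signed: bytes, public_key) -> bool:
    """Recover the digest with the public key, rehash the document, and compare."""
    n, e = public_key
    document, sep, sig_bytes = signed.rpartition(SEPARATOR)
    if not sep:
        return False  # no signature attached
    recovered = pow(int.from_bytes(sig_bytes, "big"), e, n)
    return recovered == message_digest(document)

if __name__ == "__main__":
    public, private = generate_keypair()
    claim = b"Claim (constructed)\nPatient: J. Doe\nAmount: 120.00"
    signed = sign(claim, private)
    print("intact document verifies:", verify(signed, public))  # True
    print("altered verifies:", verify(signed.replace(b"120.00", b"920.00", 1), public))  # False
    print("other key verifies:", verify(signed, generate_keypair()[0]))  # False
```

The three checks in the main block correspond to the required features: an unaltered document verifies (message integrity), a changed amount fails, and a signature cannot be validated against any key but the signer's (user authentication and nonrepudiation).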

This standard is described in greater detail in § 142.310 of the regulation text and is depicted in tabular form along with the security standard in a combined matrix located at Addendum 1. We have not included the matrix in the proposed regulation text. We invite your comments concerning the appropriateness and usefulness of including the matrix in the final regulation text. We have also provided a glossary of terms to facilitate a common understanding of the matrix entries. The glossary can be found at Addendum 2. Finally, we have included currently existing standards and guidelines mapped to the proposed electronic signature standard. This mapping is not all inclusive and is located at Addendum 3.

F. Selection Criteria

Each individual implementation team weighted the criteria described in section I.B. above, Process for Developing National Standards, in terms of the standard it was addressing. As we assessed security and electronic signatures, it became apparent that while the security standard set forth in § 142.308 and the electronic signature standard set forth in § 142.310 satisfy all the criteria described above, they most strongly address criteria 1, 3, 7, 9, and 10. These criteria are described below in the specific context of these standards.

1. Improve the efficiency and effectiveness of the health care system.

The security and electronic signature standards would be integrated with the electronic transmission of health care information to improve the overall effectiveness of the health care system. This integration would assure that electronic health care information would not be accessible to any unauthorized person or organization, but would be both accurate and available to those who are authorized to receive it.

3. Be consistent and uniform with the other HIPAA standards and, secondly, with other private and public sector health data standards.

The security and electronic signature standards were developed after a comprehensive review of existing standards and guidelines, with significant input by a wide range of industry experts. As indicated in Addendum 3, the standards map well to existing standards and guidelines.

7. Be technologically independent of computer platforms and transmission protocols.

We have defined the security and electronic signature standards in terms of requirements that would allow businesses in the health care industry to select the technology that best meets their business requirements while still allowing them to comply with the standards.

9. Keep data collection and paperwork burdens on users as low as is feasible.

The security and electronic signature standards would allow individual health care industry businesses to ascertain the level of security information that would be needed. The confidentiality level associated with individual data elements concerning health care information would determine the appropriate security application to be used. The security standard would define the requirements to be met to achieve the privacy and confidentiality goal, but each business entity, driven by its business requirements, would decide what techniques and controls would provide appropriate and adequate electronic data protection. This would allow data collection and the paperwork burden to be as low as is feasible.

10. Incorporate flexibility to adapt more easily to changes in the health care infrastructure and information technology.

A technologically neutral security standard would be more adaptable to changes in infrastructure and information technology.

G. Consultations

In the development of the security and electronic signature standards, we consulted with many organizations, including those the legislation requires (section 1172(c)(3)(B) of the Act):

  1. The NCVHS held two days of public hearings on security issues in August 1997, and made a recommendation to the Secretary of HHS, as required by the legislation. The NCVHS recommendation was for a technologically neutral standard. It identified certain criteria to be established for a health information system to be secure. The proposed security standard complies with the NCVHS security recommendation.
  2. The ANSI Accredited Standards Committee (ASC) X12 subcommittees on communication and control, insurance and government were contacted. Their current standards development effort is focused on messaging rather than on security requirements.
  3. American Society for Testing and Materials (ASTM), Committee E31 on Computerized Systems participated in the security discussions.
  4. Association for Electronic Health Care Transactions (AFEHCT), the clearinghouse organization, provided information on its health care transaction process requirements and emphasized that the security standard must be adaptable to different business needs.
  5. Computer-based Patient Record Institute (CPRI) was consulted because the Work Group on Confidentiality, Privacy and Security is working on the establishment of guidelines, confidentiality agreements, security requirements, and frameworks. CPRI works closely with accredited standards development organizations.
  6. Health Level Seven (HL-7) has been contacted through its participation at the HISB meetings.
  7. NUCC and the NUBC were apprised of the different implementation teams' efforts. NUBC has not addressed security issues at any of the public meetings. NUCC identified a number of issues at its November 18-19 meeting and provided written comments to us.

H. Rules for Security Standards and Electronic Signature Standard

1. Health plans.

a. In § 142.306(a), we would require health plans to accept and apply the security standard to all health care information pertaining to an individual that is electronically maintained or electronically transmitted. Federal agencies and States may place additional requirements on their health plans. In addition, trading partners may mutually agree to implement additional security measures.

b. In § 142.310(a), entities would not be required to use an electronic signature. However, if a plan elects to use an electronic signature in one of the transactions named in the law, it would be required to apply the electronic signature standard described in § 142.310(b) to that transaction. In the future, we anticipate that the standards for other transactions may include requirements for signatures. In particular, the proposed standard for claims attachments, which will be issued in a separate regulations package later, may include signature requirements on some or all of the attachments. If the proposed attachments standard includes such signature requirements, we will address the issue of how to reconcile such requirements with existing State and Federal requirements for written signatures as part of the proposed rule.

2. Health care clearinghouses.

a. We would require in § 142.306(b) that each health care clearinghouse comply with the security standard to ensure all health care information and activities are protected from unauthorized access. If the clearinghouse is part of a larger organization, then security must be imposed to prevent unauthorized access by the larger organization. The security standards apply to all health information pertaining to an individual that is electronically maintained or electronically transmitted.

b. In § 142.310(a), entities would not be required to use an electronic signature. However, if a plan elects to use an electronic signature in one of the transactions named in the law, it would be required to apply the electronic signature standard described in § 142.310(b) to that transaction. In the future, we anticipate that the standards for other transactions may include requirements for signatures. In particular, the proposed standard for claims attachments, which will be issued in a separate regulations package later, may include signature requirements on some or all of the attachments. If the proposed attachments standard includes such signature requirements, we will address the issue of how to reconcile such requirements with existing State and Federal requirements for written signatures as part of the proposed rule.

3. Health care providers.

a. In § 142.306(a), we would require each health care provider to apply the security standard to all health information pertaining to an individual that is electronically maintained or electronically transmitted.

b. In § 142.310(a), entities would not be required to use an electronic signature. However, if a plan elects to use an electronic signature in one of the transactions named in the law, it would be required to apply the electronic signature standard described in § 142.310(b) to that transaction. In the future, we anticipate that the standards for other transactions may include requirements for signatures. In particular, the proposed standard for claims attachments, which will be issued in a separate regulations package later, may include signature requirements on some or all of the attachments. If the proposed attachments standard includes such signature requirements, we will address the issue of how to reconcile such requirements with existing State and Federal requirements for written signatures as part of the proposed rule.

I. Effective Dates

Health plans would be required to comply with the security and electronic signature standards as follows:

  1. Each health plan that is not a small health plan would have to comply with the requirements of §§ 142.306, 142.308, and 142.310 no later than 24 months after publication of the final rule.
  2. Each small health plan would have to comply with the requirements of §§ 142.306, 142.308, and 142.310 no later than 36 months after the date of publication of the final rule.
  3. If the effective date for the electronic transaction standards is later than the effective date for the security standard, implementation of the security standard would not be delayed until the standard transactions are in use. The security standard would still be effective with respect to electronically stored or maintained data. Security of health information would not be solely tied to the standard transactions but would apply to all individual health information electronically stored, maintained, or transmitted.
  4. Under this proposed rule, in some cases, a health plan could choose to convert from paper to standard EDI transactions prior to the effective date of the security standard. We would recommend that the security standard be implemented at that time in order to safeguard the data in those transactions. We invite comments on this issue.

Failure to comply with standards may result in monetary penalties. The Secretary is required by statute to impose penalties of not more than $100 per violation on any person who fails to comply with a standard, except that the total amount imposed on any one person in each calendar year may not exceed $25,000 for violations of one requirement.

We are not proposing any enforcement procedures at this time, but we plan to do so in a future Federal Register document once the industry has some experience with using the standards. These procedures will be in place by the time the standards are implemented by industry. We envision the monitoring and enforcement process as a partnership between the Federal government and the private sector. Some private accreditation bodies have already exhibited interest in certifying compliance with the security requirements as part of their accreditation reviews. Small providers may be able to self-certify through industry-developed checklists. HHS would likely retain the final responsibility for determining violations and imposing the penalties specified by the statute. We welcome comments on this approach.

III. Implementation

If an entity elects to use an electronic signature in a transaction, or if an electronic signature is required by a transaction standard adopted by the Secretary, the entity must apply the electronic signature standard described in § 142.310(b).

How the security standard would be implemented is dependent upon industry trading partner agreements for electronic transmissions. The health care industry would be able to adapt the security matrix to meet its business needs. We propose that the requirements of the security standard be implemented over time. However, we would require implementation to be complete by the applicable effective date. We would encourage, but not require, that entities comply with the security standard as soon as practicable, preferably before implementing the transactions standards.

The security standard would supersede contrary provisions of State law including State law requiring medical or health plan records to be maintained or transmitted in other electronic formats. There are certain exceptions when the standards would not supersede contrary provisions of State law; section 1178 identifies those conditions and directs the Secretary to determine whether a particular State provision falls within one or more of the exceptions.

The electronic signature standard (digital signature) would be deemed to satisfy Federal and State statutory requirements for written signatures with respect to the named transactions referred to in the legislation.

Several accreditation organizations, such as the Electronic Healthcare Network Accreditation Commission (EHNAC), the Joint Commission on Accreditation of Healthcare Organizations (JCAHO), and the National Committee for Quality Assurance (NCQA), indicate that one of their accreditation requirements will be compliance with the HIPAA security and electronic signature (if applicable) standards.

IV. New and Revised Standards

To encourage innovation and promote development, we plan to establish a process to allow an organization to request a revision or replacement to any adopted standard or standards. An organization could request a revision or replacement to an adopted standard by requesting a waiver from the Secretary of Health and Human Services to test a revised or new standard. The organization would be required, at a minimum, to demonstrate that the revised or new standard offers a clear improvement over the adopted standard. If the organization presents sufficient documentation that supports testing of a revised or new standard, we want to be able to grant the organization a temporary waiver to test while remaining in compliance with the law. We do not intend to establish a process that would allow an organization to avoid using any adopted standard.

We would welcome comments on the following: (1) How we should establish this process, (2) the length of time a proposed standard should be tested before we decide whether to adopt it, (3) whether we should solicit public comments before implementing a change in a standard, and (4) other issues and recommendations we should consider. Comments should be submitted to the addresses presented in the ADDRESSES section of this document.

The following is one possible process:

  • Any organization that wishes to revise or replace an adopted standard would submit its waiver request to an HHS evaluation committee (to be established or defined). The organization would do the following for each standard it wishes to revise or replace:
    • Provide a detailed explanation, no more than 10 pages, of how the revision or replacement would be a clear improvement over the current standard.
    • Provide specifications and technical capabilities on the revised or new standard, including any additional system requirements.
    • Provide an explanation, no more than five pages, of how the organization intends to test the standard.
  • The committee’s evaluation would, at a minimum, be based on the following:
    • A cost-benefit analysis.
    • An assessment of whether the proposed revision or replacement demonstrates a clear improvement to an existing standard.
    • The extent and length of time of the waiver.
  • The evaluation committee would inform the organization requesting the waiver within 30 working days of the committee’s decision on the waiver request. If the committee decides to grant a waiver, the notification may include the following:
    • Committee comments such as the following:
      • The length of time for which the waiver applies if it differs from the waiver request.
      • The sites the committee believes are appropriate for testing if they differ from the waiver request.
      • Any pertinent information regarding the conditions of an approved waiver.
  • Any organization that receives a waiver would be required to submit a report containing the results of the study, no later than 3 months after the study is completed.
  • The committee would evaluate the report and determine whether the benefits of the proposed revision or new standard significantly outweigh the disadvantages of implementing it and make a recommendation to the Secretary.

V. Response to Comments

Because of the large number of items of correspondence we normally receive on Federal Register documents published for comment, we are not able to acknowledge or respond to them individually. We will consider all comments we receive by the date and time specified in the "DATES" section of this preamble, and, if we proceed with a subsequent document, we will respond to the major comments in the preamble of that document.