National Information Management Conference and Exposition Thursday, April 23, 2009

Transcription

1 National Information Management Conference and Exposition Thursday, April 23, 2009 Update on Policy Developments for Electronic Signature Recognition for Chart Audits Denise Blair - Chief Information Officer, DMH Carol Sakai, LCSW - Chief, Medi-Cal Oversight, South, DMH Electronic Signatures and Electronically Signed Records Definitions of an Electronic Signature and Electronically Signed Records Standards for an Electronic Signature and e-signed records Information Security Considerations Obtaining consumer signatures Health Insurance Portability and Accountability Act (HIPAA) compliance DMH Audit Requirements 1

2 Electronic Signature - Definition Federal Law defines an electronic signature as: An electronic sound, symbol, or process, attached to or logically associated with a record and executed or adopted by a person with an intent to sign the record California Law defines a digital signature as: an electronic identifier, created by computer, intended by the party using it to have the same force and effect as the use of a manual signature. 15 USC 7006 California Government Code Section 16.5 (d) Electronically Signed Record An electronically signed record is a financial, program, or medical record that: (1) is required to be signed under California or Federal laws and regulations, or organizational policy or procedure and (2) May be requested during an audit by a DMH auditor or a DMH audit contractor. 2

3 Standards for Electronic Signatures in Electronically Signed Records DMH approves the use of electronic signatures in electronically signed records as equivalent to a manual signature affixed by hand. The electronic signature should meet the following requirements: 1) Electronic Signature Mechanism must be: Unique to the individual and under signer s sole control Capable of being verified and Can detect if data has been changed after signature was applied 2) Computer systems must comply with: Certification Commission for Healthcare Information Technology (CCHIT) certification criteria or equivalent: Security: Access control, Security: Audit and Security: Authentication Standards for Electronic Signatures in Electronically Signed Records 3) Counties must maintain: An Electronic Signature Agreement for the terms of use of an electronic signature signed by both the individual requesting e-sign authorization AND the county Mental Health director or designee. 4) County Mental Health Directors must complete: An Electronic Signature Certification form (this certifies that the electronic systems used by the county s mental health operations, including contract providers, meet the criteria standards.) 3

4 Standards for Electronic Signatures in Electronically Signed Records 5) The Signed Electronic Signature Certification and signed Electronic Signature Agreements from county employees and contract providers are made available to the DMH auditor at the time of an audit. California Government Code 16.5 (a) California Government Code 16.5 (d) California Code of Regulations Information Security Considerations DMH Standards do not require encryption. Counties are still responsible for taking appropriate security measures to safeguard the contents of Electronic Records and complying with: W&IC 5328 Confidentiality of Medical Information Act California Government Code 6254 All applicable state and federal laws and regulations. 4

5 Role of the MHP Under these standards, Mental Health Plans (MHPs) may set additional restrictions or requirements beyond what is presented in the DMH Letter 08-10, provided those restrictions or requirements meet the minimum requirements stated above and are consistent with applicable state and federal laws and regulations. MHPs are responsible for identifying laws and regulations that may apply to restrictions or requirements they set. MHPs may use any of the following for obtaining Consumer Signatures Scanning paper consent documents, treatment plans or other medical record documents containing consumer signatures To document participation in and acceptance of the treatment plan. Capturing signature images from a signature pad Recording biometric information (i.e., fingerprint scanning) Entering authenication information known only to the consumer or authorized representative, for example, passwords or Personal Identification Numbers (PIN) If a consumer signature is not available, an electronically signed explanation must be provided by the county mental health director or designee. 5

6 Health Insurance Portability and Accountability Act (HIPAA) Compliance In addition to complying with the current standards of DMH Letter No.:08-10, MHPs and their contract providers that manage consumer mental health information should be in full compliance with all applicable HIPAA security standards. Future HIPAA electronic signature regulations will require MHP s to be in full compliance with timelines and other requirements established by the federal government. DMH Audit Requirements for Electronically Signed Records Physical access to electronic health record systems Adequate computer access to the electronic health records needed for the audit review System or network access to the electronic records such as user IDs and passwords Access to printers and capability to print necessary documents Technical assistance as required Scanned documents, if needed, that are readable and complete 6

7 Example Forms Enclosures from DMH Letter Electronic Signature Agreement County Mental Health Directors Electronic Signature Certification 7