Good Recent Resources
- Office of The National Coordinator
- Delegated Signing Authority: http://wiki.siframework.org/AoR+SWG+3+-+Digital+Signatures+%26+Delegation+of+Rights
- Identity Proofing (Non-repudiation): http://wiki.siframework.org/AoR+SWG+2+-+Identity+Proofing
- Digital Credentials (Non-repudiation): http://wiki.siframework.org/AoR+SWG+1+-+Digital+Credentials
Research
- 2007 Interoperable Digital Identity Management in the Electronic Exchange of Health Information: http://www.safe-biopharma.org/infocenter/a-interoperable%20digital%20id%20managment%20report.pdf
- 2007 Study Report on Biometrics in E-Authentication: https://standards.incits.org/apps/group_public/download.php/24528/m1070185rev.pdf
o Hawaii has adopted UETA for its state law (this is good)
o Best Source (http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_045546.hcsp?dDocName=bok1_045546)
o Guidance that a customer used for their 2005 eSignature implementation
  § How eSignature should be captured
    · The “electronic impulse” that indicates consent (21 CFR Part 11) needs to be
      o unique to the individual (21 CFR Part 11)
      o under the exclusive control of the individual (21 CFR Part 11)
      o made in view of the entire contract (scroll bars were strongly advised against)
  § How eSignature should be stored
    · “electronic impulse” that indicates consent (21 CFR Part 11)
      Pontification Alert: Many opinions could be discussed on this, but ultimately the opinion of the attorney or corporate counsel potentially defending the repudiation challenge is the one that counts.
    · Reproducible view of what the signer saw when they “eSigned”
      ***A copy of what the signer saw is preferable
    · Name of the Signer
    · Date and time of signature
    · Tamper evident hash
o Considerations
  § Not every “electronic impulse” that indicates consent (21 CFR Part 11) is equally “unique” to an individual, or equally practical.
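An added example (not from the original post or the customer's implementation) of a stored signature record carrying the items listed under "How eSignature should be stored". It assumes a keyed hash (HMAC-SHA256) as the tamper evident hash, so that someone who can edit the record cannot simply recompute it; the field names, key and sample data are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone


def _canonical(fields: dict) -> bytes:
    # Stable byte encoding so the same fields always produce the same hash.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_signature(key: bytes, signer_name: str, consent_impulse: str,
                   view_bytes: bytes, signed_at: datetime) -> dict:
    """Build the stored record: the listed items plus a tamper-evident seal."""
    if signed_at.tzinfo is None:
        raise ValueError("signed_at must be timezone-aware")
    fields = {
        "signer_name": signer_name,
        "consent_impulse": consent_impulse,  # how consent was indicated
        "signed_at": signed_at.astimezone(timezone.utc).isoformat(),
        # Digest of the exact bytes shown to the signer; the copy itself
        # is stored beside the record so the view can be reproduced.
        "view_sha256": hashlib.sha256(view_bytes).hexdigest(),
    }
    seal = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "seal": seal}


def verify_signature(key: bytes, record: dict, view_bytes: bytes) -> list:
    """Return a list of problems; an empty list means the record is intact."""
    problems = []
    fields = {k: v for k, v in record.items() if k != "seal"}
    expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(record.get("seal", ""))):
        problems.append("record fields altered or seal invalid")
    if hashlib.sha256(view_bytes).hexdigest() != record.get("view_sha256"):
        problems.append("stored view differs from what was signed")
    return problems


# Constructed sample data, not from a real system.
KEY = b"constructed-demo-key-keep-real-keys-in-a-KMS"
VIEW = b"<html><body>Consent to treatment ... I agree.</body></html>"
RECORD = seal_signature(KEY, "Pat Example", "typed-name+password-reentry",
                        VIEW, datetime(2013, 5, 1, 14, 30, tzinfo=timezone.utc))
```

The seal covers the name, timestamp, consent indicator and view digest together, so changing any one of them, or swapping the stored copy of the view, is reported by verify_signature.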
Thanks for this post. It is very useful as it defines the main security and technical issues dealing with eSignature: how it should be captured and how it should be stored.