So why does the digital nature of e-signature technology still remain an obstacle to many healthcare organizations? It comes down to mitigating risk and to making sure that personal health information and other sensitive materials are kept safe and secure.
In cyberspace, there are no personal relationships. Digital code doesn’t discern whether a person trying to access an online medical document is a patient of 20 years or a stranger with ulterior motives.
Thus, the process of proving that people are who they say they are online – called identity authentication – must not be undervalued. And there are many different types of authentication to consider when using e-signatures.
Email verification is identity authentication in its simplest form. With this method, a person must access his or her email and click a link to access the digital documents. The assumption is that since the person successfully gained entry into the correct email account, he or she is the person for whom the documents are intended.
Of the methods described here, email verification offers the lowest level of security for identity authentication. So when sensitive information exists in the document, email verification may be a first step for authentication, but it’s usually not the only step; it works best in combination with other methods.
Short message service (SMS), or text message, authentication validates a signer by requiring the person to submit a one-time PIN code he or she received via a text message. The codes are unique and random for each user with each access attempt.
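The SMS step above rests on three properties the text names only in passing: each code is random and unique per attempt, it can be used once, and (as the KBA section notes further on) the number of guesses is capped. The following is an added example, not code from the article or from any e-signature vendor, of a minimal one-time PIN issuer and verifier with those properties. The code length, the five-minute validity window and the three-attempt cap are assumed values chosen for illustration; the class and method names are hypothetical.

```python
import hmac
import secrets
import time

# Assumed parameters (not from the article): 6-digit codes, valid for 5 minutes,
# at most 3 guesses per code, and each code is consumed on first correct use.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


class OneTimeCodeStore:
    """Tracks the outstanding one-time code for each signing session (hypothetical helper)."""

    def __init__(self, clock=time.time):
        # The clock is injectable so expiry behaviour can be exercised deterministically.
        self._clock = clock
        self._pending = {}  # session_id -> {"code", "expires_at", "attempts"}

    def issue(self, session_id):
        # secrets.randbelow draws from the OS CSPRNG; zero-pad so every code has full length.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[session_id] = {
            "code": code,
            "expires_at": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        # A real deployment hands this to the SMS gateway; it is returned here only
        # so the example can be exercised offline.
        return code

    def verify(self, session_id, submitted):
        """Return one of: ok, wrong, locked, expired, no_pending_code."""
        entry = self._pending.get(session_id)
        if entry is None:
            return "no_pending_code"
        if self._clock() > entry["expires_at"]:
            del self._pending[session_id]
            return "expired"
        entry["attempts"] += 1
        # Constant-time comparison on bytes: no timing leak on how many leading digits match,
        # and no TypeError on non-ASCII input.
        if hmac.compare_digest(entry["code"].encode(), str(submitted).strip().encode()):
            del self._pending[session_id]  # single use: the code cannot be replayed
            return "ok"
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[session_id]  # guess cap reached: a fresh code must be issued
            return "locked"
        return "wrong"


def demo():
    """Constructed walk-through: one successful verification and one lockout."""
    store = OneTimeCodeStore()
    code = store.issue("session-A")
    first = store.verify("session-A", code)
    replay = store.verify("session-A", code)
    store.issue("session-B")
    bad = "000000" if store._pending["session-B"]["code"] != "000000" else "000001"
    outcomes = [store.verify("session-B", bad) for _ in range(MAX_ATTEMPTS)]
    return first, replay, outcomes


if __name__ == "__main__":
    print(demo())
```

The expiry, the single-use deletion and the attempt cap all live in `verify`, so a code that leaks after use, or one that is brute-forced, is rejected by the same path; the store holds the code itself, which is acceptable for a five-minute secret but would be replaced by a salted hash if codes were ever persisted.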
Shared secret questions
For additional security strength, the sender can require signers to answer personal questions once they access the portal link via email. These questions are based on information known by both the signer and the sender, such as an account or identification number, or supplied by the signer to the sender, such as a mother’s maiden name. The shared questions are not widely known outside of the signer and the sender.
Know your customer
The contents of some documents mandate more security. With know your customer (KYC) authentication, signers are prompted to supply their Social Security number (SSN) and date of birth (DOB). If the SSN is valid and matches with the DOB, the user is verified. This can also be used in conjunction with shared secret questions to add extra protection.
Knowledge-based authentication (KBA) goes one step further. Like KYC, KBA requires the correct SSN and DOB before granting access to documents. But once that information matches, signers must answer four multiple choice questions. Unlike shared questions, which can be any question known by both the sender and the signer, KBA requires signers to answer questions based on information found within 30 years of public data records.
Signers may be asked specifics about property and vehicle ownership, telephone and address history, pet vaccinations or other information. All of the questions would be extremely difficult for someone other than the signer to know, as the information would be difficult to quickly source online or in someone’s wallet. Typically, there’s also a limit to the number of times that a person can attempt to answer the questions, further enforcing a higher level of security.
Authentication in light of regulatory compliance
While HIPAA doesn’t outline specific rules for electronic signatures, the law does require covered entities to verify that a person seeking access to PHI has the authorization to do so. The spirit of the law points to the need for more than one method of verifying identity – or multi-factor authentication.
Multi-factor authentication occurs when at least two identity authentication methods are used in combination. So, for example, a patient signing a procedural waiver online may first log in via email, click a link to access the e-signing portal and then answer KBA questions. Only when those challenges have been passed can he or she sign the waiver.
This multi-factor approach is necessary for other areas of healthcare industry compliance. For instance, the DEA requires at least two-factor authentication before a physician can sign a prescription for controlled substances. And it’s becoming more common among other healthcare providers. According to a brief from the Office of the National Coordinator for Health Information Technology, adoption of two-factor authentication among non-federal acute care hospitals has increased by 53% since 2010.
With high-stakes transactions and documents that contain personal information, healthcare providers would be wise to consider KBA and SMS authentication. For basic agreements that don’t hold any personal, medical or financial information, it may be more appropriate to simply use email authentication and keep e-signing processes as simple as possible.
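The two paragraphs above (the multi-factor definition and the guidance on matching the method to the document) describe a policy: which challenges a document class requires, and a check that the signer has cleared all of them before signing is enabled. The following is an added example, not code from the article or from any e-signature product, of that policy check. The method names, the grouping of methods into factor types, and the two document classes are assumptions made for illustration; the article itself does not define them.

```python
from dataclasses import dataclass, field

# Hypothetical method names for the mechanisms the article describes, grouped by the
# kind of evidence each provides. Two challenges of the same kind (e.g. KYC and KBA,
# both knowledge of facts about the signer) should not by themselves count as
# multi-factor, which is why the type is tracked separately from the method.
FACTOR_TYPE = {
    "email_link": "possession",    # control of the mailbox the link was sent to
    "sms_otp": "possession",       # control of the phone that received the PIN
    "shared_secret": "knowledge",
    "kyc": "knowledge",
    "kba": "knowledge",
}

# Constructed policy following the article's guidance: basic agreements with no
# personal, medical or financial content need only email; high-stakes documents
# need KBA and SMS on top of the email link.
REQUIRED_METHODS = {
    "basic": {"email_link"},
    "sensitive": {"email_link", "sms_otp", "kba"},
}


def count_factor_types(methods):
    """Number of distinct factor types among a set of passed methods."""
    return len({FACTOR_TYPE[m] for m in methods})


@dataclass
class SigningSession:
    """Hypothetical per-document session recording which challenges the signer has passed."""
    document_class: str
    passed: set = field(default_factory=set)

    def record(self, method, success):
        if method not in FACTOR_TYPE:
            raise ValueError(f"unknown authentication method: {method}")
        if success:
            self.passed.add(method)


def signing_allowed(session):
    """Return (allowed, reason). Signing is enabled only when every required
    challenge has been passed and, where more than one is required, the passed
    challenges span at least two distinct factor types."""
    required = REQUIRED_METHODS[session.document_class]
    missing = required - session.passed
    if missing:
        return False, f"outstanding challenges: {sorted(missing)}"
    if len(required) > 1 and count_factor_types(session.passed) < 2:
        return False, "passed challenges are all of one factor type"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through of the article's waiver example: email link, then KBA,
    # then SMS for a document classed as sensitive.
    s = SigningSession("sensitive")
    for method in ("email_link", "kba", "sms_otp"):
        s.record(method, success=True)
        print(method, "->", signing_allowed(s))
```

Keeping the policy as data (`REQUIRED_METHODS`) rather than as branches in the signing code means the decision for each document class is reviewable in one place, and `count_factor_types` makes explicit that a second challenge only strengthens the check when it draws on different evidence than the first.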
The key is to always consider the right strategy for the transaction at hand – remembering that in the healthcare industry, allowing the wrong eyes on data could result in multi-million dollar fines.