§ 142.310 Electronic signature standard.

(a) General rule.

If an entity elects to use an electronic signature in a transaction as defined in § 142.103, or if an electronic signature is required by a transaction standard adopted by the Secretary, the entity must apply the electronic signature standard described in paragraph (b) of this section to that transaction.

(b) Standard.

(1) An electronic signature is the attribute affixed to an electronic document to bind it to a particular entity. An electronic signature secures the user authentication (proof of claimed identity) at the time the signature is generated; creates the logical manifestation of signature (including the possibility for multiple parties to sign a document and have the order of application recognized and proven); supplies additional information such as time stamp and signature purpose specific to that user; and ensures the integrity of the signed document to enable transportability of data, interoperability, independent verifiability, and continuity of signature capability. Verifying a signature on a document verifies the integrity of the document and associated attributes and verifies the identity of the signer.

(2) The standard for electronic signature is a digital signature. A "digital signature" is an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters so that the identity of the signer and the integrity of the data can be verified.

(c) Required implementation features.

If an entity uses electronic signatures, the signature method must assure all of the following features:

(1) Message integrity (the assurance of unaltered transmission and receipt of a message from the sender to the intended recipient).

(2) Nonrepudiation (strong and substantial evidence of the identity of the signer of a message, and of message integrity, sufficient to prevent a party from successfully denying the origin, submission, or delivery of the message and the integrity of its contents).

(3) User authentication (the provision of assurance of the claimed identity of an entity).

(d) Optional implementation features.

If an entity uses electronic signatures, the entity may also use, among others, any of the following implementation features:

(1) Ability to add attributes (one possible capability of a digital signature technology; for example, the ability to add a time stamp as part of a digital signature).

(2) Continuity of signature capability (the concept that the public verification of a signature must not compromise the ability of the signer to apply additional secure signatures at a later date).

(3) Countersignatures. (The capability to prove the order of application of signatures. This is analogous to the normal business practice of countersignatures, where a party signs a document that has already been signed by another party.)

(4) Independent verifiability (the capability to verify the signature without the cooperation of the signer).

(5) Interoperability (the applications used on either side of a communication, between trading partners and/or between internal components of an entity, are able to read and correctly interpret the information communicated from one to the other).

(6) Multiple signatures. (With this feature, multiple parties are able to sign a document. Conceptually, multiple signatures are simply appended to the document.)

(7) Transportability of data (the ability of a signed document to be transported over an insecure network to another system, while maintaining the integrity of the document, including content, signatures, signature attributes, and (if present) document attributes).
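To make the features in paragraphs (b) through (d) concrete, the following Go program is an added illustration (not part of the regulation or of any HHS implementation): it signs a constructed claim document with Ed25519, binding a time stamp and signature purpose as attributes; a second party countersigns over the document and the first signature so the order of application is provable; and a verifier checks the whole chain from public keys alone, rejecting an altered document or a reordered chain. The signer names, sample document, and the "|"-separated attribute encoding are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type Signature struct { // attributes (signer, purpose, time stamp) plus the raw signature bytes
	Signer, Purpose, Timestamp string
	Sig                        []byte
}
// digest hashes the document, each earlier signature in order, and this signer's attributes (fields assumed free of "|"), so a countersignature proves order.
func digest(doc []byte, prior []Signature, signer, purpose, ts string) []byte {
	h := sha256.New()
	h.Write(doc)
	for _, p := range prior {
		h.Write([]byte(p.Signer + "|" + p.Purpose + "|" + p.Timestamp + "|"))
		h.Write(p.Sig)
	}
	h.Write([]byte(signer + "|" + purpose + "|" + ts))
	return h.Sum(nil)
}
// Sign appends a signature over the document plus all signatures already present (multiple signatures).
func Sign(priv ed25519.PrivateKey, doc []byte, prior []Signature, signer, purpose, ts string) Signature {
	return Signature{signer, purpose, ts, ed25519.Sign(priv, digest(doc, prior, signer, purpose, ts))}
}
// VerifyChain checks integrity and signer identity of every signature, in order, from public keys alone (independent verifiability).
func VerifyChain(doc []byte, sigs []Signature, pubs map[string]ed25519.PublicKey) error {
	for i, s := range sigs {
		pub := pubs[s.Signer]
		if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, digest(doc, sigs[:i], s.Signer, s.Purpose, s.Timestamp), s.Sig) {
			return fmt.Errorf("signature %d by %q failed to verify", i, s.Signer)
		}
	}
	return nil
}

func main() { // constructed sample: a clinician signs a claim, then a billing officer countersigns
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	doc := []byte("claim 0001: procedure 99213, amount 120.00")
	sigs := []Signature{Sign(privA, doc, nil, "clinician", "author", "2024-01-01T09:00Z")}
	sigs = append(sigs, Sign(privB, doc, sigs, "billing", "countersign", "2024-01-01T10:00Z"))
	pubs := map[string]ed25519.PublicKey{"clinician": pubA, "billing": pubB}
	fmt.Println("intact:", VerifyChain(doc, sigs, pubs))                                  // <nil>
	fmt.Println("altered:", VerifyChain([]byte("claim 0001: amount 999.00"), sigs, pubs)) // error
	fmt.Println("reordered:", VerifyChain(doc, []Signature{sigs[1], sigs[0]}, pubs))      // error
}
```

Because each signature covers the signatures before it, swapping two signatures or dropping an earlier one invalidates the later ones, while a prefix of the chain still verifies on its own.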