Coping with Electronic Records Setting Standards for Private Sector E-records Retention


Agenda

E-SIGN records retention requirements
Where to begin
Developing performance standards
Approaches and examples

E-SIGN’s E-records Provisions

Electronic Signatures in Global and National Commerce Act (E-SIGN), P.L. 106-229
Governs the use of e-signatures and e-records in interstate and foreign consumer, commercial or business transactions
E-signature provisions: effective October 1, 2000
E-record retention provisions: effective March 1, 2001; can be postponed until June 1, 2001 if regulations are “announced, proposed, or initiated” by March 1, 2001

E-SIGN Record Retention Standards

Records retention requirements for private entities can be met with electronic records
States can promulgate performance standards to assure records’ accuracy, integrity, and accessibility
Such standards need not be technology neutral if they serve an important governmental objective and are substantially related to the achievement of that objective

E-SIGN Record Retention Standards

States can require retention of a record in a “tangible printed or paper form” only if there is a compelling governmental interest related to law enforcement or national security, and the requirement is essential to attaining that interest

Time Frames

March 1, 2001: E-SIGN allows private parties to use e-records to satisfy retention requirements
The date can be postponed to June 1, 2001 if an agency announces or initiates e-records retention performance standards by March 1, 2001

Where to begin?

Where to Begin?

Review and evaluate existing record retention and management requirements
What are they based on (law, regulation, policy)?
Are the requirements necessary to perform agency functions?
What is the extent of the agency’s authority?
What are the agency’s regulatory needs and goals? Audit, consumer protection and oversight, protection of state interests

Where to Begin?

Evaluate the agency’s ability to review and analyze regulated parties’ e-records
Do you have the technical capability to handle e-records?
Does your staff have the necessary skill?

Where to Begin?

Reach out to regulated parties to discuss e-record formats that meet their and the agency’s needs
What are the capabilities of the regulated parties?
Do standards and best practices already exist?
Decide whether regulations are the appropriate approach or whether guidelines will suffice, based on factors specific to your state
As needed, announce or initiate e-record retention rulemaking by March 1, 2001

Developing Standards

Developing standards

Focus on your desired outcomes and critical points:
Receiving, capturing and creating e-records
Maintaining accessible, authentic, and complete e-records
Maintaining secure, reliable and trustworthy e-records systems

Receiving, Capturing and Creating E-Records

Creation or capture of adequate records
Standards for a record’s structure, content, and format
Procedures and processes for the receipt, creation, processing, and filing of e-records
Authenticated and identified records
Measures or standards to authenticate senders and determine the integrity of an e-record
Measures or standards for secure transmission and processing of e-records

Maintaining Accessible, Authentic, and Complete E-Records

Integrity of e-records
Information management standards
Standards for controlled storage or filing systems to ensure e-records’ integrity and accessibility
Retain in an accessible form for legal retention periods
Search and retrieval standards
Retention standards
Produce and supply authentic copies in usable formats, including hard copy

Maintaining Secure, Reliable and Trustworthy E-Records Systems

System performs in an accurate, reliable, and consistent manner
Standards for system management policies and procedures
System performance tests
Audit trails of system activity

Maintaining Secure, Reliable and Trustworthy E-Records Systems

Protect e-records to enable their accurate and ready retrieval
Standards and controls for the accuracy and timeliness of input/output
Media controls and standards
Backup standards

Maintaining Secure, Reliable and Trustworthy E-Records Systems

Limit system access to authorized individuals for authorized purposes
System security policy and program
Physical, environmental, and security controls
Identification and authentication standards
Access control standards

Approaches and Examples

Approaches

Detailed regulations: include both outcomes and specific implementations in the regulations
Outcome-focused regulation
Limited but targeted regulations
Limited regulations supported by specific guidelines

Example - Detailed regulations

HIPAA Security Standards, 45 CFR Part 142 (1998 proposed rule)
Administrative Procedures - to establish and enforce security policies
Physical Safeguards - to protect physical computer systems, buildings and equipment from hazards and intrusions
Technical Security Services - to protect, control and monitor access to data
Technical Security Mechanisms - to protect and restrict access to data transmitted over a network

Technical Security Services To Guard Data Integrity, Confidentiality, and Availability

Requirement: Access control
  Implementation features: Context-based access; Encryption; Procedure for emergency access; Role-based access; User-based access
  (The following implementation feature must be implemented: Procedure for emergency access. In addition, at least one of the following three implementation features must be implemented: Context-based access, Role-based access, User-based access. The use of Encryption is optional.)

Requirement: Audit controls
  Implementation features: none specified

Requirement: Authorization control
  Implementation features: Role-based access; User-based access
  (At least one of the listed implementation features must be implemented.)

Requirement: Data authentication
  Implementation features: none specified

Requirement: Entity authentication
  Implementation features: Automatic logoff; Biometric; Password; PIN; Telephone callback; Token; Unique user identification
  (The following implementation features must be implemented: Automatic logoff, Unique user identification. In addition, at least one of the other listed implementation features must be implemented.)

Approaches – Outcome focused regulations

FDA 21 CFR Part 11, Electronic Records: controls for closed systems
Validation of systems to ensure accuracy, reliability, and consistent performance
Ability to conclusively discern invalid or altered records
Ability to generate true copies of records in both human readable and electronic form, suitable for inspection, review, and copying by the agency
Protection of records to enable their accurate and ready retrieval throughout the records retention period
Limiting system access to authorized individuals

Approaches – Outcome focused regulations

Controls for closed systems (cont.)
Use of time-stamped audit trails to document record changes
Record changes must not obscure previously recorded information
Audit trail documentation is retained for as long as the subject e-records and is available for agency review and copying
Use of operational checks, authority checks, and device (e.g., terminal) location checks
Confirmation that system staff have the education, training, and experience to perform their assigned tasks
Written policies which hold individuals accountable and liable for actions initiated under their electronic signatures
Use of appropriate systems documentation controls

Example – Targeted regulations

Minnesota Dept. of Health, Nursing Homes, Chap. 4658
If a nursing home uses an electronic health information system:
Policies and procedures for password protection
The contractor must maintain the confidentiality of all information
Audit trails for the source and date of all entries and deletions
Backup systems must be implemented and maintained
Preventive maintenance of the system
Plan for preparing, securing, and retaining archived data
Procedures for preparing and securing daily, weekly, and monthly archived copies of data
Protection from unauthorized use of active and archived records

Example – Limited regulations

Minnesota Dentistry Board, Chapter 3100, Subp. 14, Electronic recordkeeping
The requirements that apply to paper records apply to electronic recordkeeping
When electronic records are kept, a dentist must keep either a duplicate hard copy record or use an unalterable electronic record
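The Part 11 closed-system controls listed earlier (time-stamped audit trails, changes that do not obscure previously recorded information, the ability to discern altered records, true copies in human-readable form) and the dentistry rule’s “unalterable electronic record” describe one recordkeeping outcome from two directions. The following is an added example written for this page, not code from the FDA, the Minnesota boards, or the deck’s authors: an append-only store in which every entry is hash-chained to its predecessor, so amendments add a new version rather than overwrite, and any in-place edit to a stored version breaks the chain. RecordStore, Entry and their methods are hypothetical names, and the users, record IDs and chart values are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional


@dataclass(frozen=True)
class Entry:
    seq: int
    timestamp: str
    user: str
    action: str        # "create" or "amend"
    record_id: str
    content: dict
    prev_hash: str     # entry_hash of the preceding entry; links the trail into a chain
    entry_hash: str    # SHA-256 over every other field, canonically serialised


def _canonical(body: dict) -> bytes:
    # Sorted keys and fixed separators: identical content always hashes identically.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


class RecordStore:
    """Append-only e-record store (hypothetical). Amendments add versions; nothing is overwritten."""

    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self, clock: Optional[Callable[[], str]] = None):
        self._entries: list[Entry] = []
        # Injectable clock keeps the demo deterministic; production use takes UTC now.
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def _append(self, user: str, action: str, record_id: str, content: dict) -> Entry:
        prev = self._entries[-1].entry_hash if self._entries else self.GENESIS
        body = {"seq": len(self._entries), "timestamp": self._clock(), "user": user,
                "action": action, "record_id": record_id, "content": dict(content),
                "prev_hash": prev}
        entry = Entry(**body, entry_hash=hashlib.sha256(_canonical(body)).hexdigest())
        self._entries.append(entry)
        return entry

    def create(self, user: str, record_id: str, content: dict) -> Entry:
        if self.current(record_id) is not None:
            raise ValueError(f"{record_id} already exists; use amend()")
        return self._append(user, "create", record_id, content)

    def amend(self, user: str, record_id: str, content: dict) -> Entry:
        if self.current(record_id) is None:
            raise KeyError(f"{record_id} does not exist")
        return self._append(user, "amend", record_id, content)

    def current(self, record_id: str) -> Optional[dict]:
        """Latest version of a record, or None if it was never created."""
        for e in reversed(self._entries):
            if e.record_id == record_id:
                return dict(e.content)
        return None

    def history(self, record_id: str) -> list[Entry]:
        """Every version ever recorded, oldest first: the audit trail for one record."""
        return [e for e in self._entries if e.record_id == record_id]

    def verify(self) -> tuple[bool, Optional[int]]:
        """Recompute the chain: (True, None) if intact, else (False, seq) of the first entry
        whose hash or linkage fails."""
        prev = self.GENESIS
        for expected_seq, e in enumerate(self._entries):
            body = {"seq": e.seq, "timestamp": e.timestamp, "user": e.user,
                    "action": e.action, "record_id": e.record_id,
                    "content": e.content, "prev_hash": e.prev_hash}
            if (e.seq != expected_seq or e.prev_hash != prev
                    or hashlib.sha256(_canonical(body)).hexdigest() != e.entry_hash):
                return False, e.seq
            prev = e.entry_hash
        return True, None

    def true_copy(self) -> str:
        """Human-readable copy of the full trail, one line per entry."""
        return "\n".join(
            f"{e.seq:04d} {e.timestamp} {e.user:<10} {e.action:<6} {e.record_id} "
            f"{json.dumps(e.content, sort_keys=True)} sha256={e.entry_hash[:16]}"
            for e in self._entries)


def demo() -> dict:
    # Constructed sample data (fictitious chart entries), followed by a simulated direct edit.
    ticks = (f"2001-03-01T09:{m:02d}:00+00:00" for m in range(60))
    store = RecordStore(clock=lambda: next(ticks))
    store.create("dr_lee", "chart-001", {"patient": "P-17", "dose_mg": 50})
    store.amend("dr_lee", "chart-001", {"patient": "P-17", "dose_mg": 75})
    store.create("nurse_kim", "chart-002", {"patient": "P-18", "dose_mg": 10})
    ok_before, _ = store.verify()
    result = {"ok_before": ok_before,
              "versions": [e.content["dose_mg"] for e in store.history("chart-001")],
              "current_dose": store.current("chart-001")["dose_mg"],
              "copy_lines": len(store.true_copy().splitlines())}
    # Someone with write access to the storage edits entry 0 in place, bypassing amend().
    # Its recomputed hash no longer matches entry_hash, so verify() flags seq 0.
    store._entries[0].content["dose_mg"] = 5
    result["ok_after"], result["bad_seq"] = store.verify()
    return result
```

The chain makes a silent edit to any stored version detectable, and history() shows both the original 50 mg entry and the 75 mg amendment with their timestamps and authors, which is what “changes do not obscure previously recorded information” asks for. It does not by itself stop someone who can rewrite the whole store from re-hashing every entry consistently; to close that, the newest entry_hash should be copied somewhere the record system cannot alter (write-once media, a signed periodic export, or a counterparty), and a production system would sign or HMAC entries with a key held outside the application’s user population.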

Conclusion

Focus on regulatory goals and desired recordkeeping outcomes, processes and systems
Utilize accepted and implementable standards
Use regulations to regulate and guidelines to assist
Stay current and periodically revisit regulations and guidelines
Communicate with the regulated community