Agenda
- E-SIGN records retention requirements
- Where to begin
- Developing performance standards
- Approaches and examples
Electronic Signatures in Global and National Commerce Act (E-Sign), P.L. 106-229
- Governs the use of e-signatures and e-records in interstate and foreign consumer, commercial, or business transactions
- E-signature provisions: effective October 1, 2000
- E-record retention provisions: effective March 1, 2001
  - Can be postponed until June 1, 2001 if regulations are "announced, proposed, or initiated" by March 1, 2001
E-SIGN Record Retention Standards
- Records retention requirements for private entities can be met with electronic records
- States can promulgate performance standards to assure records' accuracy, integrity, and accessibility
- Such standards need not be technology neutral if they:
  - Serve an important governmental objective, and
  - Are substantially related to the achievement of that objective
E-SIGN Record Retention Standards (cont.)
- States can require retention of a record in a "tangible printed or paper form" only if:
  - There is a compelling governmental interest related to law enforcement or national security, and
  - Such a requirement is essential to attaining that interest
Time Frames
- March 1, 2001: E-Sign allows private parties to use e-records to satisfy retention requirements
- The date can be postponed to June 1, 2001 if an agency announces, proposes, or initiates e-records retention performance standards by March 1, 2001
Where to Begin?
- Review and evaluate existing record retention and management requirements
  - What are they based on (law, regulation, policy)?
  - Are the requirements necessary to perform agency functions?
  - What is the extent of the agency's authority?
  - What are the agency's regulatory needs and goals?
    - Audit
    - Consumer protection and oversight
    - Protection of state interests
Where to Begin? (cont.)
- Evaluate the agency's ability to review and analyze regulated parties' e-records
  - Do you have the technical capability to handle e-records?
  - Does your staff have the necessary skills?
Where to Begin? (cont.)
- Reach out to regulated parties to discuss e-record formats that meet their needs and the agency's
  - What are the capabilities of the regulated parties?
  - Do standards and best practices already exist?
- Decide whether regulations are the appropriate approach or guidelines will suffice, based on factors specific to your state
- As needed, announce or initiate e-record retention rulemaking by March 1, 2001
Developing Standards
- Focus on your desired outcomes and critical points:
  - Receiving, capturing, and creating e-records
  - Maintaining accessible, authentic, and complete e-records
  - Maintaining secure, reliable, and trustworthy e-records systems
Receiving, Capturing and Creating E-Records
- Creation or capture of adequate records
  - Standards for a record's structure, content, and format
  - Procedures and processes for the receipt, creation, processing, and filing of e-records
- Authenticated and identified records
  - Measures or standards to authenticate senders and determine the integrity of an e-record
  - Measures or standards for secure transmission and processing of e-records
Maintaining Accessible, Authentic, and Complete E-Records
- Integrity of e-records
  - Information management standards
  - Standards for controlled storage or filing systems to ensure e-records' integrity and accessibility
- Retain in an accessible form for legal retention periods
  - Search and retrieval standards
  - Retention standards
  - Produce and supply authentic copies in usable formats, including hard copy
Maintaining Secure, Reliable and Trustworthy E-Records Systems
- System performs in an accurate, reliable, and consistent manner
  - Standards for system management policies and procedures
  - System performance tests
  - Audit trails of system activity
Maintaining Secure, Reliable and Trustworthy E-Records Systems (cont.)
- Protect e-records to enable their accurate and ready retrieval
  - Standards and controls for the accuracy and timeliness of input/output
  - Media controls and standards
  - Backup standards
Maintaining Secure, Reliable and Trustworthy E-Records Systems (cont.)
- Limit system access to authorized individuals for authorized purposes
  - System security policy and program
  - Physical and environmental security controls
  - Identification and authentication standards
  - Access control standards
Approaches
- Detailed regulations: include both outcomes and specific implementations in the regulations
- Outcome-focused regulations
- Limited but targeted regulations
- Limited regulations supported by specific guidelines
Example - Detailed Regulations
HIPAA Security Standards, 45 CFR Part 142 (1998 proposed rule)
- Administrative Procedures: to establish and enforce security policies
- Physical Safeguards: to protect physical computer systems, buildings, and equipment from hazards and intrusions
- Technical Security Services: to protect, control, and monitor access to data
- Technical Security Mechanisms: to protect and restrict access to data transmitted over a network
Technical Security Services to Guard Data Integrity, Confidentiality, and Availability
------------------------------------------------------------------------
Requirement                                    Implementation features
------------------------------------------------------------------------
Access control                                 Context-based access
  (Procedure for emergency access must be      Encryption
  implemented. In addition, at least one of    Procedure for emergency access
  context-based, role-based, or user-based     Role-based access
  access must be implemented. Encryption is    User-based access
  optional.)
Audit controls
Authorization control                          Role-based access
  (At least one of the listed features must    User-based access
  be implemented.)
Data authentication
Entity authentication                          Automatic logoff
  (Automatic logoff and unique user            Biometric
  identification must be implemented. In       Password
  addition, at least one of the other listed   PIN
  features must be implemented.)               Telephone callback
                                               Token
                                               Unique user identification
------------------------------------------------------------------------
Example - Outcome Focused Regulations
FDA 21 CFR Part 11, Electronic Records: controls for closed systems
- Validation of systems to ensure accuracy, reliability, and consistent performance
- Ability to conclusively discern invalid or altered records
- Ability to generate true copies of records in both human-readable and electronic form, suitable for inspection, review, and copying by the agency
- Protection of records to enable their accurate and ready retrieval throughout the records retention period
- Limiting system access to authorized individuals
Example - Outcome Focused Regulations (cont.)
Controls for closed systems (cont.)
- Use of time-stamped audit trails to document record changes; record changes must not obscure previously recorded information
- Audit trail documentation retained for as long as the subject e-records and available for agency review and copying
- Use of operational checks, authority checks, and device (e.g., terminal) location checks
- Confirmation that system staff have the education, training, and experience to perform their assigned tasks
- Written policies that hold individuals accountable and liable for actions initiated under their electronic signatures
- Use of appropriate systems documentation controls
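The Part 11 closed-system controls above, and the "integrity of e-records" and "audit trails of system activity" points under Developing Standards, all come down to the same engineering property: a record store whose history can be inspected and whose alteration can be detected. The following is an added example, not code from the original presentation or from FDA or any agency. It is one way to build that property: every create, modify, or delete becomes a new audit entry carrying a system-supplied timestamp and actor id, earlier content is never overwritten, and a SHA-256 hash chain over the entries lets a reviewer conclusively discern an altered entry. Record ids, user ids, field names, the JSON canonicalization, and the "rx-001" sample record are illustrative assumptions; entity authentication of the actor is assumed to happen upstream.

```python
"""Tamper-evident e-record store with a time-stamped, append-only audit trail.

Added example (not from the original deck or from any regulation). Illustrates
the controls summarized above: time-stamped audit trails, record changes that
never obscure earlier content, and the ability to discern an altered record.
Record ids, actor ids, field names and the JSON serialization are assumptions.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first entry in the chain


def hash_entry(entry: Dict) -> str:
    """SHA-256 over every field except entry_hash, in canonical (sorted, compact) JSON."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


class RecordStore:
    def __init__(self, clock: Optional[Callable[[], str]] = None):
        # The system, not the operator, supplies the timestamp (the 21 CFR 11.10(e)
        # audit-trail control). The clock is injectable so the trail is reproducible.
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())
        self.trail: List[Dict] = []      # append-only; entries are never edited in place
        self._live: Dict[str, int] = {}  # record_id -> seq of its current version

    def _append(self, actor: str, action: str, record_id: str, content: Optional[Dict]) -> Dict:
        prev = self.trail[-1]["entry_hash"] if self.trail else GENESIS
        entry = {
            "seq": len(self.trail),
            "timestamp": self._clock(),
            "actor": actor,
            "action": action,
            "record_id": record_id,
            # JSON round trip: a private copy that is also guaranteed serializable
            "content": None if content is None else json.loads(json.dumps(content)),
            "prev_hash": prev,
        }
        entry["entry_hash"] = hash_entry(entry)
        self.trail.append(entry)
        return entry

    def create(self, actor: str, record_id: str, content: Dict) -> Dict:
        if record_id in self._live:
            raise ValueError(f"{record_id} already exists; use modify")
        entry = self._append(actor, "create", record_id, content)
        self._live[record_id] = entry["seq"]
        return entry

    def modify(self, actor: str, record_id: str, content: Dict) -> Dict:
        if record_id not in self._live:  # operational check: only live records change
            raise ValueError(f"{record_id} is not a live record")
        entry = self._append(actor, "modify", record_id, content)
        self._live[record_id] = entry["seq"]
        return entry

    def delete(self, actor: str, record_id: str) -> Dict:
        if record_id not in self._live:
            raise ValueError(f"{record_id} is not a live record")
        entry = self._append(actor, "delete", record_id, None)
        del self._live[record_id]  # the deleted content stays visible in the trail
        return entry

    def current(self, record_id: str) -> Optional[Dict]:
        seq = self._live.get(record_id)
        return None if seq is None else self.trail[seq]["content"]

    def history(self, record_id: str) -> List[Dict]:
        """Every version ever recorded, oldest first; later changes obscure nothing."""
        return [e for e in self.trail if e["record_id"] == record_id]

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain; return (True, None) or (False, seq of the first bad entry)."""
        prev = GENESIS
        for e in self.trail:
            if e["prev_hash"] != prev or hash_entry(e) != e["entry_hash"]:
                return False, e["seq"]
            prev = e["entry_hash"]
        return True, None

    def true_copy(self, record_id: str) -> Tuple[str, str]:
        """Electronic (compact JSON) and human-readable (indented JSON) copies of a
        record together with its audit history, as an inspector would request them."""
        bundle = {"record_id": record_id, "current": self.current(record_id),
                  "history": self.history(record_id)}
        return (json.dumps(bundle, sort_keys=True, separators=(",", ":")),
                json.dumps(bundle, sort_keys=True, indent=2))


if __name__ == "__main__":
    store = RecordStore()
    store.create("jdoe", "rx-001", {"patient": "A", "dose_mg": 10})  # constructed sample data
    store.modify("jdoe", "rx-001", {"patient": "A", "dose_mg": 20})
    print(store.true_copy("rx-001")[1])
    print("chain intact:", store.verify())
    store.trail[0]["content"]["dose_mg"] = 99  # simulate a silent in-place edit
    print("after tampering:", store.verify())
```

Two properties matter for review. First, `verify()` catches both kinds of tampering the deck's controls target: editing an entry in place breaks its own hash, and re-hashing the edited entry only moves the break to the next link, because the next entry still carries the old `prev_hash`. Second, an attacker who controls the store can still rewrite the whole chain from the edited point forward, so in practice the latest `entry_hash` must be anchored somewhere the system operator cannot alter (a signed log, write-once media, or an external notary), which is the backup and media-control standard the deck lists separately.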
Example - Targeted Regulations
Minnesota Dept. of Health, Nursing Homes, Chap. 4658: use of an electronic health information system
- Policies and procedures for password protection
- Contractor must maintain the confidentiality of all information
- Audit trails for the source and date of all entries and deletions
- Backup systems must be implemented and maintained
- Preventive maintenance of the system
- Plan for preparing, securing, and retaining archived data
- Procedures for preparing and securing daily, weekly, and monthly archived copies of data
- Protection from unauthorized use of active and archived records
Example - Limited Regulations
Minnesota Board of Dentistry, Chapter 3100, Subp. 14, Electronic recordkeeping
- The requirements that apply to paper records apply to electronic recordkeeping
- When electronic records are kept, a dentist must keep either a duplicate hard copy record or use an unalterable electronic record