Electronic Signature Model Policy Template
The policy includes a reference to the conditions under which an individual is required or permitted to participate in the e-signature process.
a. Confidentiality and Security
Participant identification: those authorized to affix an electronic signature will be limited to those identified by policy, such as treating physicians, other clinicians, ancillary healthcare staff, and clinical residents and students involved in patient care requiring record documentation and/or review and approval of documentation in the health record. Authorized titles are documented in medical staff bylaws or rules and regulations and organizational policies and procedures.
Security: robust organizational security safeguards form the technological foundation of the e-signature functional design. Technologies that fortify the reliability of e-signature functions are carefully selected and updated as technology advances. Under no circumstances may users provide any other person, including physician office staff, other physicians, or family members (e.g., patient or witness users), access to their user ID, PIN, or e-signature functionality. All users of electronic signatures must comply with confidentiality requirements outlined in the facility-wide policies on confidentiality and security of health information. Any security breach, such as problems with passwords, two-factor, multifactor, or biometric authentication, access ID codes, or PINs, must be dealt with promptly, and the affected credentials must be changed if they are suspected or known to have been compromised.
System authentication: a unique ID number, code, password, or other measure such as fingerprint or voice activation code should be used to identify each authorized user. This ID, code, or password should be confidential, known only to the user, and adequately complex according to security best practices and organization policy.
Participant agreement: each e-signer is required to complete a participation agreement attesting to be the only person with access to the identifier, code, password, or PIN and committing to the safekeeping of user information. The agreement acknowledges the user's intention to uphold organization policies and practices for a properly executed e-signature process. Retention responsibilities for the completed agreements and signing frequency practices are described; for example, requiring that a provider signs an initial agreement prior to first use, with annual agreement renewal thereafter. The agreement can be retained by the health information management department, medical staff office in physician profiles, or human resources department in employee files.
b. Compliance Monitoring
The policy designates requirements for planned compliance monitoring in the form of ongoing or periodic audits to measure participant alignment with policy and procedure expectations and to detect inappropriate e-signature practices, whether they arise from ignorance, negligence, or overt policy abuse.
Unannounced ongoing audits should be part of the organization's performance improvement program. The approach includes a check-the-checker provision, one that recognizes that the accuracy of the evaluator should also be checked periodically.
More frequent back-end compliance monitoring with a larger sample size may be needed to offset front-end technology limitations in order to adequately measure compliance.
c. Enforcement/Disciplinary Action
The policy identifies alignment with the organization's existing enforcement and disciplinary policies.
The enforcement and sanctioning models adopted are administered in a fair, consistent, and objective manner.
Any individual who makes inappropriate or illegal use of electronic signatures or records is subject to policy enforcement and disciplinary sanctions. Sanctions, based upon the signatory's relationship with the healthcare facility, may include professional review, suspension, revocation of privileges, termination of employment, and criminal prosecution.
Inappropriate or illegal use includes, but is not limited to, disclosing one's PIN or ID number, code, or password to others, and using a PIN or ID number, code, or password without authorization.
A tiered sanctions approach to inappropriate participant actions is recommended.
Please refer to AHIMA's practice brief "Sanction Guidelines for Privacy and Security Breaches."