Coping with Electronic Records Setting Standards for Private Sector E-records Retention.

Presentation transcript:

Coping with Electronic Records Setting Standards for Private Sector E-records Retention

Agenda
- E-SIGN records retention requirements
- Where to begin
- Developing performance standards
- Approaches and examples

E-SIGN’s E-records Provisions

Electronic Signatures in Global and National Commerce Act (E-Sign), P.L.
- Use of e-signatures and e-records in interstate and foreign consumer, commercial or business transactions
- E-signature provisions: effective on October 1, 2000
- E-record retention provisions: effective March 1, 2001; can be postponed until June 1, 2001 if regulations are “announced, proposed, or initiated” by March 1, 2001

E-SIGN Record Retention Standards
- Records retention requirements for private entities can be met with electronic records
- States can promulgate performance standards to assure records’ accuracy, integrity, and accessibility
- Such standards need not be technology neutral if they serve an important governmental objective and are substantially related to the achievement of that objective

E-SIGN Record Retention Standards
- States can require retention of a record in a “tangible printed or paper form” if there is a compelling governmental interest related to law enforcement or national security and such requirement is essential to attaining that interest

Time Frames
- March 1, 2001: E-Sign allows private parties to use e-records to satisfy retention requirements
- The date can be postponed to June 1, 2001 if an agency announces or initiates e-records retention performance standards by March 1, 2001

Where to begin?

Where to Begin?
- Review and evaluate existing record retention and management requirements
  - What are they based on (law, regulation, policy)?
  - Are the requirements necessary to perform agency functions?
  - What is the extent of the agency’s authority?
- What are the agency’s regulatory needs and goals?
  - Audit
  - Consumer protection and oversight
  - Protection of state interests

Where to Begin?
- Evaluate the agency’s ability to review and analyze regulated parties’ e-records
  - Do you have the technical capability to handle e-records?
  - Does your staff have the necessary skills?

Where to Begin?
- Reach out to regulated parties to discuss e-record formats that meet their and the agency’s needs
  - What are the capabilities of the regulated parties?
  - Do standards and best practices already exist?
- Decide if regulations are the appropriate approach or guidelines will suffice, based on factors specific to your state
- As needed, announce or initiate e-record retention rulemaking by March 1, 2001

Developing Standards

Developing Standards
- Focus on your desired outcomes and critical points:
  - Receiving, capturing and creating e-records
  - Maintaining accessible, authentic, and complete e-records
  - Maintaining secure, reliable and trustworthy e-records systems

Receiving, Capturing and Creating E-Records
- Creation or capture of adequate records
  - Standards for records’ structure, content, and format
  - Procedures and processes for the receipt, creation, processing, and filing of e-records
- Authenticated and identified records
  - Measures or standards to authenticate senders and determine the integrity of e-records
  - Measures or standards for secure transmission and processing of e-records

Maintaining Accessible, Authentic, and Complete E-Records
- Integrity of e-records
  - Information management standards
  - Standards for controlled storage or filing systems to ensure e-records’ integrity and accessibility
- Retain in an accessible form for legal retention periods
  - Search and retrieval standards
  - Retention standards
  - Produce and supply authentic copies in usable formats, including hard copy

Maintaining Secure, Reliable and Trustworthy E-Records Systems
- System performs in an accurate, reliable, and consistent manner
  - Standards for system management policies and procedures
  - System performance tests
  - Audit trails of system activity

Maintaining Secure, Reliable and Trustworthy E-Records Systems
- Protect e-records to enable their accurate and ready retrieval
  - Standards and controls for the accuracy and timeliness of input/output
  - Media controls and standards
  - Backup standards

Maintaining Secure, Reliable and Trustworthy E-Records Systems
- Limit system access to authorized individuals for authorized purposes
  - System security policy and program
  - Physical, environmental, and security controls
  - Identification and authentication standards
  - Access control standards

Approaches and Examples

Approaches
- Detailed regulations: include both outcomes and specific implementations in regulations
- Outcome-focused regulation
- Limited but targeted regulations
- Limited regulations supported by specific guidelines

Example - Detailed Regulations: HIPAA Security Standards, 45 CFR Part 142
- Administrative procedures: to establish and enforce security policies
- Physical safeguards: to protect physical computer systems, buildings and equipment from hazards and intrusions
- Technical security services: to protect, control and monitor access to data
- Technical security mechanisms: to protect and restrict access to data transmitted over a network

Approaches – Outcome-Focused Regulations: FDA 21 CFR Part 11 Electronic Records
Controls for closed systems:
- Validation of systems to ensure accuracy, reliability, and consistent performance
- Ability to conclusively discern invalid or altered records
- Ability to generate true copies of records in both human-readable and electronic form, suitable for inspection, review, and copying by the agency
- Protection of records to enable their accurate and ready retrieval throughout the records retention period
- Limiting system access to authorized individuals

Approaches – Outcome-Focused Regulations
Controls for closed systems (cont.):
- Use of time-stamped audit trails to document record changes; record changes don’t obscure previously recorded information
- Audit trail documentation retained for as long as the subject e-records and available for agency review and copying
- Use of operational checks, authority checks, and device (e.g., terminal) location checks
- Confirmation that system staff have the education, training, and experience to perform their assigned tasks
- Written policies which hold individuals accountable and liable for actions initiated under their electronic signatures
- Use of appropriate systems documentation controls
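Added example, not from the presentation: a Python sketch of how a record system can satisfy the audit-trail controls just listed and the earlier requirement to conclusively discern altered records. The AuditedRecordStore class and the sample values are hypothetical; each change is a time-stamped, append-only entry that keeps the prior value and is chained to the previous entry by a SHA-256 hash, so a later alteration of any entry is detectable.

```python
import hashlib
import json
from datetime import datetime, timezone

class AuditedRecordStore:
    """Append-only store (hypothetical, for this example): every change is a
    time-stamped audit entry that keeps the prior value and is hash-chained."""
    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self):
        self.entries = []  # audit trail; entries are never edited or removed
        self.current = {}  # record_id -> latest value

    @staticmethod
    def _entry_hash(entry):
        # Hash every field except the stored hash itself, in canonical order.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def change(self, record_id, new_value, user, reason):
        """Record a change without obscuring the previously recorded value."""
        entry = {
            "seq": len(self.entries),
            "ts": datetime.now(timezone.utc).isoformat(),  # UTC time stamp
            "record_id": record_id,
            "old_value": self.current.get(record_id),  # None for a new record
            "new_value": new_value,
            "user": user,
            "reason": reason,
            "prev_hash": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry["hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        self.current[record_id] = new_value
        return entry["hash"]

    def verify(self):
        """Return the index of the first altered entry, or None if intact."""
        prev_hash = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["prev_hash"] != prev_hash or self._entry_hash(e) != e["hash"]:
                return i
            prev_hash = e["hash"]
        return None

    def history(self, record_id):
        # Full change history of one record: (timestamp, old, new, user)
        return [(e["ts"], e["old_value"], e["new_value"], e["user"])
                for e in self.entries if e["record_id"] == record_id]
```

The chain only proves that entries are unchanged since the last head hash that was recorded somewhere the system operators cannot rewrite, so the head hash should be copied periodically to write-once media or a separately controlled log.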

Example – Targeted Regulations: Minnesota Dept. of Health, Nursing Homes, Chap.
Use of an electronic health information system:
- Policies and procedures for password protection
- Contractor must maintain the confidentiality of all information
- Audit trails for the source and date of all entries and deletions
- Backup systems must be implemented and maintained
- Preventive maintenance of the system
- Plan for preparing, securing, and retaining archived data
- Procedures for preparing and securing daily, weekly, and monthly archived copies of data
- Protection from unauthorized use of active and archived records

Example – Limited Regulations: Minnesota Dentistry Board, Chapter 3100, Subp. 14, Electronic Recordkeeping
- The requirements that apply to paper records apply to electronic recordkeeping
- When electronic records are kept, a dentist must keep either a duplicate hard copy record or use an unalterable electronic record

Conclusion
- Focus on regulatory goals and desired recordkeeping outcomes, processes and systems
- Utilize accepted and implementable standards
- Use regulations to regulate and guidelines to assist
- Stay current and periodically revisit regulations and guidelines
- Communicate with the regulated community