Monday, April 13, 2009

Caselaw: When Bad Security Makes for Invalid Electronic Signatures

Signatures are essential - as in, legally required - for many healthcare records, among them medical records, drug orders and prescriptions. Failure to sign violates licensing and frequently other state law provisions, and in some cases federal requirements and accreditation standards. Federal and state laws - E-SIGN and the Uniform Electronic Transactions Act (UETA, adopted in almost all states) - also permit electronic signatures, and these have become a standard part of electronic health record (EHR) and electronic prescribing (e-Rx) systems.

Neither E-SIGN nor UETA specifies the technologies which are acceptable as electronic signatures; both instead leave it up to the agreement of the parties. As a matter of law, then, an electronic signature is any "electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record." For example, when you download a new application you are usually confronted with several pages of license agreement and a "click to accept" button, or something similar. When you click the button, you are executing an electronic process (the results of the click) logically associated with a record (the license agreement) with intent to sign (implied by the fact that you clicked after being asked if you accept the license agreement). From a legal point of view, you have just electronically signed the license agreement.

As you can imagine, this open standard creates many opportunities for error and fraud. You could click to accept without intending to, just because you're fumble-fingered. (This is why a double-click is often a better solution.) Somebody else could log on to your account, or create an account using your information, and "sign" records in your name - for example, bank transfer authorizations. And so on.

The security of the process used to create an electronic signature is therefore essential to its reliability, and both E-SIGN and UETA have provisions allowing an electronic signature's validity to be proven by evidence of the "efficacy" of the security of the process. Conversely, "bad" security may be grounds to contest an electronic signature, and even have it thrown out.

This recently happened in a Kansas federal district court case, Kerr v. Dillard Store Services. The record there was an arbitration agreement potentially applicable to the plaintiff's discrimination claim against her employer. In Kerr, the employer required employees "to memorialize their arbitration agreements by executing electronic arbitration agreements through an intranet computer system." The signature process was as follows:

To access the intranet each associate had a unique, confidential password that was created by and known only to the associate. Executing the agreement to arbitrate required the associate to (1) enter his or her social security number or associate identification number (AIN); (2) enter his or her secure password and; (3) click the “accept” option at the bottom of the arbitration agreement screen.

The execution transaction was confirmed by an email to the employee. All in all, a pretty standard electronic signature process, better than many, in my experience.

Dillard, the employer, tried to hold employee Kerr to the online arbitration agreement it claimed she had signed. However, the plaintiff claimed she never executed this process, and the burden of proof was on the employer. The court found for Kerr, reasoning that:

The problem with Dillard’s position is that it did not have adequate procedures to maintain the security of intranet passwords, to restrict authorized access to the screen which permitted electronic execution of the arbitration agreement, to determine whether electronic signatures were genuine or to determine who opened individual emails. . . . Therefore, it is not inconceivable Champlin [the store secretary] or a supervisor logged on to plaintiff’s account and executed the agreement. . . . Dillard’s has not demonstrated the efficacy of its security procedures with regard to electronic signature. . . . On this record, the Court cannot find that it is more likely than not true that plaintiff executed the electronic agreement to arbitrate.

While Kerr, as an unpublished district court decision, is not legally binding authority, it does demonstrate the pitfalls of bad security for electronic signature processes. Healthcare organizations, which depend on signed records for essential functions associated with some of their most significant liabilities, might do well to consider how their solutions would look in court.
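The court's complaint was not that Dillard used passwords and a click, but that it could not show afterwards who authenticated, whether access to the signing screen was restricted, whether the signed record was genuine, or who opened the confirmation email. The following is an added example, not the Dillard system or any product the post describes, of what a signing process that could answer those questions might record: a chain of audit events (login, acceptance click, confirmation opened) each bound to the previous one with an HMAC, plus an assessment that asks the same four questions the court did. The event names, fields, audit key and sample data are all assumptions constructed for the example.

```python
from __future__ import annotations
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed audit key for the example only. A real deployment keeps this in an
# HSM or secrets manager, separate from the database that stores the records, so
# that whoever can edit the records cannot also re-sign them.
AUDIT_KEY = b"constructed-example-audit-key-not-for-production"


def _canonical(body: dict) -> bytes:
    # Deterministic serialization so the MAC covers exactly the stored fields.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_event(event: str, fields: dict, when: datetime, prev_mac: str) -> dict:
    """Append one audit event, chained to the MAC of the previous event."""
    body = {"event": event, "timestamp": when.isoformat(), "prev_mac": prev_mac, **fields}
    body["mac"] = hmac.new(AUDIT_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_chain(records: list[dict]) -> list[str]:
    """Check that every record is unaltered and follows its predecessor."""
    findings, prev_mac = [], ""
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "mac"}
        expected = hmac.new(AUDIT_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("mac", "")):
            findings.append(f"event {i} ({rec['event']}): altered after it was written")
        if rec.get("prev_mac") != prev_mac:
            findings.append(f"event {i} ({rec['event']}): chain broken, earlier event missing or reordered")
        prev_mac = rec.get("mac", "")
    return findings


def assess_signature(records: list[dict], document: str) -> list[str]:
    """Ask the questions raised in Kerr of the evidence chain: is the record genuine,
    was the signing screen access-controlled, how was the signer authenticated, and
    did the confirmation reach the signer? Empty list means all are answered."""
    findings = verify_chain(records)
    by_type = {r["event"]: r for r in records}
    login = by_type.get("session.login")
    accept = by_type.get("esign.accept")
    confirm = by_type.get("confirmation.opened")
    if accept is None:
        return findings + ["no acceptance event recorded"]
    if accept["document_sha256"] != hashlib.sha256(document.encode()).hexdigest():
        findings.append("acceptance event does not match this document text")
    if login is None or login["session_id"] != accept["session_id"]:
        findings.append("acceptance not tied to an authenticated session")
    elif login["auth_method"] == "password":
        findings.append("single shared-secret factor; weak evidence of who was at the keyboard")
    if not accept.get("screen_authorized"):
        findings.append("signing screen reached without an authorization check")
    if confirm is None or confirm["signer_id"] != accept["signer_id"]:
        findings.append("no record that the signer received and opened the confirmation")
    return findings


def build_example_chain(auth_method: str = "password+otp") -> tuple[list[dict], str]:
    """Constructed sample: a login, an acceptance click and a confirmation-email open."""
    document = "Arbitration Agreement v3: the parties agree to arbitrate ... (constructed text)"
    t0 = datetime(2009, 4, 13, 9, 30, tzinfo=timezone.utc)
    # The signer is identified by an associate number; the SSN is never written to the log.
    session = {"session_id": "sess-7f3a", "signer_id": "AIN-104233", "source_ip": "10.1.22.9"}
    login = make_event("session.login", {**session, "auth_method": auth_method}, t0, "")
    accept = make_event(
        "esign.accept",
        {**session,
         "document_sha256": hashlib.sha256(document.encode()).hexdigest(),
         "screen_authorized": True},
        t0.replace(minute=34), login["mac"])
    confirm = make_event(
        "confirmation.opened",
        {"signer_id": session["signer_id"], "message_id": "msg-0912", "source_ip": "10.1.22.9"},
        t0.replace(minute=41), accept["mac"])
    return [login, accept, confirm], document


if __name__ == "__main__":
    records, document = build_example_chain()
    print("intact chain:", assess_signature(records, document))
    records[1]["signer_id"] = "AIN-000001"   # a later edit to the signer is detected
    print("edited record:", assess_signature(records, document))
```

The point of the chain is that a supervisor who can log in as the plaintiff cannot also rewrite the login event to hide that fact without breaking the MAC, and a password-only login is reported as weak evidence of identity rather than silently accepted. Whether a court would accept the result still depends on the organization being able to explain and document the process, but at least the questions can be answered from the record.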

Wednesday, April 8, 2009

Red Flag Rule Board Consent and Policy

If you've surfed this site, you know that one of my tenets is that we're all generally better off sharing key policies - it improves our overall knowledge base and helps set a standard of care.

In that spirit, here are some materials you might consider if your healthcare organization needs to come into compliance with the Federal Trade Commission's Red Flag Rules - which are, by the way, effective May 1, 2009. Of course, documents like these should only be adopted as part of a good data protection program, which all healthcare organizations should already have for HIPAA compliance purposes. I'd also strongly suggest having a look at the open source Security Incident Response Policy I posted here in 2007 - it goes well with these.

If you don't know what this is all about, a good place to start is with the FTC's own web site. And as ever, this is educational material, not legal advice. If you think you need to adopt something like this, ask your lawyer! And feel free to share these with him or her.
__________________________________________________________________________________________________________________________________________________________________________

Copyright 2009 © John R. Christiansen/Christiansen IT Law
Creative Commons Attribution 3.0 License
Distribution Permitted with Attribution Retained

CONSENT RESOLUTION FOR ADOPTION OF IDENTITY THEFT PREVENTION PROGRAM FOR [HEALTHCARE PROVIDER NAME]

The undersigned, being all of the Board of [Directors/Trustees] of [Healthcare Organization/Business Associate], a ___________ [ENTITY TYPE] (the "ENTITY"), hereby adopt and consent to the adoption of the following resolutions:

A. The Board has been advised by ENTITY’s [General Counsel/Legal Department/Law Firm], its legal counsel, with respect to the Federal Trade Commission’s Identity Theft Prevention Red Flag Rules, as codified at 16 CFR 681.2 (“Red Flag Rules”).

B. The Board has been further advised by [General Counsel/Legal Department/Law Firm] that [s/he/it] has determined, upon consultation with ENTITY’s [Chief Financial Officer/Chief Information Officer/Compliance Officer/Billing Department Head/Medical Records Department Head/Consultant/other relevant parties], that ENTITY is a “Creditor” and maintains “Covered Accounts” within the meaning of the Red Flag Rules. [General Counsel/Legal Department/Law Firm] has therefore determined that ENTITY is required to comply with the Red Flag Rules.

C. The Board has been further advised by ENTITY’s [Chief Information Security Officer/Compliance Officer/Security Consultant] that [s/he] has conducted an assessment of identity theft risks associated with ENTITY’s Covered Accounts, and determined that there are vulnerabilities which may present potential financial, operational, compliance, reputational or litigation risks to ENTITY, as well as financial, reputational or patient safety risks to ENTITY’s patients.

D. In order to comply with the Red Flag Rules and address identity theft risks, [General Counsel/Legal Department/Law Firm] and [Chief Information Security Officer/Compliance Officer/Security Consultant] have recommended to the Board that ENTITY adopt an Identity Theft Prevention Program. The [Chief Information Security Officer/Compliance Officer/Security Consultant] has further recommended that the Identity Theft Prevention Program be integrated with ENTITY’s existing [Information Security/Compliance] Program, due to the close relationship between identity theft prevention and the information protection and compliance goals of the latter program, and in order to implement the Identity Theft Prevention Program more efficiently.

Based upon these findings and recommendations, the Board has resolved as follows:

RESOLVED, that [Chief Information Security Officer/Compliance Officer/Security Consultant], in consultation with [General Counsel/Legal Department/Law Firm] and [Chief Financial Officer/Chief Information Officer/Compliance Officer/Billing Department Head/Medical Records Department Head/Consultant/other relevant parties], is authorized and directed to develop and implement an Identity Theft Prevention Program, as part of ENTITY’s [Information Security/Compliance] Program.

RESOLVED, that [Chief Information Security Officer/Compliance Officer/Security Consultant] and [General Counsel/Legal Department/Law Firm] shall be responsible for updating and revision of the Identity Theft Prevention Program to address changes in applicable law, changes in ENTITY’s operations or systems affecting identity theft risks, identity theft or security incidents indicating new or previously unidentified risks, and other factors affecting the effectiveness of the Identity Theft Prevention Program, in consultation with the [Chief Financial Officer/Chief Information Officer/Compliance Officer/Billing Department Head/Medical Records Department Head/Consultant/other relevant parties], as appropriate.

RESOLVED, that the [Chief Information Security Officer/Compliance Officer/Security Consultant] and [General Counsel/Legal Department/Law Firm] shall report to the Board when the Identity Theft Prevention Program has been implemented, at the next regular meeting of the Board after the effective date of such implementation, and in any case at the next regular meeting of the Board after [TIME PERIOD]. Following implementation, the [Chief Information Security Officer/Compliance Officer/Security Consultant] shall include a report on the Identity Theft Prevention Program along with [his/her] regular reports to the Board on the [Information Security/Compliance] Program.

RESOLVED, that the Board hereby authorizes the [Chief Information Security Officer/Compliance Officer/Security Consultant] to spend up to ______________ dollars for development and implementation of the Identity Theft Prevention Program. Following implementation, the Identity Theft Prevention Program shall be included as an element of the annual [Information Security/Compliance] Program budget, according to ENTITY’s usual procedures.
_____________________________________________________________________________________

Copyright 2009 © John R. Christiansen/Christiansen IT Law
Creative Commons Attribution 3.0 License
Distribution Permitted with Attribution Retained

ENTITY NAME Identity Theft Prevention Policy
Information Security Policy No. 5.4

Objective of this Policy: The objective of this Policy is to provide assurance that neither ENTITY’s patients nor ENTITY are harmed by ENTITY’s receipt, creation, use, processing or disclosure of false or inaccurate personal information, including but not limited to protected health information as defined by Health Insurance Portability and Accountability Act of 1996 and its implementing regulations ("HIPAA").

This Policy is intended to help accomplish these objectives by providing guidance to ENTITY’s Workforce and Contractors, so that they will be able to:

  • Recognize events or circumstances which may indicate that identity theft is occurring or has occurred;
  • Know how to report possible identity theft;
  • Know who is responsible for and authorized to respond to possible identity theft; and
  • Know the procedures which should be followed in responding to possible identity theft.

Recognizing Identity Theft: All members of ENTITY’s Workforce and Contractors are responsible for knowing how to identify possible identity theft affecting an ENTITY patient.

Identity theft is the inappropriate or unauthorized misrepresentation of personal information for the purpose of obtaining access to property or services. Identity theft is often committed in order to obtain credit to purchase consumer goods, but may also be committed to obtain medical care, drugs and supplies, or payment for care, services or supplies. Identity theft may result in false or inaccurate information becoming included in medical and billing records, and other patient records, and provided to third parties who may rely upon it in making diagnostic, treatment, credit and other important decisions.

The following are examples of facts and circumstances which may indicate identity theft. These are only examples, and many other facts or circumstances may be identity theft indicators.
  • Identification documents which appear to have been altered or forged.
  • The patient cannot provide documentation of identifying information, such as a health insurance card.
  • The patient provides inconsistent identifying information, such as a Social Security Number in a range which does not correlate with the reported birth date.
  • The Social Security Number or other identification or account number provided is already identified with another patient.
  • The patient’s medical history, physical appearance or diagnosis is inconsistent with the same information in the medical records.
  • A report by the patient or insurance company that coverage for the provision of legitimate products or services has been denied because insurance benefits have been depleted or a lifetime cap has been reached, which is inconsistent with known coverage.
  • A patient inquires or complains about inappropriate billing or notices, such as:
      • A bill for another individual, for services the patient denies receiving, or from a health care provider the patient denies receiving services from.
      • An explanation of benefits or other insurance notification for products or services the patient denies receiving.
      • A collection notice or credit report for a debt for products or services the patient denies receiving, or from a health care provider the patient denies receiving services from.
  • The repeated return of mail sent to the patient’s address of record as undeliverable, while products or services continue to be provided to the patient.
  • Notification by the patient, an individual claiming to be a victim of identity theft, any law enforcement agency, or any other person that an account or record has been opened or created fraudulently by ENTITY.
  • The receipt of identification information associated with known fraudulent activity.
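Several of the indicators above can be checked automatically at registration or billing time, which is how an intake or billing system would raise them to staff before a record is created. The following is an added example, not part of the policy above or of any particular product, showing a screening routine over constructed intake records. It checks the indicators that are mechanical (an identifier already on file for another patient, structurally impossible Social Security Numbers, missing identity documentation, identifiers tied to known fraud, disputed bills, and repeated undeliverable mail while services continue); the correlation of an SSN range with a reported birth date is not implemented. Lookup tables hold a hash of the identifier rather than the identifier itself, so the screening data is not another store of plaintext SSNs. The field names, sample data and thresholds are assumptions made for the example.

```python
from __future__ import annotations
import hashlib
import re


def _token(identifier: str) -> str:
    # Lookup tables hold a hash of the identifier, not the identifier itself.
    return hashlib.sha256(identifier.encode()).hexdigest()


_SSN = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")


def ssn_structurally_valid(ssn: str) -> bool:
    """The SSA never issues area 000, 666 or 900-999, group 00, or serial 0000;
    an identifier outside those bounds is altered, forged or mistyped."""
    m = _SSN.match(ssn)
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    return area not in (0, 666) and area < 900 and group != 0 and serial != 0


def screen_encounter(enc: dict, registry: dict, known_fraud: set, returned_mail: dict) -> list[str]:
    """Return the red-flag indicators triggered by one intake/encounter record.

    registry:      identifier token -> patient_id already on file
    known_fraud:   identifier tokens previously tied to confirmed fraud
    returned_mail: patient_id -> count of mailings returned as undeliverable
    """
    flags = []
    tok = _token(enc["ssn"])
    if not ssn_structurally_valid(enc["ssn"]):
        flags.append("identifier implausible or altered")
    if not enc.get("id_document_verified"):
        flags.append("no documentation of identifying information")
    owner = registry.get(tok)
    if owner is not None and owner != enc["patient_id"]:
        flags.append(f"identifier already on file for another patient ({owner})")
    if tok in known_fraud:
        flags.append("identifier associated with known fraudulent activity")
    if enc.get("patient_denies_services"):
        flags.append("patient disputes bill/EOB for services not received")
    if returned_mail.get(enc["patient_id"], 0) >= 2 and enc.get("services_continuing"):
        flags.append("repeated undeliverable mail while services continue")
    return flags


# Constructed sample data; every identifier below is made up for the example.
REGISTRY = {_token("123-45-6789"): "P-1001", _token("987-65-4321"): "P-4004"}
KNOWN_FRAUD = {_token("555-55-5555")}
RETURNED_MAIL = {"P-4004": 3}
ENCOUNTERS = [
    {"patient_id": "P-1001", "ssn": "123-45-6789", "id_document_verified": True},
    {"patient_id": "P-2002", "ssn": "123-45-6789", "id_document_verified": True},   # same SSN as P-1001
    {"patient_id": "P-3003", "ssn": "000-12-3456", "id_document_verified": False},  # impossible area, no ID
    {"patient_id": "P-4004", "ssn": "987-65-4321", "id_document_verified": True,
     "services_continuing": True},                                                  # mail bouncing
    {"patient_id": "P-5005", "ssn": "555-55-5555", "id_document_verified": True,
     "patient_denies_services": True},                                              # known-fraud identifier
]


def screen_all() -> dict[str, list[str]]:
    """Screen every constructed encounter; patients with an empty list raised no indicator."""
    return {e["patient_id"]: screen_encounter(e, REGISTRY, KNOWN_FRAUD, RETURNED_MAIL)
            for e in ENCOUNTERS}


if __name__ == "__main__":
    for patient_id, flags in screen_all().items():
        print(patient_id, flags or "no indicators")
```

A hit from this routine is a prompt for the reporting and investigation steps the policy goes on to describe, not a determination that identity theft has occurred: a duplicate identifier is as often a data-entry error as a stolen one, which is why the policy routes findings to a person rather than to an automatic account block.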

Reporting and Responding to Potential Identity Theft: All members of the Workforce and Contractors are required to report possible or suspected identity theft when they obtain information or observe activities or records which reasonably seem to indicate its occurrence. The [Chief Information Security Officer/Compliance Officer/Security Consultant] shall provide forms for such reports. Reports may also be made to the [COMPLIANCE HOTLINE].

Each [BUSINESS UNIT] shall establish written procedures for reporting and initial investigation of potential identity theft, including identification of accountable investigative staff, expected investigative activities, and expected initial investigation response times. The results of each initial investigation shall be documented in writing. Reports and investigation results documentation shall be retained by the [BUSINESS UNIT] for one year. The [Legal Department/Chief Information Security Officer/Compliance Officer] shall review such documentation annually for internal reporting purposes.

In the event an initial investigation determines that there is a reasonable possibility of identity theft, the [BUSINESS UNIT HEAD] shall promptly report that finding to the [Legal Department/Chief Information Security Officer/Compliance Officer]. The [Legal Department/Chief Information Security Officer/Compliance Officer] shall document any such report and promptly initiate further investigative action. The results of any such investigation shall be documented in writing and retained by the [Legal Department/Chief Information Security Officer/Compliance Officer] for at least one year, and such reports shall be reviewed annually for internal reporting purposes.

Any identity theft confirmed by the [Legal Department/Chief Information Security Officer/Compliance Officer] shall be treated as a Security Incident, subject to the Security Incident Response Policy.

WHERE ANY INDIVIDUAL HAS REASON TO BELIEVE THAT POSSIBLE IDENTITY THEFT ACTIVITY HAS RESULTED IN THE RECEIPT, CREATION OR DISCLOSURE OF FALSE OR INACCURATE INFORMATION WHICH MAY BE USED IN CARE OR TREATMENT DECISIONS POTENTIALLY AFFECTING PATIENT HEALTH OR SAFETY, THE POTENTIAL IDENTITY THEFT SHALL BE REPORTED IMMEDIATELY TO THE [APPROPRIATE OFFICER].