Coping with Electronic Records Setting Standards for Private Sector E-records Retention
Agenda
• E-SIGN records retention requirements
• Where to begin
• Developing performance standards
• Approaches and examples

Electronic Signatures in Global and National Commerce Act (E-Sign), P.L. 106-229
• Use of e-signatures and e-records in interstate and foreign consumer, commercial or business transactions
• E-signature provisions: effective October 1, 2000
• E-record retention provisions: effective March 1, 2001
  • Can be postponed until June 1, 2001 if regulations are “announced, proposed, or initiated” by March 1, 2001

E-SIGN Record Retention Standards
• Records retention requirements for private entities can be met with electronic records
• States can promulgate performance standards to assure records’ accuracy, integrity, and accessibility
• Such standards need not be technology neutral if they:
  • Serve an important governmental objective
  • Are substantially related to the achievement of that objective

E-SIGN Record Retention Standards
• States can require retention of a record in a “tangible printed or paper form” if:
  • There is a compelling government interest related to law enforcement or national security, and
  • Such a requirement is essential to attaining that interest

Time Frames
• March 1, 2001: E-Sign allows private parties to use e-records to satisfy retention requirements
• Date can be postponed to June 1, 2001 if an agency announces or initiates e-records retention performance standards by March 1, 2001
Where to Begin?
• Review and evaluate existing record retention and management requirements
  • What are they based on (law, regulation, policy)?
  • Are the requirements necessary to perform agency functions?
  • What is the extent of the agency’s authority?
• What are the agency’s regulatory needs and goals?
  • Audit
  • Consumer protection and oversight
  • Protection of state interests

Where to Begin?
• Evaluate the agency’s ability to review and analyze regulated parties’ e-records
  • Do you have the technical capability to handle e-records?
  • Does your staff have the necessary skills?

Where to Begin?
• Reach out to regulated parties to discuss e-record formats that meet their and the agency’s needs
  • What are the capabilities of the regulated parties?
  • Do standards and best practices already exist?
• Decide whether regulations are the appropriate approach or guidelines will suffice
  • Base the decision on factors specific to your state
• As needed, announce or initiate e-record retention rulemaking by March 1, 2001

Developing Standards
• Focus on your desired outcomes and critical points
  • Receiving, Capturing and Creating E-Records
  • Maintaining Accessible, Authentic, and Complete E-Records
  • Maintaining Secure, Reliable and Trustworthy E-Records Systems
Receiving, Capturing and Creating E-Records
• Creation or capture of adequate records
  • Standards for records’ structure, content, and format
  • Procedures and processes for the receipt, creation, processing, and filing of e-records
• Authenticated and identified records
  • Measures or standards to authenticate senders and determine the integrity of e-records
  • Measures or standards for secure transmission and processing of e-records

Maintaining Accessible, Authentic, and Complete E-Records
• Integrity of e-records
  • Information management standards
  • Standards for controlled storage or filing systems to ensure e-records’ integrity and accessibility
• Retain in an accessible form for legal retention periods
  • Search and retrieval standards
  • Retention standards
• Produce and supply authentic copies in usable formats, including hard copy

Maintaining Secure, Reliable and Trustworthy E-Records Systems
• System performs in an accurate, reliable, and consistent manner
  • Standards for system management policies and procedures
  • System performance tests
  • Audit trails of system activity

Maintaining Secure, Reliable and Trustworthy E-Records Systems
• Protect e-records to enable their accurate and ready retrieval
  • Standards and controls for the accuracy and timeliness of input/output
  • Media controls and standards
  • Backup standards

Maintaining Secure, Reliable and Trustworthy E-Records Systems
• Limit system access to authorized individuals for authorized purposes
  • System security policy and program
  • Physical and environmental security controls
  • Identification and authentication standards
  • Access control standards
Approaches
• Detailed regulations: include both outcomes and specific implementations in the regulations
• Outcome-focused regulation
• Limited but targeted regulations
• Limited regulations supported by specific guidelines

Example – Detailed regulations
• HIPAA Security Standards, 45 CFR Part 142
  • Administrative Procedures: to establish and enforce security policies
  • Physical Safeguards: to protect physical computer systems, buildings and equipment from hazards and intrusions
  • Technical Security Services: to protect, control and monitor access to data
  • Technical Security Mechanisms: to protect and restrict access to data transmitted over a network

Approaches – Outcome focused regulations
• FDA 21 CFR Part 11, Electronic Records
• Controls for closed systems
  • Validation of systems to ensure accuracy, reliability, and consistent performance
  • Ability to conclusively discern invalid or altered records
  • Ability to generate true copies of records in both human readable and electronic form, suitable for inspection, review, and copying by the agency
  • Protection of records to enable their accurate and ready retrieval throughout the records retention period
  • Limiting system access to authorized individuals

Approaches – Outcome focused regulations
• Controls for closed systems (cont.)
  • Use of time-stamped audit trails to document record changes; record changes must not obscure previously recorded information
  • Audit trail documentation retained for as long as the subject e-records and available for agency review and copying
  • Use of operational checks, authority checks, and device (e.g., terminal) location checks
  • Confirmation that system staff have the education, training, and experience to perform their assigned tasks
  • Written policies which hold individuals accountable and liable for actions initiated under their electronic signatures
  • Use of appropriate systems documentation controls
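To make the closed-system controls above concrete, here is an added illustration (not part of the slide deck and not any agency's reference code) of a minimal e-records store: every change goes into a time-stamped audit trail, earlier versions are never overwritten, the trail is hash-chained so an altered entry is conclusively detectable, and a human readable true copy can be produced. The record ids, users and values are constructed sample data.

```python
import hashlib
import json
from datetime import datetime, timezone

# Added illustration of the Part 11-style controls listed above; the class,
# record ids and sample values are assumptions for this example, not a standard.
class AuditedRecordStore:
    GENESIS = "0" * 64  # chain anchor for the first audit-trail entry

    def __init__(self):
        self.versions = {}  # record_id -> every value ever recorded, in order
        self.trail = []     # append-only, time-stamped, hash-chained audit trail

    @staticmethod
    def _entry_hash(body, prev_hash):
        # Each entry commits to its own content and to the previous entry's hash
        payload = json.dumps(body, sort_keys=True) + prev_hash
        return hashlib.sha256(payload.encode()).hexdigest()

    def write(self, record_id, value, user, when=None):
        """Record a new version; prior versions remain retrievable (never obscured)."""
        when = when or datetime.now(timezone.utc).isoformat()
        self.versions.setdefault(record_id, []).append(value)
        body = {"seq": len(self.trail), "time": when, "user": user,
                "record": record_id, "version": len(self.versions[record_id]),
                "value": value}
        prev = self.trail[-1]["hash"] if self.trail else self.GENESIS
        entry = dict(body, hash=self._entry_hash(body, prev))
        self.trail.append(entry)
        return entry["hash"]

    def current(self, record_id):
        return self.versions[record_id][-1]

    def history(self, record_id):
        return list(self.versions[record_id])

    def verify(self):
        """Recompute the chain; returns (ok, index of first altered entry or None)."""
        prev = self.GENESIS
        for i, entry in enumerate(self.trail):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if self._entry_hash(body, prev) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, None

    def human_readable(self):
        """True copy of the trail in human readable form (the 'hard copy' view)."""
        return "\n".join(f"{e['time']} {e['user']} {e['record']} v{e['version']}: {e['value']}"
                         for e in self.trail)
```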
Example – Targeted regulations
• Minnesota Dept. of Health, Nursing Homes, Chap. 4658: use of an electronic health information system
  • Policies and procedures for password protection
  • Contractor must maintain the confidentiality of all information
  • Audit trails for the source and date of all entries and deletions
  • Backup systems must be implemented and maintained
  • Preventive maintenance of the system
  • Plan for preparing, securing, and retaining archived copies of data
  • Procedures for preparing and securing daily, weekly, and monthly archived copies of data
  • Protection from unauthorized use of active and archived records

Example – Limited regulations
• Minnesota Board of Dentistry, Chapter 3100, Subp. 14, Electronic recordkeeping
  • The requirements that apply to paper records apply to electronic recordkeeping
  • When electronic records are kept, a dentist must either keep a duplicate hard copy record or use an unalterable electronic record

Conclusion
• Focus on
  • Regulatory goals and desired recordkeeping outcomes
  • Processes and systems
• Utilize accepted and implementable standards
• Use regulations to regulate and guidelines to assist
• Stay current and periodically revisit regulations and guidelines
• Communicate with the regulated community