HIPAA compliant digital signatures: What is considered an adequate approach?
Posted on 2011-09-02
We have a need to provide a method for electronically signing a medical note (all text) within a custom EMR. I am researching the options for this with a desire for a solution that will be compliant, but not overly complex.
The 3 choices that seem to be prevalent are:
1) Signing via currently logged in user
2) Explicit signing via password prompt
3) Hardware-based signature capture
Choice 3 is too costly. Choice 1 has issues with shared workstations. This leaves choice 2. I already have a generic authentication mechanism built-in that prompts the user for the password on a specified Active Directory account. This is done via a WINAPI call. I use this to restrict access to certain parts of our EMR but I haven't used it for electronic signature before.
My question is: Does authenticating against an AD account and documenting the authentication electronically constitute a 'good enough' electronic signature solution or do I have to do something like creating a hash of the data signed and the signature used and store that?
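The "hash of the data signed plus the signature" idea from the question, as an added example that is not part of the original post: after the AD password prompt succeeds, the application writes a record binding the note's SHA-256 digest, the signer and a timestamp under an HMAC, so a later change to the note or to the record is detectable. The key, the `CLINIC\jdoe` signer and the note text are constructed placeholders; a per-user private key with a real digital signature would be the stronger form, but the record structure is the same.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed placeholder; a real deployment loads this from protected storage
# (DPAPI, an HSM, or a secrets vault), never from the same table as the records.
SIGNING_KEY = b"placeholder-key-replace-with-random-32-bytes"


def note_digest(note_text: str) -> str:
    """SHA-256 of the note text with line endings normalized to LF."""
    return hashlib.sha256(note_text.replace("\r\n", "\n").encode("utf-8")).hexdigest()


def canonical_payload(note_hash: str, signer: str, signed_at: str) -> bytes:
    """Fixed-order JSON so the same inputs always produce the same bytes to MAC."""
    fields = {"note_sha256": note_hash, "signer": signer, "signed_at": signed_at}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def create_signature_record(note_text: str, signer: str, signed_at: str = "") -> dict:
    """Build the record; call only after the AD password prompt succeeded for `signer`."""
    if not signed_at:
        signed_at = datetime.now(timezone.utc).isoformat(timespec="seconds")
    note_hash = note_digest(note_text)
    tag = hmac.new(SIGNING_KEY, canonical_payload(note_hash, signer, signed_at),
                   hashlib.sha256).hexdigest()
    return {"signer": signer, "signed_at": signed_at,
            "note_sha256": note_hash, "hmac_sha256": tag}


def verify_signature_record(note_text: str, record: dict) -> bool:
    """Recompute from the stored note; False if the note or any record field changed."""
    note_hash = note_digest(note_text)
    if record.get("note_sha256") != note_hash:
        return False
    payload = canonical_payload(note_hash, record["signer"], record["signed_at"])
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["hmac_sha256"])


if __name__ == "__main__":
    note = "Patient seen for follow-up.\nBP 120/80, no new complaints."  # constructed sample
    rec = create_signature_record(note, "CLINIC\\jdoe")
    print(verify_signature_record(note, rec))                              # True
    print(verify_signature_record(note.replace("120/80", "140/90"), rec))  # False
```

The AD authentication event itself should still be logged separately (who, when, from which workstation); the record above only proves that the stored note is the one that was signed.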