Filed under: Business, Compliance, Healthcare, Regulatory
E-Signature implementation details:
e-signatures are part of the law required for part 11 compliance here is what the law says itself
Subpart C–Electronic Signatures
Sec. 11.100 General requirements.
(a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.
(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual`s electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.
(c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.
(1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations, 12420 Parklawn Drive, RM 3007 Rockville, MD 20857.
Sec. 11.200 Electronic signature components and controls.
(a) Electronic signatures that are not based upon biometrics shall:
(1) Employ at least two distinct identification components such as an identification code and password.
(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
(2) Be used only by their genuine owners; and
(3) Be administered and executed to ensure that attempted use of an individual’s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.
(b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.
E-Signatures are required when you are replacing a regulated process that is paper-based (required signatures) with electronic signatures. There are 2 parts to this
1 - As an organization you need to accept e-signatures as physical signatures (or the client running the software)
2- You need to implement the baseline features and have training and signatures of people accepting the signature requirement.
Here are some foundation e-signature requirements for a part 11 compliant system
1 – Unique accounts for each user who signs
2 – Encrypted connection to the system (SSL)
3 – They need to see and agree to the statement of intent to validate this you require some unique data like a username/password, digital identity (biometrics, dongle, rsa token), passphrase, they must provide this with the statement of intent for the signature so they understand they are signing it.
4 – Any user must be able to see all things they have signed in the system (a history of signatures and versions of documents)
5 – Auditing of the entire data stored in an immutable form with full history to prevent falsification (image with checksum etc..)
6- Each signature needs
a. the name of person
b. the date/time of signature
c. a storage mechanism to prevent tampering and ensure integrity
d. statement of intent
e. the role of person
7 – The things being signed cannot be pre-loaded with data, the person must fill out the form on their own, no defaults.
8 – If signing more than 1 thing within a 20 minute window, you can only require password for each signature rather than name/password within the session after 20 minuets they must enter both name and password.
9 – Signature and Data must be stored together and not be separable.