4.1 This guide has three purposes:

4.1.1 To serve as a guide for developers of computer software that provides, or makes use of, authentication and authorization processes,

4.1.2 To serve as a guide to healthcare providers who are implementing authentication and authorization mechanisms, and

4.1.3 To be a consensus standard on the design, implementation, and use of authentication and authorization mechanisms.

4.2 Additional standards will define interoperable protocols and message formats that can be used to implement these mechanisms in a distributed environment, using specific commercial technologies such as digital signatures.

1.1 This guide covers mechanisms that may be used to authenticate users of healthcare information (both administrative and clinical) to computer systems, as well as mechanisms to authorize particular actions by those users. These actions may include access to healthcare information documents, as well as specific operations on those documents (for example, review by a physician).

1.2 This guide addresses both centralized and distributed environments, by defining the requirements that a single system shall meet and the kinds of information that shall be transmitted between systems to provide distributed authentication and authorization services.

1.3 This guide addresses the technical specifications for how to perform user authentication and authorization. The actual definition of who can access what is based on organizational policy.
This specification covers the use of digital signatures to provide authentication of healthcare information. It describes how the components of a digital signature system meet specified requirements, including specification of allowable signature and hash algorithms, management of public and private keys, and specific formats for keys, certificates, and signed healthcare documents. This specification, however, does not prescribe any particular policy regarding which documents shall be authenticated, and by whom.

1.1 This specification covers the use of digital signatures to provide authentication of healthcare information, as described in Guide E 1762. It describes how the components of a digital signature system meet the requirements specified in Guide E 1762. This includes specification of allowable signature and hash algorithms, management of public and private keys, and specific formats for keys, certificates, and signed healthcare documents.

1.2 This specification should be read in conjunction with Guide E 1762, which describes the scope of, and requirements for, authentication of healthcare information. This specification describes one implementation (digital signatures) that meets all of the requirements of Guide E 1762. It does not prescribe any particular policy regarding which documents shall be authenticated, and by whom.
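The scope above names the pieces a digital-signature system for healthcare documents has to pin down: an allowed list of signature and hash algorithms, a public/private key pair, a key format the verifier can parse, and a signed-document structure that carries the document, the signature and the algorithm identifiers. The following Go program is an added illustration written for this page; it is not code from the specification, and the specification text here does not list which algorithms it actually allows. The choices of ECDSA over P-256, an allowed-hash list of SHA-256 and SHA-384, a PEM "PUBLIC KEY" block as the key format, and the SignedDocument field layout are all assumptions made for the example. The sample document is constructed.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	_ "crypto/sha256" // registers crypto.SHA256 so crypto.SHA256.New() works
	_ "crypto/sha512" // registers crypto.SHA384
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// SignedDocument carries a document with a detached signature and everything a
// verifier needs to check it. The layout is assumed for this example, not taken
// from the specification.
type SignedDocument struct {
	Document  []byte
	HashAlg   crypto.Hash
	SigAlg    string // informational label, e.g. "ECDSA-P256"
	Signature []byte // ASN.1 DER-encoded ECDSA (r, s)
	SignerPEM []byte // PEM "PUBLIC KEY" (PKIX) block of the signer
}

// allowedHashes stands in for the specification's list of allowable hash
// algorithms; the membership here is an assumption for the example.
var allowedHashes = map[crypto.Hash]bool{crypto.SHA256: true, crypto.SHA384: true}

// NewSignerKey generates a P-256 signing key (an example choice of algorithm).
func NewSignerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// digest enforces the allowed list before hashing, so both signer and verifier
// refuse algorithms the policy does not permit.
func digest(h crypto.Hash, doc []byte) ([]byte, error) {
	if !allowedHashes[h] {
		return nil, fmt.Errorf("hash algorithm %v is not on the allowed list", h)
	}
	if !h.Available() {
		return nil, fmt.Errorf("hash algorithm %v is not linked into this binary", h)
	}
	hasher := h.New()
	hasher.Write(doc)
	return hasher.Sum(nil), nil
}

// Sign hashes doc with h and signs the digest with priv, embedding the public
// key in a format the verifier can parse without out-of-band data.
func Sign(priv *ecdsa.PrivateKey, doc []byte, h crypto.Hash) (*SignedDocument, error) {
	d, err := digest(h, doc)
	if err != nil {
		return nil, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, d)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	return &SignedDocument{
		Document:  append([]byte(nil), doc...),
		HashAlg:   h,
		SigAlg:    "ECDSA-P256",
		Signature: sig,
		SignerPEM: pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}),
	}, nil
}

// Verify re-derives the digest and checks the signature with the embedded key.
// The allowed-list check runs before the signature is touched, so editing
// HashAlg cannot downgrade the verifier to a weak hash.
func Verify(sd *SignedDocument) error {
	d, err := digest(sd.HashAlg, sd.Document)
	if err != nil {
		return err
	}
	block, _ := pem.Decode(sd.SignerPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return errors.New("signer key is not a PEM PUBLIC KEY block")
	}
	pubAny, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return err
	}
	pub, ok := pubAny.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("signer key is not an ECDSA key")
	}
	if !ecdsa.VerifyASN1(pub, d, sd.Signature) {
		return errors.New("signature does not verify against the document")
	}
	return nil
}

// Demo exercises the cases a practitioner cares about: a valid signature
// verifies, a one-bit change to the document is rejected, and a hash that is
// not on the allowed list (SHA-1 here) is refused at signing time.
func Demo() (validOK, tamperRejected, weakHashRejected bool, err error) {
	priv, err := NewSignerKey()
	if err != nil {
		return
	}
	doc := []byte("Progress note: patient reviewed, plan unchanged.") // constructed sample
	sd, err := Sign(priv, doc, crypto.SHA256)
	if err != nil {
		return
	}
	validOK = Verify(sd) == nil
	sd.Document[0] ^= 0x01 // flip one bit of the signed content
	tamperRejected = Verify(sd) != nil
	_, weakErr := Sign(priv, doc, crypto.SHA1)
	weakHashRejected = weakErr != nil
	return
}

func main() {
	v, t, w, err := Demo()
	fmt.Println("valid verifies:", v, "tamper rejected:", t, "SHA-1 rejected:", w, "err:", err)
}
```

The point of routing both Sign and Verify through the same allowed-list check is that the policy on algorithms lives in one place; a signed document that names an algorithm outside that list is rejected before any cryptographic work is done. Binding the signer's key into the signed structure is a convenience for the example; in a deployed system the key would be validated through a certificate, which this example does not model.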
4.1 This guide serves three purposes:

4.1.1 To serve as a guide for developers of computer software providing, or interacting with, electronic signature processes,

4.1.2 To serve as a guide to healthcare providers who are implementing electronic signature mechanisms, and

4.1.3 To be a consensus standard on the design, implementation, and use of electronic signatures.

1.1 This guide covers:

1.1.1 Defining a document structure for use by electronic signature mechanisms (Section 4),

1.1.2 Describing the characteristics of an electronic signature process (Section 5),

1.1.3 Defining minimum requirements for different electronic signature mechanisms (Section 5),

1.1.4 Defining signature attributes for use with electronic signature mechanisms (Section 6),

1.1.5 Describing acceptable electronic signature mechanisms and technologies (Section 7),

1.1.6 Defining minimum requirements for user identification, access control, and other security requirements for electronic signatures (Section 9), and

1.1.7 Outlining technical details for all electronic signature mechanisms in sufficient detail to allow interoperability between systems supporting the same signature mechanism (Section 8 and Appendix X1-Appendix X4).

1.2 This guide is intended to be complementary to standards under development in other organizations. The determination of which documents require signatures is out of scope, since it is a matter addressed by law, regulation, accreditation standards, and an organization's policy.

1.3 Organizations shall develop policies and procedures that define the content of the medical record, what is a documented event, and what time constitutes event time. Organizations should review applicable statutes and regulations, accreditation standards, and professional practice guidelines in developing these policies and procedures.