Compliance & Fraud Prevention In The EHR

dashingincestuousSecurity

Feb 22, 2014 (3 years and 5 months ago)

88 views

Compliance & Fraud Prevention
In The EHR

Terri Hall, MHA, RHIT, CPC, CAC

Billings Area Office Indian Health Service

HIM/RM Coordinator

Definition of Healthcare Fraud


Intentional deception

or
misrepresentation
, or
deliberate
omission

that the individual or entity
makes,
knowing

that the
misrepresentation could result in some
unauthorized benefit to the individual, or
the entity or to some other party.

(National Healthcare Anti
-
Fraud Association)

Definition of Healthcare Fraud




HIPAA legislation says “known or should
have known.”


“Due Diligence” obligation to identify,
report and prevent fraud.

Identified Areas of Concern
-

EHR



Authorship Integrity


borrowing from another source. Inflating services.


Auditing Integrity



Inadequate audit functions.


Documentation Integrity




Automated insertion of clinical data and visit documentation
(templates, pull forward, copy and paste, etc.)


Patient Identification and Demographic Accuracy


Automated demographic or registration entries generating
erroneous patient identification, leading to patient safety and
quality of care concerns and unjust care for profit. (location of
service, technical, professional, global billing)

Fraud Can Be Detected


Through a variety of technology
capabilities.


Abnormal pattern recognition.


Powerful system audits.


Practice pattern monitoring.


Tracking of controlled substances.

Definition of the Legal Health
Record


Remember:
EDNA HUFFMAN
,
RRA
,
1941
, 6
TH

EDITION REVISED BY
AMRA
!, Elizabeth Price,
RRA
, Editor


The medical record is the who, what, why, where,
when and how of patient care during
hospitalization
.
It stores the knowledge concerning the patient and
his

care. To be complete, the medical record must
contain sufficient information to clearly identify the
patient, to justify the diagnosis and treatment, and to
record the results. (
Oh! How times have changed
)

The Legal Paper
-
Based Health
Record Definition


2001 AHIMA Practice Brief






Definition of the Health Record for Legal
Purposes defines the legal health record as “the
legal business record generated at or for a
healthcare organization. This record would be
released upon request. (M. Amatayakul AHIMA
72, no.9 (2002): 88A
-
H)

Definition of the Health Record for
Legal Purposes



It used to be “
straightforward
” (Contents of the paper chart
together with radiology films or the results of other imaging studies
formed the healthcare provider’s legal business record).



NOW


it is more
COMPLEX




The EHR is
evolving

both in
development pace

and
design
prioritization
.



Therefore each organization has to
define the content of the
legal health record

that best fits their system capabilities
and legal environment.



Definition of the Legal Health
Record


LHR is the
organization’s business record
.


Record that would be
disclosed upon request
.


The LHR
IS NOT Peer Review, Incident Reports
,
(however these can be discoverable)


The
custodian

of the LHR is the
HIM Director
. (However,
IT may be called upon for technical infrastructure of
EHR)


HIM oversees

the operational functions related to
collecting, protecting, and archiving the legal health
record

while
IT managers the technical infrastructure

of
the EHR……………

The LHR is Expected to meet…


CMS, Medicare Conditions of
Participations.


Federal regulations, state laws, and
standards of accrediting agencies,
such as JCAHO, AAAHC, etc.,


Policies of the healthcare
organization.

The Legal
Hybrid

Health Record


Paper

documents and
electronic

media = Hybrid



Identify the “
source
” (paper or electronic)



Matrix
-

identify the
source legal record.



Policies

should indicate when the
record is considered complete
.



The
paper portion

of the
LHR

is
collected

and
archived
.



Electronic

portions of the record are
collected

and
archived

in
source systems
. There must be a
clear indication of the location

where portions of a patient record are located.


So, What is Not Part of the LHR?
Data/Documents/Tools


NOT Part
of the LHR


Alerts/Reminders/Pop
-
Ups


however,
associated documentation is considered a
component of the LHR.


Continuing Care Records


received from
another healthcare provider,
unless they
are used in the provision of patient care.


Do you have a Plan when the EHR
goes down?

Downtime Procedure Documents


EHR is
unavailable

is there a process in place
for providers to continue with their
documentation of patient care?



Once the EHR function is
restored
, the
information from the downtime documents must
be made part of the EHR, data entry, scanning,
or
recreating
documents in various subsystems

What are
Administrative

Data/Documents? They are
NOT

Part of the LHR…


Abbreviation lists


Authorization forms for ROI


Audit trails related to EHR


Correspondence


ROI


Databases containing patient information


Event history/audit trails


Financial and insurance forms


Incident or patient safety reports


Indices (diseases, operation, death)


IRB lists


Logs


NPP


Patient identifiable claims


Patient identifiable data for QI


Protocols/Clinical pathways, practice guidelines


Psychotherapy notes


Registries


Staff roles and access rights


Work lists/work in progress

What are
Derived

Data/Documents? They are
Not

Part Of The LHR.


Definition:

Derived Data consists of information aggregated or
summarized from patient records so that there are no means to
identify patients

.


Accreditation reports


Anonymous patient data for research


Best practice guidelines created from aggregate patient data


OASIS reports


ORYX, quality indicator, Quality Measure or other reports


Public Health reports


Statistical reports


Transmission reports, MDS, OASIS, etc. (documentation is LHR)


Data/Documents = LRH


Advance directives, allergy records, documentation from alerts and
reminders, analog and digital photographs, anesthesia records, care plans,
consent forms, consults, images, discharge instructions, DS, e
-
mail
messages containing patient
-
provider or provider/provider communications
regarding care, ER records, fetal monitoring strips, functional status
assessments, graphic records, immunizations, instant messages, I&O, med
orders and profiles, (MDS, OASIS, GPRA, ORYX
-

used in the course of
patient care) progress notes, nursing assessments, OP reports, Patient
Identifiers, patient submitted documentation, path, education, psychology,
post it notes, practice guidelines or protocols, problem lists, H&P, research
records, respiratory, PT, Speech, Occupational, results of tests, studies,
standing orders, telephone messages, telephone orders, trauma tapes,
verbal orders, wave forms ECG, EMG, EKG, M&M
-
COP required by CMS.


BROKE ALL OF THE POWER POINT RULES!!!!

Have you really thought about the New
Technologies? Are they part of the
LHR?


Examples

of
documents/data

that should be
evaluated for
inclusion

or
exclusion

from the
LHR…


Audio files of dictation


Audio files of patient telephone calls


Nursing shift to shift reports handwritten or audio


Videos of office visits


Videos of procedures


Videos of telemedicine consultations


Videos of Behavioral Health telemedicine visits

Are Data/Documentation that reside in
Data Source Systems part of the LHR?


Records from Source Systems



X
-
ray, Lab, Pharmacy, etc.



Result of Tests



Documents that are kept in a separate system


of record


Behavioral Health


Substance Abuse





The
determining factor

in whether
something is to be considered part of
the
LHR

is not where the information
resides, or the format of the
information,

but rather
how the
information is used and whether it is
reasonable to expect the information
to be routinely released

when a
request for MR information is
received.


Electronic Health Record Systems
(
EHRS
)
vs.

Legal Health Record



EHRS is a concept that consists of
numerous
integrated, component information systems and
technologies.




The electronic files that make up the EHR system’s
consist of
different data types
, and the
data in the
files consist of

different data formats
.



Portions

of the
legal EHR

may be
located in various electronic
systems

that provide input to the Electronic Health Record
, i.e.,
lab, pharmacy, PACS, Cardio, Results Reporting, CPOE, Nurse
care plans, word processing, fetal trace monitoring, etc.

EHRS
-

Compliance Auditing &
Monitoring



Do you have a system/process in place to

ensure the integrity of the data in the EHR?

Do You Know Where & How The
Data is Stored?


May store
structured
, patient clinical, administrative
data

in a
database

or
clinical data repository
.



May store
unstructured
,
patient clinical data

in
separate
databases

or
repositories (PACS
-
X
-
Ray)

and
provide
pointers from the clinical portal to these various
repositories.

(Architecturally, these databases are
logical, but not physically linked).



The
challenge for HIM

in
defining a legal health record

in
an EHRS is to
determine which data elements, electronic
structured documents, images, audio files, and/or video
files become part of the legal electronic health record
.

Is This Your EHR Team?


Clinical


Those who use the tools.



IT/CAC



The information technology experts who
create, maintain, and improve the tools.



HIM



Those who
assure the technology “fits
” the
environment formed within the medical
-
legal, regulatory,
and information management standards domains.




Working together to ensure that the technical tools
fit the tasks and the environment for all uses of
health care information.

HIM Professionals are….


Ideally suited to provide domain expertise and

leadership.


Conscientious advocates, ensuring that the EHR system

is optimally planned, chosen, implemented, and

managed.


The traditional and continuing custodian of the medical

record and medical record system, regardless of the

media!


Trained to ensure the quality, privacy, and integrity of

the EHR, whether on paper or electronic!

Today, the HIM Professional is an integral
part of the team that maintains
vigilance
over the health information technology
realm, so that health information
management
standards

are consistently
applied across all systems in order to
maintain the level of
integrity of the data

which is necessary for the
clinical
,
risk
management
, and
medical
-
legally
sound
operations of the healthcare organization.

Are The Organization’s Leaders On Board?


In

complying

with all
laws and regulatory requirements

and to operate in

an
ethical
manner?


Defining

and

prohibiting

the
entry of

false information
?


Defining

individual responsibility

and
accountability

for the
accuracy and

integrity of information/data?


For
notifying management of errors

which are discovered?


Promoting
mandatory training

covering the
falsification of information

and information security?


Has assigned
responsibility to someone
for the organization’s

information security
program?



Does the Organization Establish EHR and
HIM related policies?





Specific
clinical documentation requirements
?



Defining required

logging of activity

on EHR
systems?



Defining how

changes, corrections,
amendments, retractions

occur in the EHR
and
by whom
?



Does the EHR Education Program
meet the following objectives?



Communicate

& inform the
organization’s P&P
,
individual responsibility
, and the
capabilities and
functions of the EHR system?



Explain
staff responsibilities

for
maintaining
the
integrity and accuracy of information
?



Define
personal responsibilities

for
protecting system
access information?



Define
personal responsibility for creating accurate
records?



Education Program,
continued…


Staff responsibility to
notify management

of problems?



Cover the
proper use and features and functions

of the EHR?



Defines penalties for falsifying

any organizational records?



Provide instruction on
how to use the system security features for
preventing unauthorized access?



Inform all EHR users

that their
activities are being logged

by the
system?



Address software design and other techniques

that may be used to
cause system users to enter
false information
? (
Copy/Paste/Fill In
The Blank Templates)

Does the EHR System Provide

Access Control Functions
?





That define the
management of user authentication?

(scribes, assistants, auto authentication (many
documents at one time (NO).



Many authenticators, not one signer for visit
functionality.



That
define the management

of extensive
privilege
assignment and control features?



EHR Fraud Prevention


Does the EHR system have the capability/functionality to…



Attribute the entry to the original signer?


Modification/addendums made to documents?


Deletion of information (retraction) by a

specific

individual

or
subsystem
?


Do
bells and whistles sound

when someone tries to
pull forward a large
section of a H&P done by another provider? Warning message, lock
down of record?



Does the EHR system have the
capability to log all activity?


How do you know who did an addendum, amendments, retraction of
note?


Audit Logs


What Events Should
Be Recorded?


Start
-
up

and
shutdowns

of systems


Successful
and
unsuccessful

log in

and
log
-
out
.


User actions

to
open
,
close
,
create
,
execute
,
modify
, or
delete programs or files
.


Actions taken

by
system administrators, system
security administrators
, or other super users.


Changes or attempts to change privileges and
access controls for users and objects
.



Does the EHR system have the capability to
use a
common date and time stamp

across
all components of the system?



Date and time when orders were signed


When visit was signed


When orders were transcribed


Date & Time for addendums


Date and time and attribution of copy and
paste documentation done by another
provider?


Does the EHR system have data
entry editing capabilities?


To
validate information on entry

when
possible? (
edits to alert provider of values out
of range, dosage based on age and weight
)


To check for
duplication and conflicts
? (PCC
Error report


coding queue reports)


To
control and limited automatic creation

of
information? (template check boxes)


Does the EHR system establish a process
for logging of all activity on EHR systems?



That determines which
logging features

should be used?


That
assigns responsibility for auditing of log

entries and reported exceptions?


That
defines retention periods

and
procedures
for log records?


That
define system related performance
issues
?



EHR Matrix = Hybrid = P/E






How will you keep track of what is still on
paper and what is in the EHRS?

Sample Legal Source Legend


Hybrid Environment Matrix

Report

Document
Types

LHR Media
Type (P) paper
or (E)
electronic

Source
System
Application
(non
-
paper)

Electronic
Storage Start
Date

Stop Printing
Start Date

H&P

P/E

Notes Tab or
EHR template

1/2/2006

8/1/2006

Lab

P

RPMS
-
Lab

Physician
Orders

E

EHR Orders
(CPOS) tab

X
-
ray

P

RPMS X
-
ray

Discharge
Summary

E

EHR V 1.1

1/1/2006

4/1/2006

Defining the Legal EHR


Tracking
Data/Document Types
-

Matrix

Original

Analog
Documents

&

Document
Image Data

Discrete,
Structured
Data

Diagnostic
Image Data

Signal
Tracing
Data

Audio
Data

Video
Data

Text
Data

Hand
-
written
notes and
drawings



Signed
patient
consent
forms

Lab Orders


Results,


Meds orders


MARs


Online
Charting and
documentation


Detailed
charges

CT, MRI,


Ultrasound,


Nuclear
Med


Pathology
Images

EKG/EEG



Fetal

Monitor

Strips

Voice
Dictations
and

Annotations,

Heart
Sounds

Ultrasound


Cardiac
Catheterization

Exams


Heart
Sounds

Radiology
reports,


Transcribed
reports,


UB and
Itemized
bills

Maintaining the Legal EHR:
Verification
Legend
X

= Prohibited & Monitored

O

= Allowed & Monitored

Report/Document
Type

Audit



Authentication

Visit Note



signed by
“ONE” care
giver

Authorship

Many

Signers

Copy/Paste



Amend



Correct

Clarify

Encounter
History

O

O

O

X

O

O

O

Encounter
Physical

O

O

O

X

O

O

O

Visit Note

O

O

O

X

O

O

O

Social History

O

O

O

X

O

O

O

Medication
List

O

O

O

X

O

O

O

What does the HCCA think are the
Top 12 Hot Topics For
Compliance?


Medical
appropriateness
of
coding

and
DRG services


Unbundling

of hospital outpatient services


Outpatient department payments


Evaluation of “
incident to
” services


Inpatient Only services

performed in an
outpatient setting


Physical and occupational therapy services


Inpatient rehab facility

compliance and Medicare requirements.


Outpatient outlier

and other
change
-
related issues
.


Payments for
observation services vs. inpatient admissions

for
dialysis.


Cardiography and echocardiography


Review of
E&M services during global surgery periods
.


Inappropriate payments for
interpretation of diagnostic x
-
rays in
hospital emergency departments.

Selecting EHR System Features To
Prevent Fraud


Access Control


To verify authorship there are two concepts:
authentication & access management.



User Authentication



is the process of determining whether
someone or something is, in fact, who or what it is declared to be.



Something the user is



Biometric I.D., Fingerprint or Retinal or
DNA sequence voice pattern, signature recognition.


Something the user has



ID card, security token, or software
token.


Something the user Knows



password or a personal I.D.
number (PIN).


A duel element authentication should be considered as a

reasonable control policy.

EHR System Features To Prevent
Fraud




Extensive Privilege Assignment & Control Features



Access
Management


AKA


Authorization, is the process of verifying that
a known person has the authority to perform a certain operation.


Logging of all activity



the EHR system must have the ability to
record all activity that occurs within the system.


Data Entry Editing



Verify validity of information


warn,
male/female ICD codes, billing codes, medical necessity
documentation.


Checks for duplication and conflicts



MR #s, medical
management options (life threatening drug interactions), system
prompt capability


(system controls the prompt occurrence


lack of
use or misuse by provider).


Case Study/Worst Case Scenario I


Electronic Tools that Enable “Borrowing”
Data from Another Source


Electronic tools make it
easy to copy and past

documentation from one record to another or
pull information forward

from a
previous visit
.


Borrowed data

cannot be tracked

back to the
original source creating both a legal and a
quality of care concerns.


Worst Case Scenario II

Professional Services


E&M Code


A patient had a number of
medical tests and diagnostic

evaluation in an outpatient clinic over a two week period.
The
patient requested a copy

of his MR along with the
bills for services. The
E&M codes

he found were
consistently at the
highest level (5).

The patient was a
retired auditor

for
health plans

and he noticed that the
medical history was “pulled through”

within departments,
between department and in subsequent visits with the
same provider

using the EHR system,
even when the
visits did not include the clinician taking a history
!
He
reported this to the fraud division.

Behavioral Health Service III



Cookie Cutting



A
state department

of
health surveyor

identified a nurse

at the
community hospital
documenting the same text on progress
notes completed for several patients on her caseload.

This
practice involved
copying and pasting

the same text from one
record to another, neglecting to accurately document the
variations

from one patient to another.



Example: the patients response to meds may differ, request for
follow up date and time may differ.




Thus, Medicaid Fraud Division imposed fines and penalties
for payment for care which was not rendered at the level of
service claimed.

Academic Medical Center &
Physician Services Worst Case IV


Patient admitted to hospital for workup to determine Hypertensive

episodes.






Patient is status post mitral valve replacement with porcine graft and
also with pacemaker. The physician progress notes in a hospital
based EHR were copied and pasted multiple times by the attending
physician, consulting physician and residents, using a convenient
“macro” feature available in the software. The teaching physician
made this a regular practice to copy and past the resident notes as
his own, thus saving time. A new resident misdiagnosed the patient
with adrenal insufficiency and recorded the incorrect diagnosis in the
MR. Due to the normal routine of “borrowing” documentation higher
E&M codes were assigned based on the diagnosis and treatment,
and at the same time creating a patient safety and quality of care
issue from reliance on inaccurate MR documentation. The patient
died from a med error in an attempt to treat the adrenal insufficiency
which she did not have!


Best Case Scenario


Example IV

This hospital made sure that their EHR had specific patient

safety and documentation integrity tools built into the design.



Orientation to new staff and students

on how to use the tools for
accurate and complete documentation.



Entries
include the
date and time stamp and the author

of the note.



Teaching physicians must sign into the system

so the appropriate
authentication is attached to their chart entry and any templates must be
modified to reflect specific conditions and observations unique to the
service.



Teaching physicians must be physically present

to report services for
health plan claims.



Medical necessity and intensity of service documentation is unique to
each visit,

so when EHR templates and macros are not modified, they
are clearly identified both by a different screen color and by a watermark
across the text saying “ Unmodified Documentation Template”

Best Case Scenario continued..


Info buttons

provide the
documentation guidelines

and
reporting requirements for teaching physicians, available at the
click of the mouse


Alerts

are generated when a
copy and past function

is used
warning the EHR user about Plagiarism.



Creation of a full slate of
documentation guidelines
, P&P for
EHR and EHR tools.


Records get “
locked down
’ for either
pulling forward

or
copying text content

to another location.



Policies about
surrogates and scribes
.


Creation of a
clinical documentation improvement program


Best Case Scenario
continued…


The
integrity of data

is of
extreme importance

because it is used to
identify
and
track patients

as they move from one level of care to another.



Data is used to
verify the identity

of an individual
to insure that the
correct patient

is receiving the
appropriate care

and to
support billing activity.




Data Integrity


Worst Case

Clinical Notes with difficulty in date association



Patient seen on September 2, 2006 and informed the physician of a

possible reaction to a prescribed medication. Physician is side tracked and

does not enter visit information. On September 5
th

the same physician

is back on duty and realizes he did not made an entry for the September 2
nd visit.


The physician decides that he wants the date to reflect the actual date the

patient was seen, so he changed the date to Sept. 2, 2006 @ 11:30 am. He

proceeds to enter the documentation, documenting the symptoms the patient

described surrounding the medication reaction as best he could.


When another provider reviewed the record, he saw the “new” note. This

provider worked over the weekend and did not recall seeing this information.

Upon further review the clinician sees that the date displayed is Sept. 2, 2005

@ 11:30 am.


Best Case Scenario


Data
Integrity


Clinical notes with difficulty in data association…



Text capability in the EHR has built in data functionality hard coding
the date a note is entered or capability to “Lock Visit”
-

2 days


if
provider forgot to document note.




The clinician should have the ability to associate the note with a
date of service to reflect both a reference date of when they saw the
patient as well as an indication of a late entry/addendum/clarify.



Both of these dates are important to best practices in HIM.

Note and Event Entries


Date/Time Stamp
-

Peripherals


A facility has multiple
biomedical peripherals

connected to the EHR:
Portable EKGs, IV Infusion Pumps, Etc. The main system has a
synchronized clock for display with date and time stamping on
notes, lab results, etc.
Quality indicators say that an EKG must be
performed within 10 minutes of arrival to the ER for chest pain

patients. The patient is brought to the ER at 23:55 on 9/1/2006. An
EKG is started and completed per orders entered at 23:57. EKG is
uploaded, read and interpreted. At 00:30 on 9/2/2006 the clinician
completes her documentation of the assessment and orders
admission for AMI. Upon review, the EKG is reported as being
ordered @ 23:57, but not completed until 9/2/2006 @ 00:45. This is
15 minutes after the note entered by the clinician, stating the EKG
was done and showed ST Elevation MI.


Note:

This case fell out of PI review, and would have difficulty

Standing up in court. The
linkage of peripherals

needs to have the

clocks on each system synchronized

to support the integrity of the

data.

Worst Case Scenario


Med Errors


Failure of an EHR system to provide appropriate safeguards against
med errors, including either the wrong patient, wrong drug, or failure
to consider all available data can contribute to poor quality care.



The physician order entry software provides the capability for default
self selection upon entering the first (3) letters of the drug. The
physician wanted Norfloxacin (antibiotic for eye infection) and typed
in NOR, but Norflex (muscle relaxant) came up. Both are oral
medications. The order was signed and the meds made available
for pick up .




The patient began taking the Norflex and returned to the ER by
rescue squad later the same week with a septic shock due to a very
serious bacterial infection of the left eye.

Best Case Scenario


Med
Error


Built in
safeguards in the (CPOE
) software suite to
prevent med errors
.



The system does not allow software to
self select (or default
), and requires
a second validation.



The system provides the user the
opportunity to finish typing
.



The software provides a
list of options (or drop down menu
) he user can
select from, then provides alerts or reminders from a knowledge base.



Per policy
no abbreviations

are allowed in the ordering of the full name of
the drug.



The system provides a
warning message

at the time of signature for
contraindications

and
potential adverse effects
.



The system asked the provider to
verify selection of Norfloxacin

as it is
noted in the current med history that the patient experienced an
anaphylactic reaction

to another
antibacterial agent
.

IHS
-

EHR Compliance Issues


Provider did not complete the clinic note for many patient visits & weeks later created
“new” visits to document his notes.



Outpatient Medication file (V
-
Med) is one big file

Inpatient drug file is in and Orders file


not the V
-
Med file.



PHN visits (non
-
face to face) visits put into EHR using clinic code (11) Home Visit, which
led to visit being billed in error.



Missing notes after the visit was signed by provider, never found.



Duplicate visits created in Ancillary packages, missing POV, Provider and clinic code.



Mental Health Visits in EHR


New Business Rules are required


List Business Rules by
User Class for MH Privileges. (Cover Sheet

Dx)



Vital signs entered by others can be changed.



Medications in EHR


lists multiple times the same dose of medication


this happens
because pharmacy adds a new product/new NDC for a med that has that dose available in
an existing product with it’s accompanying NDC#.



Discontinued and expired meds still show as chronic on the meds tab.



V 1.1 EHR

visit lock default is 2 days


but no lock on visits in PCC.





Linking Anti
-
Fraud & Legal EHR
Functions


AHIMA March 2007


In 2005 AHIMA Foundation of Research and Education, under contract with
the HIT, researched & published a report on the use of health IT to prevent
and detect fraud.



Five work groups were formed to focus on key issues.



The report focused on the “Key Principles for EHR Systems” as outlined by
“Government Paperwork Elimination Act” (GPEA).



GPEA is not limited to Healthcare, however there is a clear overlap with
core HIM principles.



NHIN (Nationwide Health Information Network)


Complies with Federal &
State law and meets requirements of reliability & admissibility of evidence.


Michelle Dougherty, RHIA, CHP

AHIMA JOURNAL


March
2007


Office of National Coordinator for Health
Information Technology (HIT)


issued a
second contract to develop model anti
-
fraud requirements for EHR.


Contract awarded to Research Triangle
Institute with a sub
-
contract to Foundation
of Research & Education (3/07
-
Report)

AHIMA March 2007 Journal


Core
HIM Principles


Completeness


Accountability


Access & availability


Traceability


Auditable (verifiable)


Identification


Authentication


Biometric authentication


Non
-
repudiation


Integrity


Storage & security


Records retention


Reliability


Digital certificate


Digital signature


Electronic signature


Public key infrastructure (PKI)


Thank You

Any Questions?


terri.hall@ihs.gov

406
-
247
-
7128