For those of you familiar with the convolutions of HIPAA:
- An EMR company offers a web server based solution for a medical practice with electronic signing as an additional service (not as an integral part of their charting service). A medical practice initially takes the charting service but not the signing feature and prefers to print all created documents instead and keeps them on paper files.
- HIPAA requires signing capabilities for all electronic documents created. That ensures authenticity and (what is also crucial) that the document cannot be altered in the future.
- After some time, the practice decides to pay the extra fee to acquire signing capabilities, which allows them to keep electronic records only.
- When I take a look at the signed records I notice that they have implemented gpg to sign individual records, all within File Maker Pro on a Windows server.
EMR/EHR companies usually take advantage of the fact that medical providers are usually computer illiterate and will willfully pay outrageously high fees for mediocre services which are almost as lame as using either paper and pencil or "dictation services". In general, what is so special about an EMR program/service in the software market? I know there is a handful of OS EMR out there. However, they seem to assume that they know what fields/format/complexity the provider needs and they look exaggeratedly bloated for many cases. For the purpose of recording medical information, some providers would be better off using a simple word processor like OO Writer. What prevents a medical provider from using a widely available program like OO Writer, OO Base or Kexi to keep her/his medical records? If encryption capabilities are implemented, the only thing missing to make this hypothetical method fully HIPAA compliant would be signing capabilities. This brings me to the
This missing feature would be using gpg to sign individual documents. Signing *.odt documents with gpg would be quite straightforward. How about signing records on a simple database? How would you implement such a simple method from a technical point of view (word-processor or database + gpg for signing)? What warnings would you make? What obstacles do you see? In short, how would you do it?