1. Current State of Archiving in the German Health Care System
In the German Health Care System due to constant changes of political regulations, the rapid technological development and the steady progress in diagnostics and therapy there are made great demands on all parties involved in the patient treatment process. To a great extend this also concerns the processes of producing, managing and archiving documents which are indispensable to hospitals and medical practices during patient treatments.
Thorough documentation and orderly archiving are essential for the supply of information in the patient’s treatment, compliance with legal requirements, accounting and financial analysis, statistical evaluation, quality assurance and medical research. Clinical documentation and archiving are characterized by immense volumes of data and documentation as well as a high heterogeneity of archival content.
Today there are about 2.100 hospitals in Germany with a capacity of 500.000 beds. On average inpatient treatments accumulate about 50 to 80 single paper documents per case. Therefore one running meter of stacked paper documents (5.000 to 6.000 single paper documents) is produced per bed in hospital wards annually. Around 300.000 medical practices produce another 1 to 5 single paper documents per outpatient treatment. At large there are about 5 billion newly produced documents per year in the health care sector. Just the costs for conventional archiving of all patient related documents in Germany total 2.5 billion Euros each year.
Because of the depicted situation [Schmücker, Dujat, Häber 2008] investments in computer-aided document management and archiving systems (DMAS) are currently reinforced. The number of installations will increase during the next few years, because
- documents and stored data in some individual computer-aided application systems by now have taken such complex forms that they have to be handed over to archiving systems due to performance issues,
- data from different computer-aided applications is merged together to one single system due to rationalization and efficiency,
- conventional archives are steadily replaced by the scanning process and hence form a solution to the lack of space and
- migrations of digital archives can be performed much easier (nowadays about every 7 years).
Within the scope of digital archiving there is a trend towards the integration of document management into the application systems as well as interfacing external digital archiving solutions.
From an economic point of view it is also recommended to provide company-wide backup strategies which can potentially be operated through other archiving system.
In hospitals and other healthcare institutions the following types of documentations are archived:
- medical records: All patient related documents like referral letters, medical findings, pictures, signals, videos, accounting documents.
- operational patient independent administrative documents: Those contain documents for administrative processes like financial accounting, personnel management, materials management etc.
- technical documents: Those contain the documentation of buildings, facilities, medical devices etc.
- office documents
- research documents: Those include documents for clinical studies as well as other medical research documents.
According to the users digital archives should not only be used for a systematic presentation of data, documents, pictures etc, but also to make them evaluable. Document oriented archives normally don’t meet this requirement. Through the provision of an appropriate data basis (e.g. data warehouse) there is a variety of opportunities for data evaluation. Therefore in the future so called enterprise content management systems will be established to save and manage both documents and their contents in the long run. Important requirements for digital preservation are the standardization of electronic generated documents [Hollerbach et al. 2005] and the evidentiary value of documents signed with electronic signatures.
2. Fundamentals of archiving electronically signed documents
It is recommended to store medical records generally for 30 years or longer. This is only possible if certain principles are observed.
2.1 Usage of well-defined, long-term stable and standardized data formats
Documents meant to be archived should be available in a well-defined, long-term stable and internationally standardized data format. For documents the formats TIFF, PDF, PDF/A, JPEG, JPEG2000 and DICOM are recommended. Descriptive metadata of those documents should be implemented with XML. For the above mentioned data formats evaluated software components from various vendors exist. Hence there is a chance that technical components will be available for the visualization of the archived documents during the retention period.
By only using well established document standards a transformation of electronically produced documents can be avoided. A migration without transformation can be accomplished relatively easy if documents are only copied from one media to another media without any changes. But in spite of the German project TransiDoc for “legally secure transformations of signed documents” the transformation of digital documents can not be guaranteed yet.
2.2 Assurance of data privacy and data security requirements
The user interface of application systems should support manifold possibilities to access data, documents, pictures and signals. Generally the necessary access paths are provided by patient oriented procedures (e.g. admission, surgery, discharge) or during meetings of organizational units. The precondition to properly present the right data to the right person is a powerful authorization concept taking care of data privacy issues in particular of the duty to treat medical records confidentially depending on the group or organizational unit dealing with it.
The duty to keep medical records confidentially and the assurance of data privacy require that medical data and documents are only visible if the patient treatment process demands it. Medical records are only allowed to be collected and processed within the scope of the contract of medical treatment and the legal regulations involved, but must not be exchanged and used without restrictions. This means that the access to medical records for the user has to be limited in time and related to the treatment of the patient. On this note hospitals and other facilities do not represent informational entities. For scientific purposes normally only anonymized or pseudonymized data or data authorized by the patient is used.
Through adequate technical and organizational measures it has to be assured that unauthorized access is prevented and that the privacy of the patient is not touched. The above mentioned demand for data privacy has to be guaranteed by an appropriate document infrastructure with respective access rights. The authorization concept therefore specifies which user is allowed to work with the archiving system. The concept comprises the reading (visualization), the writing (import of a new document / import of a changed version), the sharing, the verification and the deletion of documents. This requires different roles and levels of authority to be defined. These roles and levels of authority have to be configurable by patient ID, case ID and document types down to the document level.
If necessary there have to be special measures for the treatment of emergencies. In such cases a complete logging of the access to medical records is indispensable.
2.3 Warranting correctness and protection against modification
Because of the long record retention periods and the legal requirements digital archives have to comply with the current requirements of correctness and protection against modification. Over the intervening years there have been approaches based on an organizational concept. The definition of revision-proof introduced by the German Association for Organisation and Information Systems (VOI) after which archiving is defined according to the German Principles of Proper Bookkeeping [GoB] and the German Principles of Electronic Bookkeeping Systems [GOBS] as revision-proof archiving [Kampffmeyer, Rogalla 1997, p. 10] has gained currency among experts.
Based on this definition a catalogue containing technical and organizational requirements was developed and published by the VOI for the first time in 1997. The orientation towards the compliance with the GoBS specifications can indeed be considered as an essential requirement, but with regard to all the other regulations by no means as sufficient. In this context, one should be reminded of the detailed specifications from the data privacy laws and the requirements of IT and legal security. Hence there is a demand for archiving systems conformable to law and considering all the requested requirements.
On basis of the test criteria for document management solutions [VOI, TÜVit 2004], developed by the VOI and the TÜV Information Technology GmbH (TÜVit), the computer-aided document management and archiving systems in hospitals can be adapted to the requirements of correct and revision-proof archiving. Such systems can be audited by impartial institutions (e.g. TÜVit). The successful approval is documented by a certification. In adjudication such an expert report can be taken into account.
3. Evidentiary value of digitally produced documents through the use of electronic signatures
Until 6 years ago the urgently needed introduction of digital archiving systems in Germany failed in many cases because of the central question whether archived documents are legally approved or not. Since there were no consistent legal regulations for electronic documents they were subject to the judge’s consideration of evidence and therefore legally doubtful and constituted a financial risk in legal disputes.
With the amendment to the signature act and the adaptation of the private and public law in 2002 there exists a solution for the legal approval of digital long term preservation. After § 126a of the German Civil Code (BGB) electronic documents are defined as electronic form if they are signed with at least one qualified electronic signature, the second highest of the four existing electronic signature security levels. After § 371a of the German Code of Civil Procedure (until January 2005: § 292a of the German Code of Civil Procedure) those signatures are regarded as proof of authenticity. Hence qualified electronic signatures allow conclusive, revision-proof and legally approved digital archives.
Many vendors of digital archiving systems claim to provide electronic signatures for long term preservation and archiving. In many cases this is not guaranteed, particularly since the plain creation and verification of electronic signatures is not sufficient. Among other things the long term preservation of electronically signed documents results in the following additional issues:
- Qualified signature certificates are available only for a limited period of time and verifiable: 5 years if the certification service provider is not accredited, 30 years if the certification service provider is accredited.
- Cryptographic algorithms that are used to produce signatures can lose their value of evidence due to “aging”.
- Information on the ability of cryptographic algorithms to protect the value of evidence are not available in an electronically processable format to operators of digital archiving systems.
- Due to transformations of signed documents into other document formats or to other media the evidentiary value of the original signature is reduced. Examples are the transformation from paper to electronic media or the presentation of electronically signed documents in hard copy.
- Because until recently the available signature standards have still been insufficient in particular for signature renewals and verification data, there are still missing standardized interfaces between computer-aided documentation, scanning, signature and archiving services in the healthcare sector.
The German joint project ArchiSig “Conclusive and secure long term preservation of digitally signed documents” has developed concepts and implementations for those unresolved requirements. It has been subsidized by the German Federal Ministry of Economics and Technology (BMWi) in the context of the VERNET program “Secure and reliable transactions in open communication networks”.
After the ArchiSig pilot project at the University Hospital Heidelberg the usage of the electronic signature was implemented at the Clinical Center Braunschweig on the basis of a best practise solution. A similar implementation is projected at the University Hospital Tübingen.
4. Evidentiary value of scanned documents
In Germany there still exist legal insecurities for scanned paper documents. Electronic signatures attached to documents during the process of scanning can only be used to check weather changes to the documents have been made after the procedure. Thus there exists a legal gap if the original paper documents are not available anymore. To counteract these insecurities in hospitals and medical practices a legal regulation is necessary to approve subsequent digitalized documents in court. Appropriate exceptions already exist e.g. for social insurances (§ 110 SBG IV), in the German X-Ray Ordinance (§ 28) and in the German Commercial Code (§§ 239 and 257).
Today numerous hospitals replace their paper based medical records with scanned documents. However in practice there still exists an enormous need for action for providers and users of digital archiving and signature solutions. To guarantee evidentiary value and IT security a policy can serve for the replacement of paper documents and the correct and revision-proof storage of their digitally scanned copies. To the knowledge of the author there haven’t been any lawsuits which lead to legal disadvantages due to the scanning of documents.
5. Principles for the preservation of electronically created and signed documents
Because of the legal conditions for the digital preservation of medical records the management, the storage and the usage of electronically created and signed documents has to be taken into account. When signature is created and electronically signed documents are stored there are six principles to be followed.
5.1 Usage of well-defined, long-term stable and standardized signature data formats
Electronic signatures should be created in a well-defined, long-term stable and internationally standardized signature data format so that there is a chance of having technical components for the verification of electronically signed documents available during the retention period. As signature data formats CMS, PKCS #7 and XML-DSig are used, as hash algorithms SHA-256, SHA-512, MD5 and RIPEMD-160 are used.
5.2 Storage of necessary verification data in a timely available fashion
All necessary verification data needed to verify electronically signed documents have to be made available in time and in a conclusive fashion over the retention period. Electronically signed documents and their verification data have to be stored in a conclusive, timely available fashion to allow data exchange as well as the migration of application systems or components and their stored documents and verification data.
5.3 Timely and conclusive renewal of signatures
Electronically signed documents have to be electronically signed again before the used cryptographic algorithm or its parameters lose their value of evidence. Thereby the publications on appropriate cryptographic algorithms by the – according to signature law – responsible authority have to be taken into account.
Since concepts like the renewal of signatures and hash values according to the ArchiSig concept are inevitable for the efficient implementation of long term evidentiary value, it is also important to specify the signature structures of archiving systems as well as the structure for the exchange of electronically produced and signed information by a standard. In autumn 2007 the Evidence Record Syntax (ERS), a new international standard for the renewal of electronically signed documents was approved by the Working Group “Long-Term Archiving and Notary Services (LTANS)” of the Internet Engineering Task Force (IETF). It is recommended to be used in practice.
5.4 Redundancy when storing and renewing electronically signed documents
When storing electronically signed documents redundancy mechanisms should be applied, since a single bit error leads to the invalidity of electronic signatures. To preserve evidentiary value of electronically signed documents from a premature loss of authenticity of cryptographic algorithms a repetitive renewal of signatures with different hash and cryptographic algorithms is recommended.
5.5 Application of electronic signatures of varying qualities
For the electronic signature there exist 4 different signature levels. For daily use in healthcare practice three types of signature certificates come into consideration: advanced electronic signatures, qualified electronic signatures and qualified electronic signatures with provider accreditation. Advanced electronic signatures indeed can be easily created and used by the user, but thereby offer weak evidentiary value. To a large extend qualified electronic signatures are equated with handwritten signatures. The highest evidentiary value is offered by qualified electronic signatures with provider accreditation.
5.6 Usage of self-explanatory documents
Because of upcoming migrations and the increasing need to communicate with external facilities (e.g. due to the new integrated medical care) the use of self-explanatory documents should be encouraged. Besides the actual content these documents contain the metadata describing the document and technical data as well as electronic signatures including their verification data.
6. Standardized interfaces between computer-aided documentation, signature and archiving services
The creation, verification and renewal of electronic signatures can be directly implemented into a DMAS, a documentation system or as an independent signature service. With the spreading of the electronic signature the specification of standards for the interfaces between computer-aided documentation, signature and archiving systems in the German Healthcare Sector is of utmost importance. This specification should offer practical support during the introduction of legally compliant digital archiving systems which are based on signed electronic documents. This applies for both electronically created and scanned documents, although scanned documents are not necessarily created inside hospitals, but can also be created by external service providers. Such interfaces would lead to notable cost savings for the user.
As a solution so called XML containers can be used in which the document can store its metadata, its verification data and its technical data “bundled” but also can be transferred between different facilities. Existing standards like e.g. HL7, IHE or the electronic VHitG physician’s letter do not meet the requirements of standardized interfaces between documentation, signature and archiving systems. Thus it has to be analyzed whether one of the existing standards can be extended or a new standard has to be developed. There already exists a first concept developed by the German working group Archiving of Medical Records (AKU) of the German Medical Informatics, Biometry and Epidemiology Society (GMDS). In this concept proposals for the following interfaces have been developed:
- interfaces between document and signature generating systems and archiving systems,
- standardized import and export of particular electronically signed documents and files,
- standardized container for the long term preservation and for the communication with external facilities and scan service providers.
Especially for the preservation of evidentiary value when dealing with electronically signed documents these standards are of vital importance, since they provide vendor independence and allow migration scenarios with assessable costs.
7. Outlook for the coming years
Open issues which haven’t been discussed yet are for example the legal long term preservation of XML documents and database contents as well as archiving with regard towards the introduction of the electronic health insurance card in Germany.
For the introduction of the electronic health insurance card and the integrated medical care there haven’t been developed any concepts for the long term preservation of the generated data, yet. The supply and provision of information amongst involved institutions play a decisive role. The German Law on Modernisation of Statutory Health, in particularly the cross sector communication, the electronic health insurance card and the integrated medical care, but also the gatekeeper model harbor the danger of developing expensive data redundancies. That points out the fact that in the healthcare institutions about 5 billion new documents with annual preservation costs of 2.5 billion Euros are created. Twenty percent of those documents are exchanged across facilities. For that reason investments to provide non-redundant solutions for the computer-aided document management and the digital archiving within the integrated medical care should be reinforced.
Since the privacy authorities and officers usually prevent large central patient data archives to decrease the appetite for data theft, the only possibility left is to create a repository for the card owner on the electronic health insurance card containing links to locally stored documents according to the concept of the electronic case record. There will be no further costs for redundant data storage.
A. English publication
Brandner, R.; van der Haak, M.; Hartmann, M.; Haux, R.; Schmücker, P. (2003):
Electronic signature of medical documents – integration and evaluation of a public key infrastructure in hospitals. In: Haux, R.; Kulikowski, C.: IMIA Yearbook of Medical Informatics. Schattauer: Stuttgart 2004, 321 – 330.
Hollerbach, A.; Brandner, R.; Bess, A.; Schmücker, P.; Bergh, B.: Electronically signed documents in health care – analysis and assessment of data formats and transformation. Methods of Information in Medicine 2005; 44(4): 520 – 527.
B. German publication
Kampffmeyer, U.; Rogalla, J.: Principles of digital preservation, code of practice for the use of document management and electronic archiving systems. VOI German Association for Organisation and Information Systems: Darmstadt 1997.
Roßnagel, A.; Schmücker, P. (Eds.): Conclusive long term archiving. Do electronic signatures offer legal compliance? Economica, Verlagsgruppe Hüthig Jehle Rehm GmbH: Heidelberg, München, Landsberg, Berlin 2005.
Schmücker, P.; Dujat, C.; Häber, A.: Guide for computer-aided document management and digital preservation of medical records in the healthcare system, second extended and revised edition. GIT-Verlag: Darmstadt 2008.
VOI German Association for Organisation and Information Systems; TÜV Information Technology GmbH: PK-DML – Test criteria for document management solutions, second revised edition. VOI German Association for Organisation and Information Systems: Bonn, Essen 2004.