PACIO Advance Directive Interoperability Implementation Guide, published by HL7 International / Patient Empowerment. This guide is not an authorized publication; it is the continuous build for version 2.1.0 built by the FHIR (HL7® FHIR® Standard) CI Build. This version is based on the current content of https://github.com/HL7/fhir-pacio-adi/ and changes regularly. See the Directory of published versions
This specification does not require signatures but supports the transmission of signatures if business agreements require them.
Data Consumers may require signatures from a Data Source to attest to the information being exchanged. For example, for a clinician to adequately review and follow a patient's advance directive, the submitted information needs to be signed.12 To comply with these signature requirements, this page documents how to create and verify FHIR Digital Signatures when using advance directives.
Signatures represent different levels of attestation:
Consult with your legal team for questions regarding legal liability associated with sharing and signing data.
The term "electronic signature" means an electronic sound, symbol, or process attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.3
The various forms of electronic signatures include:
This guide specifies how to implement digital signatures in the following sections. Specific guidance for other electronic signatures is an implementation detail that is out of scope for this guide.
The electronic signature is a JPG Image that represents this handwritten signature:
Digital Signatures are a type of Electronic signature that meet the following functional requirements:
Digital Signatures employ encryption technology and a digital certificate issued by a certification authority (CA). The encryption ensures the signee has attested to the integrity of the data. A certificate issued by a CA that the Data Consumer trusts ensures that the Data Consumer can trust that the signature is authentic and non-repudiable.
SHALL use JSON Web Signature (JWS)(see RFC 7515) JSON Web Signature (JWS) is a means of representing content secured with digital signatures or Hash-based Message Authentication Codes (HMACs) using JSON data structures. Cryptographic algorithms and identifiers used with this specification are enumerated in the separate JSON Web Algorithms (JWA). 4
Implementers that support XML must be aware that JSON Web Signatures can only be created and validated in the original native JSON. Transforms to and from XML will invalidate signatures.
JSON Signature rules specified in the FHIR specification. (reproduced below for reader convenience): When the signature is a JSON Digital Signature (contentType = application/jose), the following rules apply:
Signature.type
shall contain the same values as the CommitmentTypeIndication element."alg": "RS256"
(preferred) or some other JSON Web Algorithms (JWA) (see RFC 7518)"kty": "RS"
"x5c"
(X.509 certificate chain) equal to an array of one or more base64-encoded (not base64url-encoded) DER representations of the public certificate or certificate chain (see RFC 7517).
The public key is listed in the first certificate in the "x5c"
specified by the "Modulus" and "Exponent" parameters of the entry.Signature.type
- Set to the appropriate signature type, such as an Identity Witness SignatureSignature.when
- System timestamp when signature createdSignature.who
- Reference or identifier of the organization or practitioner who signed itSignature.data
- base64 encoded JWSThe following steps outline the process for verifying the Signature.
signature.data
element"x5c"
key
MLN Fact Sheet: Complying with Medicare Signature Requirements MLN Fact Sheet https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/Signature_Requirements_Fact_Sheet_ICN905364.pdf ↩
CMS signature requirements outlined in the Medicare Program Integrity Manual (CMS Pub.100-08), Chapter 3, Section 3.3.2.4. https://www.cms.gov/Regulations-and-Guidance/Guidance/Manuals/Downloads/pim83c03.pdf#page=44 ↩
"15 U.S. Code § 7006 - Definitions", LII / Legal Information Institute". Law.cornell.edu. Retrieved 2021-10-06. https://www.law.cornell.edu/uscode/text/15/7006#5 ↩
RFC 7515 Jones, M., et al., "JSON Web Signature (JWS)", RFC 7515, ISSN: 2070-1721, May 2015, https://tools.ietf.org/html/rfc7515 ↩