What is e-signing? How is it different from signing on paper? How is it different from using the signing device that is sometimes used at the grocery store or pharmacy?
According to federal law, an electronic signature is "an electronic sound, symbol, or process, attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record." The Electronic Signatures in Global and National Commerce Act (ESIGN) specifies that electronic signatures and records are just as good as their paper equivalent, and
You say that YTC never has or holds my data. When I authorize release of my personal information through YTC, where is my data?
YTC never sees, never has access, and never “holds” your data. We keep a careful and complete record of requests and releases (see FAQ on audit trails below), but we never come into any kind of contact with your data. Where is your data? Until you authorize release of certain data to certain entities at certain times, it is where it has been—at your doctor, your bank, the university you attended, wherever your data has always been. And after you authorize such a release, that portion of your data is conveyed to the organization whose request for the data you have approved, at that time (and only at that time). If you have concerns about how your data will be handled once it arrives at the location you approve, you should ask those questions first. That is, before you authorize YTC to manage the transaction that will send your data to them, you should first specify that the data to be released can only be used for the purposes specified in the authorization.
What is an audit trail? What does it look like? What does it do for me?
While its name may sounds like technical accounting jargon, the “audit trail” is a very important matter. YTC is what is called a “neutral third party.” We manage the process of the release of your sensitive personal information, but we never have or see any of that sensitive personal information itself. What we do have, and keep for at least seven years, is a detailed record of every element of such transactions, every piece of the process of accepting your authorizations, managing requests, and facilitating the transactions. This very detailed record—what was requested, and when and by whom; what, specifically, was released, when and to whom; and which of these requests were refused, and when—is what is called the “audit trail.” Through your YTC membership, this record is kept on your behalf. It is electronic, it is tamper-proof, and while YTC maintains this record, it is yours. You’ll receive each piece of it as the transactions unfold, and because it is yours, you can ask to see every detail of your audit trail history in its entirety whenever you wish to do so.
Why do I need to sign different authorization forms to have my medical information sent from different doctors and hospitals that have given me my medical treatment?
Almost every healthcare provider and provider organization has its own unique “release of information” form. This might simply reflect the way that the provider likes to do things, but nearly every release of information does require a signed authorization. There is also a larger issue. As part of its effort to secure your privacy, in 1996 the United States government set up a basic framework and set of standards for how protected health information (PHI) can legally be released. The law that set this standard was the Health Insurance Portability and Accountability Act (HIPAA). Individual states may, however, establish additional protections and requirements for the release of PHI. This is one of the reasons that an authorization form at the VA hospital will look different than one from a civilian hospital in San Francisco. Every healthcare provider may style and configure their authorization forms as they see fit as long as those authorizations meet the standards set by applicable state and federal law.
I’m told that I am “responsible” for my medical records. I thought that my doctor was responsible for that. What does it mean that I’m “responsible” for my records?
Healthcare providers are responsible for keeping and safeguarding complete medical records that meet the professional standards which guide their practice and for providing those records, at your request, to other healthcare providers from whom you receive care. Healthcare providers may also, under certain circumstances, legally transfer your records to another healthcare provider without your authorization or your knowledge. However, you–the patient—are, in fact, the owner of the data in those records. Providers may, under the law, charge you for photocopying the records they have kept, but as the owner of the record, you have the legal right to review that record and to request that the record be changed (“amended”) if you think it contains errors that are not trivial. You are also responsible for making sure that any provider from whom you seek care is provided with your records from other providers. The growing popularity of what are called personal health records, or PHRs, is in part a reflection of the growing awareness that it is the patient who is responsible for bringing all of the record together, not the provider. It makes sense to keep a copy of the results of any diagnostic tests, such as MRIs, to keep a log of your children’s vaccinations, and so forth. Whether we consider it a good thing or a bad thing, we live in an increasingly “self serve” world, and this includes managing your medical records—no matter where they are stored.
Why is it important that YTC be a trusted intermediary?
We think that the person who should be in charge of your sensitive personal information is you. Sounds great. But at a practical level, how are you going to be in charge? How will you exert the control that is legally yours? You are certainly no match for either the large organizations which hold your personal data or the equally large and powerful ones that often pay for access to your data. So where does that leave you? Technically in charge, and in reality overmatched and somewhat bewildered. You certainly wouldn’t trust an intermediary affiliated with either of those types of organizations. What you need, we believe, is a group of people independent of both data holders and data requestors, people dedicated to preserving your privacy and to seeing that your wishes—the wishes of the data’s legal owner—are carried out, whether that means seeing to it that your data is locked up tight to anyone and everyone, or whether you want some of that information released at certain times, under certain conditions, and to certain people or organizations. We are that group of people, and we are committed to doing precisely that.