Vol. 45, No. 9
Digital signature technology could cut HR's paperwork and speed transactions, such as insurance enrollment.
Joel Neilsen sees a day when his fellow employees at Morinda Inc., in Provo, Utah, will sign expense reports, benefit forms, W-4s and other documents electronically.
Neilsen, chief information officer at Morinda, a health care products marketing company, knows that digital signatures on business documents are not pie in the sky. He is starting a pilot project to allow Morinda and its thousands of distributors to exchange contracts electronically—and sign them electronically. Neilsen wants to replace the paper contract with an electronic one that can be stored in a database.
The distributors are the first step. If paperless signatures work, "It makes sense to do the same thing with our 1,200 employees," Neilsen says. "I was just completing a review for one of my senior managers. It would be nice to fill it out, sign it, forward it to him and have him pass it on to HR electronically."
Neilsen’s dreams put him in a tiny group of technologists and HR professionals who are thinking about electronically signed HR documents. Most companies aren’t using electronic signatures on general business documents yet, let alone on HR documents.
So why should HR professionals burn any brain cells on electronic signatures now? Because the Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires administrative simplification for health insurance—and that simplification includes using electronic signatures to show employee approval of certain transactions.
"Some insurance companies and the largest health care providers have started to think about this problem, but very few employers have started to think about what this means to them," says Chris Williams, an attorney in the employee benefits group at the law firm of Gordon, Feinblatt, Rothman, Hoffberger & Hollander LLC in Baltimore.
Electronic signatures may prove to have many HR applications in the future, as Neilsen anticipates. But for now, HIPAA should be enough to prompt HR professionals to learn about the technical, legal and regulatory issues surrounding this technology.
Cutting Paper and Costs
HR professionals will most likely start encountering digital signatures and digital certificates—which secure and verify digital signatures—next year, when the regulations implementing HIPAA take effect. (For more on the technology behind digital signatures, see "What Is a Digital Signature?" on page 100.) HIPAA requires that health care providers, insurance companies and employers conduct certain transactions electronically, Williams says. Reducing paperwork also will save money. The U.S. health care industry spends an estimated $1 billion a month on paperwork.
The U.S. Department of Health and Human Services (HHS) is spelling out the regulations for HIPAA’s requirements for paperwork reduction and published draft rules in the Federal Register on Aug. 12, 1998.
Currently, HHS is reviewing comments on the draft regulations, which include a set of standards for electronic transactions, such as standards for enrolling people in health plans, giving clearance for treatment and submitting payments. Many processes—such as payment for services—won’t require an electronic signature of any kind. But Williams says that some transactions, including insurance enrollment and termination, will require an employee’s electronic signature. "This is one area where HR people will find themselves affected," she says.
Release of the final regulations is expected by the end of this year. But once the regulations are final, the law gives everyone 26 months to get into compliance. "People who haven’t started to think about it will find themselves up against the wall when it comes time to comply," Williams says.
HIPAA will provide some help for smaller employers by establishing clearinghouses to transform paper forms into standard electronic ones, Williams adds.
Can employers relax, relying on their insurers and health care providers to work out the technical details? Not if the employers want to be sure they’re protected. HIPAA holds the insurer and "its agents" responsible for fulfilling the law’s requirements, Williams says, and those "agents" could include the employer.
Laws Back Digital Signatures
HR professionals seeking to learn more about digital signatures are in luck because digital signature technology has been in the news, thanks to attention from legislatures. A recent spate of new state and federal laws supports electronic commerce generally and the use of electronic and digital signatures specifically.
At the end of June, President Clinton used a digital signature on a smart card to sign a federal law that gives electronic signatures of all kinds the same validity as pen-and-ink signatures. The federal law does not specify that digital certificates must be used.
More than 40 states have spelled out some kind of e-signature model, and 16 have approved laws to govern the use of electronic signatures. These and the federal bill will need to be harmonized. The federal e-signature law, in fact, is just a stopgap measure until a majority of the states can approve uniform electronic transactions laws, says Patty Edfors, director of government operations in the U.S. office of Dublin, Ireland-based Baltimore Technologies PLC, a provider of digital certificate technology.
Legislators are ahead of the curve; their eagerness to promote digital signatures outpaces business’s eagerness to use them, notes Diane Heard, director of HRIS for the University of Pittsburgh Medical Center Health System in Pittsburgh.
"The irony is, the legislation is in place and the technology is in place. What’s curious is I’ve not seen the major [enterprise resource planning system] vendors come out with [digital signature capability] yet," Heard says.
That could be because issuing, storing and maintaining the digital certificates that back and verify digital signatures is no easy task, even though the technology isn’t new.
Acquiring and administering the underlying "public key infrastructure" (PKI) technology can be expensive. Also, the industry is still trying to sort out another problem: One vendor’s servers don’t necessarily accept certificates from another. These problems are being slowly ironed out on a case-by-case basis.
Another challenge: Once a PKI is established and certificates issued, individual applications—e-mail, for example—have to be enabled to use the certificates. The major ERP vendors are only now coming out with toolkits to help enable their applications for digital certificates. PeopleSoft Inc. of Pleasanton, Calif., will offer a toolkit and some integration facilities in its next version, to be released this fall. Other generic toolkits are available to help programmers do their own integration, but the generic kits require some knowledge of cryptography.
PKIs vary from highly customized models, set up and run by the user company itself, to an outsourced model from VeriSign Inc. of Mountain View, Calif. With outsourcing, VeriSign does all the heavy lifting of issuing keys and archiving and securing the public keys on its own servers. The client company handles the business process of determining who gets certificates, how they will be used and the authentication required before a digital certificate is issued.
Other digital certificate and PKI providers include Baltimore Technologies and Entrust Technologies Inc. of Plano, Texas.
Users are just beginning to warm to the technology. These pioneers mostly use digital signatures in place of passwords to access a network. Most commercial applications of digital certificates are currently in their pilot phase at banks, credit card companies and firms setting up networks with their business partners.
One of the few companies now using digital certificates in an HR application is Agilent Technologies Inc., in Palo Alto, Calif., a test equipment and semiconductor company. Agilent has issued digital certificates from VeriSign to 15,000 of its 40,000 employees. These employees use digital signatures in place of passwords to access the corporate intranet, including the HR web site and the private personnel data available there. Currently, the company does not use digital signatures for approving transactions.
"The majority of our customers aren’t using digital signatures on HR processes," says Bob Pratt, group product manager for VeriSign. HR seems like an obvious application, Pratt adds. "Companies can save hundreds of thousands of dollars just on mailings alone by using digitally signed electronic forms for certain HR transactions," he says.
That may be true, but in most cases it doesn’t make financial sense for a company to focus its use of digital signatures on HR processes alone, says Victor Wheatman, an analyst at Gartner Group Inc. in Stamford, Conn. Wheatman expects that up to 80 percent of large U.S. enterprises will test the use of digital certificates by 2003. He also expects a high rejection rate because many potential users have not figured out uses for digital signature applications that would make the effort of establishing PKIs and certificates worthwhile.
A Simpler Route
Some vendors are beginning to offer solutions that could make digital signature technology easier for users who don’t want to deal with storing and maintaining digital certificates themselves.
Morinda is testing a product called Digital Handshake by iLumin Corp. in Orem, Utah. Digital Handshake allows two parties in a transaction to go to a third-party web site—described as an "online signing room"—where they read the documents for the transaction and sign them with the click of a mouse. The "signature" is based on a digital certificate authenticating the participants’ identities. Digital Handshake stores the documents in an electronic filing cabinet accessible by the approved users.
The user company still needs to work with a PKI provider, but Neilsen says iLumin will walk Morinda through that process. Overall, Morinda’s experience represents a likely pattern for the way other companies might adopt digital signature and digital certificate technology: A business unit will adopt it first before it finds its way into HR processes.
iLumin isn’t alone in figuring out easier ways to bring digital certificate-based security and the accompanying digital signatures to user companies. Several application service providers (ASPs), especially some in the HR application business, are thinking about how the HIPAA rules might affect them. The easiest solution for HR professionals could be that their health insurance providers would link up with one of these ASPs to deliver a complete solution.
The ASP-insurer partnership is exactly how the use of digital signatures in HR will evolve, says Mike Smith, vice president for business development at TALX Corp., a St. Louis-based ASP of HR applications. Smith notes that none of TALX’s clients has requested digital signature capabilities yet, but he says the company is prepared to move in that direction when the demand arises.
Bill Roberts is a freelance writer based in Los Altos, Calif., who covers business, technology and management issues.