Digital Signature - Prior Claim Results
Use Case
The Prior COB Claim Response resource is part of the Claim Response message. This resource includes a sub-set of the adjudication details that will be passed on in downstream claim requests. This provides the secondary payors with the data they need about the prior claim's adjudication results.
The Prior Claim Response includes an optional digital signature that can ensure the integrity and authenticity of the Prior Claim Response resource. Because neither basic FHIR messaging nor any other healthcare message has a built-in way to prevent tampering, the addition of the signature provides protection and ensures that the vendor or pharmacist cannot inadvertently alter the results. Without this protection, incorrect data could be passed on to downstream payors, which could alter adjudication results and potentially result in lower or higher payments. With the protection in place, this may reduce auditing and clawbacks.
FHIR Approach
- A FHIR Provenance resource conveys the digital signature. Provenance will reference the Prior Claim Response Resource.
- Primary adjudicator only signs the Prior Claim Response; not the entire message
- Vendor includes the Prior Claim Response + Provenance as part of the secondary/downstream claim request
- The secondary/downstream adjudicator verifies the signature to detect any tampering, using the public key from the primary carrier
Mechanics
- A digital signature scheme always comes in two halves: A) Private key → used by the signer (primary adjudicator) to sign the COB ClaimResponse. B) Public key (or certificate) → distributed to the receivers (secondary adjudicators) so they can validate.
- Pharmacy and/or vendors are simply a passthrough
- Adjudicators will need to share public keys
- Signature does not encrypt or hide content.
- If the Prior Claim Response has been tampered with, the signature validation will fail.
- Adjudicators/Networks and their security experts can coordinate and determine the best approach for sharing certificates. The simplest approach may be to use a pre-packaged collection of cryptographic keys or certificates of all trusted parties. Adjudicators can distribute their public key (or cert chain) ONCE to secondary carriers (e.g. a PDF); every carrier has the same set of trusted keys.
Example Provenance Resource
- target → Prior ClaimResponse
- recorded → Timestamp
- agent → Who signed
- signature → Cryptographic signature (Base64)
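The sign-and-verify flow from the FHIR Approach and Mechanics sections, as an added example that is not code from this guide: the primary adjudicator signs only the Prior Claim Response, and the secondary adjudicator checks it against a pre-shared key set. Ed25519, the sorted-key serialization, the function names and the sample resources are assumptions; the page does not specify an algorithm or canonical form, and the Provenance is reduced to the four fields listed above.

```javascript
const crypto = require('node:crypto');

// Assumption: sorted-key, whitespace-free JSON is the agreed byte form to sign,
// so a pass-through that re-orders fields does not break a valid signature.
function canonical(v) {
  if (Array.isArray(v)) return '[' + v.map(canonical).join(',') + ']';
  if (v && typeof v === 'object') {
    return '{' + Object.keys(v).sort()
      .map((k) => JSON.stringify(k) + ':' + canonical(v[k])).join(',') + '}';
  }
  return JSON.stringify(v);
}

// Primary adjudicator: sign only the Prior Claim Response, wrap it in Provenance.
function signPriorClaimResponse(claimResponse, signerRef, privateKey) {
  const sig = crypto.sign(null, Buffer.from(canonical(claimResponse)), privateKey);
  return {
    resourceType: 'Provenance',
    target: [{ reference: 'ClaimResponse/' + claimResponse.id }],
    recorded: new Date().toISOString(),
    agent: [{ who: { reference: signerRef } }],
    signature: [{ who: { reference: signerRef }, data: sig.toString('base64') }],
  };
}

// Secondary adjudicator: the key comes from the shared trust set, never the message.
function verifyPriorClaimResponse(claimResponse, provenance, trustedKeys) {
  const targets = (provenance.target || []).map((t) => t.reference);
  if (!targets.includes('ClaimResponse/' + claimResponse.id)) return false;
  const sig = (provenance.signature || [])[0];
  if (!sig || !sig.data || !sig.who) return false;
  const publicKey = trustedKeys.get(sig.who.reference);
  if (!publicKey) return false; // signer is not in the shared trust set
  return crypto.verify(null, Buffer.from(canonical(claimResponse)), publicKey,
    Buffer.from(sig.data, 'base64'));
}

// Constructed sample data (hypothetical identifiers and amounts).
const PRIMARY = 'Organization/primary-adjudicator';
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const trustedKeys = new Map([[PRIMARY, publicKey]]);
const prior = { resourceType: 'ClaimResponse', id: 'prior-1', outcome: 'complete',
  payment: { amount: { value: 40 } } };
const provenance = signPriorClaimResponse(prior, PRIMARY, privateKey);
const reordered = { payment: { amount: { value: 40 } }, outcome: 'complete',
  id: 'prior-1', resourceType: 'ClaimResponse' }; // same content, new key order
const tampered = { ...prior, payment: { amount: { value: 10 } } };
console.log([prior, reordered, tampered]
  .map((r) => verifyPriorClaimResponse(r, provenance, trustedKeys)));
```

Verification fails closed when the signer is missing from the trusted key set or the Provenance target does not reference the resource being checked.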