Configuring Acrobat Sign for Healthcare, Life Science & FDA-Regulated Best Practices

Transcript

Let’s go ahead and get started. Hello, everyone. I will bring my camera on stage. Hey, everyone. Nice to see you this morning. Can we go to the next slide, please? Great. This is our webinar on Acrobat Sign for pharma and healthcare and life sciences. These are the speakers that you’ll be hearing from today. I am Dave Stromfeld. I’m a Principal Product Manager.

I’ve been at Adobe over 20 years, a long time. I’ve worked on a number of aspects of our Document Cloud product line. I’m really excited today to share with you all of the great features, settings, and information and resources we have in this area for you. My co-presenter will be Gianna. Gianna, do you want to go ahead and introduce yourself? Sure. Hello, everyone. My name is Gianna De Robertis. I am the Director of Compliance at Montero. I lead the team at Montero that has been collaborating with Adobe for a number of years on all matters related to par 11 compliance.

Great. Let’s go to the next slide.

This is our agenda today. After a couple of minutes of introduction, we will go over an overview of the regulatory landscape. We are then going to give a really great, deep hands-on demo of how to set up sign for your compliance needs. We will then shift over to a simulation of a clinical trial e-signature workflow. So you can see how all of those settings and configurations actually play out in a real live scenario. We’re going to share a whole set of really valuable resources and information that you may want to take advantage of as you’re setting up Acrobat sign. Then we’ll leave some time at the end for Q&A. You can go to the next slide. Speaking of Q&A and how you’ll be interacting with us during this webinar, let me give you some tips and tricks. If you have any technical issues, you can go ahead and usually the best thing to do is to leave the Teams webinar, and then just rejoin the webinar. Usually that will fix any audio or visual issues. If you continue to have any audio or visual issues, don’t worry, we’re recording this and you will get a copy of the recording in your e-mail inbox afterwards. So you’re welcome to take screenshots, but you will get a copy of the recording and in that e-mail that we send you at the end of the webinar, we will also include some of the key links that we are sharing with you. So you will get that in a follow-up e-mail. Questions, we really encourage you to use the Q&A pod and interact with us during the webinar. We have a few people standing by ready to answer your questions. You can click that Q&A icon in the toolbar. You can ask your questions.

If you see a question that somebody has asked and you have the same question, then we really encourage you to upvote it because then what we can do is we can sort the questions and see which questions have been upvoted the most, we will do our very best to answer as many questions as we can and save a few for the Q&A portion at the end. We will also be using polls during this webinar to get your feedback and your input as we go along. So in the spirit of that, Gianna, do you want to go to the next slide? Let me bring up our first poll. Let me find it here.

I’m going to launch the poll and it should pop up on your screen. When it pops up, you can go ahead and choose one of the answers for that poll.

That poll is, how familiar are you with configuring Acromat Sign for Healthcare and Life Sciences? Is this brand new to you? Have you seen or read the video? Have you started to dabble in the configuration and the settings, or are you on the experts side of things? I see the results coming in and it looks like about 40 percent of the people who have responded so far are not that familiar yet, and about 30 percent are somewhat familiar, and the remaining 30 percent of you are a little bit more experienced. So that’s a great overview.

We have some definitely over half of our audience is not familiar or has just started to hear or play with some of these settings. So this will be a fantastic introduction for you. Gianna is going to get into all of the details that you need to know. Go ahead and close that poll when you’re done. Just click the box in the upper right. Gianna, why don’t you take it from here? Yes. If you’re attending this webinar, it’s probably because you are working in the health and life sciences community, and you might already understand that your work is shaped by a wide range of regulatory requirements. But specifically, in the health and life science organizations, there are additional requirements specifically for GSP control. So whether you’re manufacturing drug products, conducting clinical trials, designing medical devices, there are fundamental core regulations that need to be applied, and you’ll be expected to generate electronic records to support the work that you do. If you were to sign these records electronically, at the base, there are federal laws that allow you to do that, and to grant legal validity to those electronic signatures. These core regulations apply to all industries, but on top of that, there are specific regulations specifically for the health and life sciences.

In the United States, 21 CFR Part 11 is the FDA’s regulation that governs the use of electronic records and electronic signatures. This is the cornerstone regulation, and globally, many other frameworks will align to it. The counterpart in the European Union is GMP and XPR. I think it’s confidence that they’re both numbered 11, but currently today, there’s quite some significant differences in the system at large, and it is currently written in a very high-level, principle-based type of language. That can lead to some ambiguity and broad varying interpretations. I think that’s the main reason why we’re going to see coming up real soon in the short term, maybe this summer or in the fall, a new version of NX11 will come into effect. With the new version, we’re going to see that it is completely rewritten with a much more prescriptive approach, much more prescriptive requirements, and specifically, what we’ll see with regards to electronic signatures, that there’s going to be much more overlap. The intent to harmonize NX11 with Part 11 is quite obvious. The update is coming really soon, and so now is really the time to become aware of the draft and start preparing for implementation. Take advantage of the resources that are available to make sure that once it does come into effect, that you do remain and are compliant.

In addition to those regulations for electronic signatures, some of us in the industry are working specifically with health and protected patient information. And so for those organizations, there are some privacy laws, HIPAA regulations that may also apply to you. The three regulations that are highlighted on the screen, NX11 and HIPAA, those are going to be the focal point for today’s conversation.

And we’ll focus on how to configure Acrobat’s Line to comply with these regulations.

Before I dive deep and start discussing the actual setup of Acrobat’s Line, I just want to take a little bit of time to dive deeper into the regulations. I think it’s really important to understand where the regulators are coming from, what motivates them to put these elements out as regulatory requirements, because that’s really going to drive the decisions of how we set up the software solution.

The regulations all converge over common themes and principles, and at the core, what we’re trying to do is safeguard information, establish trust on who did the action, who applied the signature, and to be able to prove it when it really, really matters. The first common principle is non-repudiation. What this means is that the signer cannot credibly deny having signed a record. In other words, once the signature is applied, there must be sufficient controls and evidence or proof in place to be able to tie that action back to that specific individual.

The regulators are going to expect you to be able to reconstruct the sequence of events. Who did the action, when they did it, and possibly even why did it happen? And that will all come together with some controls. Normally we use audit trails to be able to show that the sequence of events that will allow you to reconstruct the story of what happened. But the signature itself is not just about marking up the document.

A truly balanced signature has to reflect a conscious and deliberate act. There has to be an intent to sign. And the system has to be able to show that the signature was applied deliberately and intentionally. And that’s why often in the system you’ll see actions like prompting you to explicitly click on a sign button or an approved step.

And it’ll also prompt you perhaps to indicate the meaning associated with the signature.

Collectively, all of these controls should come up because that’s what’s going to establish the accountability and the traceability that will bring regulatory weight and will allow you to stand up to the scrutiny of an inspection, an audit, or perhaps even a challenge in the court of law.

The second major principle is trust. You have to be able to trust in the signature. It has to be trustworthy and reliable and equivalent to a handwritten signature. And so this is all supported by the concept of data integrity. The signed record has to be accurate and consistent over time, which means that there has to be controls in place to make sure that that snapshot of what was signed there has to be no ambiguity about it, but the sign has to remain intact over the life cycle of the record.

So what that means is that there should be a clear linkage between the signature and the record. The signature should be securely bound to the record so that it almost, you have to be able to prevent signature reuse. You shouldn’t be able to copy it and reuse that signature on other documents.

And you have to be able to be confident that it’s the exact version of the record that was signed.

There has to also be mechanisms to make sure that you cannot alter or modify the signed record. So what was signed has to stay intact. And so there have to be mechanisms that will prevent you from making changes, making deletions, or if any changes do occur that they have to be transparent, they have to be controlled and fully traceable and invalidate the original signature.

Finally, the signature has to be carried out in a controlled and reliable environment. This would involve making sure that there’s authentication steps that you have control over who accesses the system, that you have defined user roles.

And finally also that you have validated your system to show that it is behaving consistently, reliably, and according to your intended needs. Because ultimately it’s a trustworthiness of the signature is really only as good or as strong as the system in which it was created.

So to bolster the trust, it’s important also to protect and secure the information that has been signed. Working in the health and life sciences industry, we’re often dealing with very sensitive information, whether it’s patient data, clinical records, or just even proprietary research information.

So we want to make sure that we are safeguarding and protecting the privacy and the confidentiality of that information. And that means that we are expected to implement controls to be able to restrict access to authorized individuals.

Usually that means using access controls tied to an individual’s roles and user permissions that are associated with or aligned with the person’s job responsibilities.

We’ll also want to make sure that you’re using controls to prevent unauthorized use of the system. So if we’re going to authenticate to the system, we need to make sure that those credentials are protected, that the session is protected as well, that there are session controls, and that overall we’re acting in a way that is more reducing or eliminating the risk of impersonation so that people are not acting as somebody else. And that is really meant to safeguard overall the data from any breaches or misuse, and really make sure that there is no risk of fraudulent or falsified signatures.

And so before I dive deeper to actually show how we put all of this into practice in Acrobat’s Line, I think this is a moment where we’ll just pause first and Dave will take over with another poll question, and then we’ll return and I’ll demonstrate to you how to actually build all of this out in Acrobat’s Line.

Great, thank you, Chiana. Let me bring up our next poll. Let me launch that now. And this poll is a two-parter. It should come up on your screen in a second. And question one is, which regulatory requirements are a high priority for your organization? So if you could check one or more boxes there, then you can click the next arrow in the lower right. And then secondarily, we’re really interested in where are you joining us from? Because that often dictates which regulatory rules are you most focused on following. So folks can go ahead and answer both of those polling questions. I’ll give you 10 more seconds there.

I see answers coming in.

21 part 11 is the big winner so far on the regulatory requirement. That is the high priority for your organizations.

HIPAA is coming in second, and then a good selection of the other ones as well. And as far as where are you all attending from, looks like the vast majority of you are joining us from North America. And then a smaller group from Europe, and then we have some attendees from everywhere else, which is great to see. So go ahead and close that poll when it’s completed, and Gianna, you can go on to the next portion. Thank you.

So how do you get started with all of this? I mean, the obvious first step is making sure that you are subscribed to Acrobat Sign, and make sure that you have the correct subscription. You need to have access to Acrobat Sign Solutions. If you haven’t already done so, contact your Adobe representative, and make sure you secure the rights to use the software. You’ll need an enterprise or business level plan to be able to gain access to all the features and functionality that we’re going to walk through today. The security features and so forth are only available at the enterprise or business level plans. And it is within this plan, once you get started with Adobe, they’ll help you get onboarded and live with the system.

And then once you’re in, you’ll be able to, as an administrator, you’ll be able to walk through some initial set of steps. There is a get started checklist available to you, straight in the application interface that will walk you through the initial steps. And it is right here where if your organization handles or processes protective health information or PHI, this is where you’ll be able to request the business associate agreement for HIPAA. So the BAA, there is a BAA wizard available, and you can request that straight within your initial checklist.

And that’ll start the interaction with Adobe to get the BAA signed. Once it is completed, Adobe will be able to mark your account as being linked to the BAA, and that setting is fixed, and you won’t be able to change that anymore.

And so that is the first step that you’ll need to, one of the first steps you’ll need to carry out if you’re planning to use Acrobat Sign in a HIPAA environment.

All right, the next step, once you get all of these, this initial onboarding out of the way, you’ll be able to go and actually configure all of the settings that are necessary to carry out your business processes, first of all, but also to make sure that the regulatory requirements are met. And these configuration settings are organized under the account settings available to the system administrators. The settings that we’re primarily concerned with are BioPharma settings. These will allow you to control the authentication step, making sure that authentication is enforced at the right time in the signature workflow. And BioPharma settings will also allow you to enforce the reason for signing so that that will be captured in the manifestation of the signature.

We’re also going to be looking at the send settings. The send settings will allow you to control what the sender of the agreement is capable of doing, and will also allow you to mark up what authentication methods are acceptable and allowed for use. Obviously, there’s security settings that we’re controlled about, because as I mentioned, security is a core principle for a legally valid signature. And then there’s also some additional preferences that you can configure, things that will touch on the attachments that are included in emails sent by the system, and also the preferences that you have for what data is captured in the audit trail.

These settings can be configured globally at the account level.

But in practice, we find that it is recommended to leverage the group structure available in Acrobat Sign.

With the group structure, you can carve out unique groups that are basically going to reflect specific business processes. So you can apply unique configurations that are suitable for the business process at hand. What this means is that you can carry out different business processes in parallel without them conflicting with each other. You can configure a business process that needs perhaps less stringent controls, and you might have a specific group configured uniquely with the biopharma settings and the other controls that are more stringent, but expected in the regulated environment of 21 CFR Part 11, and so forth. All right.

So at the start of your setup, when you’re first onboarded with Adobe, you’ll get access to your account, and the account is delivered with one group called the default group. This is the group that’s automatically established, and when a new user is onboarded or added to the account, they will automatically be placed in this group. If you have no other group created in the environment, all the properties that are configured either globally at the account level or at the default group those will dictate the signature workflows for all of the agreements that are originating from that account. So basically the flow is that the sender will be a member of the group, and the properties that are in that group will be reflected on to the signer, and the signer will then sign the document, and the final result will be representative of the settings applied at the default group. If the default group is not configured according to all of the expectations for regulatory control, then that will be reflected in the signature. But to accommodate different business processes, what we generally recommend is to set up multiple groups. You can create additional groups with unique settings specifically for the regulatory and operational requirements needed in the health and life sciences. And so for ease of conversation, we’ll call that the biopharma group, and that is what we’re going to focus on today. The biopharma group will be configured to generate compliance signatures. Now a user can be assigned membership to more than one group and whatever group that this user will send the agreement from, that’s what is going to yield the final result and signature. This is an important point. The signing party don’t really have much influence or any influence on the signature. They’re just going to be invited to sign the document and they’ll live the experience of whatever was sent.

So to attain the signature, it’s important that you remember that the sender is a member of the biopharma group and that they remember to send the agreement from the biopharma group if they’re looking for a compliance signature.

The signers can be internal, they can be external, and if they’re internal, the signers can be in any group. They don’t necessarily need to be in the same group as the sender.

And so what that means in practice is you can have in the same system, different groups that will generate signatures that will look differently. Here’s an example of a signature that was generated from a group or was initiated from a group that was not configured with the biopharma settings and still a legally valid signature. And it includes the printed name of the signer and the time of when it occurred. In contrast, on the right-hand side, you’ll see a signature that was initiated from a sender who sent the document from a group configured with biopharma settings. When biopharma settings kick in, the signature is modified, it looks different, and that’s controlled by the biopharma settings. And what you’ll see is that the printed name of the signer is there, the reason or meaning associated with the signature is there, and the date and timestamp is there. And all that is coupled with a graphical appearance complementary to the core elements that we’re looking for a Part 11 compliance signature. But the core message here is that it’s important that you remember to initiate the agreement from the correct group to yield the signature that you’re looking for.

And so with that, what I’m going to do now is actually jump straight into the system and show you how to set that up.

So we’re gonna go into the demo now, there’s gonna be effectively two demos. First, I’ll start with how to configure the Accorrect Sign account. I’ll be logging in as an administrator to show you how to step through the different settings and set them up as desired. And then that’ll flow into a simulation where I’ll send out a document and show you the whole experience from sending the document and actually signing the document and showing you what the resultant signed document looks like.

So to get started, I am currently logged into the Crobat Sign application as an administrator.

So this user is named Test3. It’s a test user account that we’re using and this user has been granted account administrator permissions. I know that they are an administrator because they gain access to the admin page. On the admin page, you’ll be able to see all of the settings that are available that will control the behavior of the system, what features are exposed and accessible for use, and also how to impact the resultant signature.

What we’re going to do is focus in on the BioPharma group. In this account, you can see that I already have a number of different groups created. And logically, organizations tend to compartmentalize the groups by departments. So you can have the default group, you can have other groups reserved for departments like legal and finance, but we’re gonna zone in on the BioPharma group. In fact, I have two groups here that are configured equivalently. They’ve been configured to match each other. And this is something that is very typical in health and life sciences. They tend to like to have a separate group reserved for validation and training purposes. So for non-operational, non-production use, it’s still a controlled environment. And then once they’re confident that this is, they can test out new functions, they can use it for a formal system validation, they can use it to train their users, and then they’ll replicate the same configuration in a production group to be able to carry out their normal operations.

So we’ll go in and access the production BioPharma group. And you’ll see once I access the group settings, you’ll see that I am at the top of every page, there is an option to override the account settings. And that’s really what’s going to allow us to carve out unique settings for this part 11, sorry, this BioPharma group. We’re gonna go straight ahead and look at the BioPharma settings, because this is really the star of the show.

When you activate BioPharma settings, you’ll be able to control or tell the system, when do you need to enforce authentication? When do you need to intercept the workflow and ask the user to identify themselves to the system? We recommend to challenge the user to authenticate when the agreement is first opened. And this is really just one layer of security to safeguard the content of the record. Think about it like your home, you have a lot of valuable things in your home, and you’ll lock the front door, which generally is sufficient, right? You keep your windows and doors closed at night, and they’re locked to prevent any intruder from coming in. And that generally protects the contents of your home. But sometimes you have things that are especially valuable. And so you might put those things in a safe box or a fireproof cabinet, which is an additional layer of control in an already secure environment. So that’s what this is going to do. This layer, preventing users from opening the agreement unless they authenticate to the system, is just an additional layer to make sure that only people who legitimately have business to view and act on the document will be granted access to view and access the document. So that’s one control that we recommend.

The other enforced authentication step is really to complete the signature. So we recommend setting it up so that the authentication is enforced when you click to sign. And that is really to, coming back to the regulatory requirement or the expectation is really to make sure that the signature itself is deliberate and intentional. If you’re going to make sure that the user authenticates at the time of signature, it is really emphasizing that, yes, this is the moment in time where I’m applying my signature. So that drives it home by putting in their credentials at the time of signature, they’re stamping the document and confirming that they do deliberately want to sign the document. And that is the action that will be captured in the audit trail.

In addition to the authentication controls, Bioform settings will also allow you to configure and enforce the signing reason. We don’t only want them to be allowed to signing reason, we actually want that reason to be obligatory so that it will be captured in the signature manifestation. So we have it set up so the signing reason is required. It is possible to allow users to put in a custom signing reason, which basically is pre-text, but we prefer setting up a standard list of reasons that the user can select from. And the reason for that is because a custom signing reason does introduce a risk of errors. There could be typos, there could be nonsense that is entered and whatever that reason is will officially be stamped in the signature of your formal record. So to avoid that risk, we prefer creating a standard list of reasons. It’ll be presented as a dropdown list. It’ll be consistent and tidy and easy for the signer to use.

Now the Bio pharma settings are going to enforce authentication, but the system doesn’t quite know how to authenticate. And so for that, we need to go to the send settings and we need to establish a handshake with the Bio pharma settings. For that, we’re going to go to the signer identification options. We’re going to make sure that there is a specific authentication method that is specified for each recipient of the agreement.

The agreement, when the user goes to authenticate, they will need to put in credentials. And the way they interact with the system can vary depending on whether they are internal users or external users. So we can carve out different authentication methods for your external parties and for your internal parties. For internal users, it is recommended to set up your account and enable federated IDs so that your users can authenticate using their normal corporate credentials, whatever is already in place with your corporate directory services. And so for that to work, the method that is required is Acrobat sign authentication.

That’ll be compatible with your setup for federated IDs, and that you can get started and configured in the Appian console when you’re initially onboarding with Adobe.

If you’re not using federated IDs, Acrobat sign will require each individual to create a unique username and password on Adobe ID. And at that point, you should also consider configuring additional password controls for password strength and password resets. Those are security mechanisms that are expected to be in place. For your external parties, they won’t be in your directory. So it’s not feasible necessarily for them to be using federated IDs. So you need to tell the system what is acceptable for an external party to use.

So the options, you know, there’s a number of different options available from Adobe. However, not all of them are supported or compatible with BioPharma settings. It’s not possible to use signing password. It is not possible to use knowledge based authentication when you are using BioPharma settings. So just be mindful of that. You can choose the other methods, whatever you prefer.

Phone authentication WhatsApp will require you to submit the phone number of the recipient in addition to the email address. So that makes it a two factor authentication method if that’s what you prefer. Otherwise email one time password and Acrobat sign authentication are just fine to use with the BioPharma settings as well.

Continuing on with the send settings, right below these settings, there is a section called content protection for the content protection feature.

And so what we saw in the BioPharma settings is enforced authentication to view the document before you’re even allowed to sign it. But at the end of the workflow, there is a final signed document and the system will send out an email to all the parties involved to notify them, congratulations, the document is signed. And that by default, the system will include a hyperlink to be able to view that signed document. So again, we’re looking for additional layers of control to protect the privacy and the confidentiality of that content. And so content protection will now be able to allow you to enforce authentication before you’re allowed to view the final signed document.

So that will apply if you’re accessing the document from a hyperlink provided in the email. And the hyperlink in the email is controlled through settings that are available at the group level settings. In the group settings, we’re gonna scroll down to a section that allows us to decide whether or not we want to deliver the final signed document via email. And right here, you can see that it is configured to include a link to view the signed document in the email. And it is grayed out right now because it’s working in conjunction with the enhanced content protection feature.

It is possible to remove the link altogether and use linkless emails if that’s what you prefer. It’s also possible to include as a PDF copy, an attachment to the email, and that attachment will be a copy of the signed document. However, routing documents through email is not necessarily recommended, especially in an environment where we’re concerned about protecting the privacy of individuals. Email is susceptible to data leakage. So if you’re working in a HIPAA environment, it is not advisable to include email, to include the PDF of the signed document as an email attachment. And this is why we have it configured so that there is no attachments. The controls are for attaching the signed document, but you can also decide whether or not the audit report should be attached to the email. And along the same logic, we don’t want to take the risk of leakage through emails. And so we generally configure this to not include the attachment to the email, neither for the PDF of the signed document, nor for the audit report.

Now, on the group settings page, there’s also settings that will allow us to configure our preferences for the audit report. The audit trail in Acrobat’s line is system generated and it is available by default. There’s no way to turn it off. It’s just baked into the system. An audit trail is generated. You can print it in the format of an audit report, which is exportable in a PDF format.

And it’ll generally capture the key events like when the agreement was created, who signed it, when they signed it. But remember the regulatory authorities are expecting you to be able to reconstruct the sequence of events to tell the story of what happened. So it might be sufficient to just, the basic audit report might be sufficient to tell you when it was created, when it was signed, when it was completed. But if you need to track other information, you’re able to augment your audit report with additional settings, according to your preferences and according to your specific process needs for the types of documents that are being handled through the system.

So generally that is the overview of the settings. We can also apply additional settings. There are some settings that are not configurable at the group level. They must be configured at the account level and they globally apply to all users in your account. And I’m specifically thinking of security settings where you can actually define the web session duration. This is the number of minutes of inactivity before the web session logs the user out. I currently have it configured for 90 minutes just to make sure that I’m not logged out while I’m in the session of this webinar. But generally 90 minutes is longer than we typically see.

15 or 30 minutes seems to be typical, but please speak to your security team, your IT security team to see if there are any internal policies or preferences, just knowing that it is configurable, but logging user data is important because that will reduce the risk of somebody coming by your workstation and using the system in an unauthorized way on your behalf.

Also on this screen, you’ll be able to configure document link expiration. And this is a limit on the validity of the hyperlinks that are routed through email. And it’s also meant to secure access or add another layer of security over your ability to access the records. If the link is expired, it doesn’t mean the whole agreement is expired. It’s just your availability to the document through the hyperlink that will expire. And you can always request through the system that a new link be generated.

And so really that is the overview of the setup. Obviously there are many other settings available and you can adjust them and tweak them to meet your specific business needs. But assuming that this is the setup that we’re going to go with, we also need to understand that it’s not just how you configure the environment, but user access controls are also important. And so right now I’m going to navigate to the users page where you can see the list of users. I’m currently logged in as test three, and I’m going to show you user permissions for this user. This user is currently an account administrator. That’s what allowed me to see the admin page. This user is also given permission to sign the document, and you can see they’ve also been given permission to send the document.

And the send permissions are granted for two different groups, the default group and for the BioPharma group.

So I’m now going to change hat, switch from administrator and go into the system as a test three, who will be acting as a sender. As a sender, when you log into the system, you’ll be able to request e-signatures, which will take you to the send page. So not all users will be able to send documents. Not all users will be able to see the send page. It is only users who have been given the permission to send. So this is an example of user access controls and permission management. If you are a sender, you’ll be able to click on the send page and start the agreement. It’s important at this stage, if you’re a member of multiple groups, make sure that you’re sending from the correct group. You can see that I can switch from all the, between all the different groups that I have been granted permission to send from. It’s important to send from the BioPharma group, if you’re looking to obtain a signature that meets your regulatory requirements for part 11 signatures.

And so that’s the first step. Make sure that you’re sending from the correct group. At this point, you’ll be able to upload the document. You can choose the files, or you can just drag and drop. And I have a sample document here ready to go.

Once the document is uploaded, you’ll see that the screen lights up with additional fields and it’s walking you through the step. You have the ability to change the agreement name. Be mindful that the agreement name will appear in the emails that are sent from the system. They’ll appear in the audit report.

So, and by default, it’s taking on the file name of the document that I uploaded. So if you’re thinking about HIPAA compliance, make sure that you’re mindful not to include patient names or any other private information in the file name, because that will be visible throughout the workflow.

You’ll also see that there is a message that is pre-populated here. This message was configured through the group. There are templates in the message templates that we are configuring. And we specifically have configured this message here just to drive home that message that the signature is legally binding and that they are accountable for the actions taken under the authority of the electronic signature. It’s just reinforcing that regulatory expectation that signatures are meant to be deliberate and that there’s an element of accountability tied to that.

At the bottom of the screen, you’ll be able to identify the recipients. I’m gonna go ahead and add one email address for the simplicity for this demonstration. I’m going to add a user.

Only one signature will be requested on this document. And you’ll see that at this stage, I can see that the signer role is assigned. The signer role will expect that a signature be applied by this user. And you can also see that the authentication methods is assigned Acrobat sign. It’s possible to modify the authentication method, but not for this particular user. The reason for that is because this user is an internal user. And remember that we configured internal users to be using federated IDs with Acrobat sign authentication. So there’s no other choices available.

If this user, if this email address was an external party, at that point, I would have a different set of options for the authentication method.

For that point in time.

Excuse me.

It is, if I were to add additional users, I can also manage the signing sequence if I need to order or expect signatures to be applied in a specific order. If the order doesn’t really matter, you can remove that order. And you’ll see that the sequencing disappears and all the parties will be invited to sign in simultaneous order. So in my particular situation, it’s not really relevant because there’s only one party.

So advanced now, I can click on send now.

And clicking on send now will cause Adobe sign to insert a signature field where it thinks it should go. Normally it’s at the end of the document. Typically that’s not where we want it. Typically there’s just precise location in the document where we want the signature to be applied. So we click on preview and add fields. And this will take us to an intermediate authoring stage.

And what you’ll see here is the document. This is a clinical trial protocol that I am going to request the principal investigator to sign. So I’m gonna go straight to the approval page.

And what I’m going to do is make sure that the recipient is highlighted. And I’m going to take a signature field and drag it straight into the location where I want the signature to go. And I can resize this if I want.

And then when I’m happy with the way it looks, I click on send and off we go.

The sender at this date. Hey, Gianna, just wanna do a quick time check. We’ve got about 15 minutes left. Thank you. Yeah, thank you. So there we go.

Oh.

This will prompt the signer to receive an email.

And so I will log in. The signer will be able to see the email that they requested signatures.

They’ll also be able to see the document on their manage page.

And they’ll be able to open and sign the document straight from their manage page or from the link in the email.

And well, you’ll see here is the signature field. They’ll be able to type their name, draw their name if they want. When they’re happy with that, they cannot move forward until they select a reason for signing that is enforced by the biopharma settings. And when all that is done, they’ll be able to submit their signature. And again, biopharma settings kick in and what it means is that the user needs to authenticate at this moment in time.

Because we have set this up with federated IDs, it’s now gonna bounce me to my directory. Services, that takes control. Here it is Microsoft Active Directory or Azure AD.

Of course, what did I do wrong? There we go.

It’s the pressure of people watching you. And because our Microsoft Active Directory is configured to enforce MFA, I am prompted for the code, which I’m entering right now.

And there you go. The signature is complete. And at this stage, both parties will receive an email informing them that the document is signed. And as such, I will be able to go into the manage page and there it is, it’s signed. I am able to view it and you’ll see that the signature is applied and let me zoom in. And you’ll correctly see that the signature has a manifestation as the printed name, the reason for signing and the date and timestamp. From here, I’m also able to download the audit report and I’ll do that real quick.

And the reason why I want to show you this is because the audit report, can be extracted as a PDF.

Trying to bring it onto the screen.

There it is. And what you’ll see is that it contains the history of events, specifically the signature event with who signed it, when they signed it, why they signed it and what signature appearance they used. And really that is the walkthrough of the workflow. And so with that, I’m going to continue with a description of the resources that will help you navigate through your compliance journey.

There is some information available from Adobe. They have a wealth of information available on the Trust Center, including access to all of their compliance certifications and a whole bunch of white papers. So you can go to the Trust Center and filter on Document Cloud. You’ll be able to look for things like SOC 2, which will give you access to the SOC 2 reports, even the SOC 2 plus HIPAA report. And these are all useful, especially when you’re looking at qualifying Adobe as a vendor. You’ll also, if you search on CFR, you’ll also be able to see a couple of white papers with tons of information about 21 CFR Part 11 compliance, and also a handbook, which mirrors a lot of the information that I demonstrated today. So that’s really good. That’s all available to you on the Trust Center. What you’ll also have access to is from Adobe, is their help page, which will give you access to the administration guide, user guide, and also guidance for regulatory requirements. Also on the help X page, you’ll find information about the release management process, giving you access to pre-release notes, release notes and technical notifications.

And so you can, someone will put the link in the help of the help X in the chat so that you’ll be able to navigate through that. And then that is all available from Adobe, you’ll also gain access to documentation that will help you through your validation journey. There’s a validation template package that we have produced for a configured software application, following the standard V model approach that is advocated in the industry. So you’ll have a number of different documents that are provided to you as templates available for you to use, to adapt to your environment, to customize for your organization. And all of that is really available to you at no charge, just to help you get kick-started with your validation process. That’s really important to complete your validation if you’re looking to operate in a compliant manner.

Now CSV is very documentation heavy, as you can tell when you download the package, there are a number of different documents that you would produce. But the current trend is not so much you follow the CSV approach, it’s more now looking at the CSA approach, which flips the V upside down and encourages you to do some critical thinking and reduce the redundancy of some of the work. What Monstrum has done is tested Acrobat’s line, we have documented the test results following our quality system and our validation process, and those results are made available to you, they’re approved by our quality team, but they’re available for you to review, to assess for suitability where there’s overlap with their intended use. And if you think they’re suitable, then there’s a great opportunity for you to leverage them rather than to duplicate the testing effort. And so really that’s meant to give you an opportunity to streamline your validation efforts and to gain access to that content, all you need to do is go to Monstrum’s website, and on the website, you’ll be able to chat with an expert to get some expert advice on what to do, but you’ll also be able to download the package, you fill in the download request form, you can also indicate if you wanna be updated when the package is updated, which we do periodically in accordance with Adobe’s release cycle, and once you submit your download request, you’ll be immediately redirected to a download page where you can again, chat with an expert, or you can download the package with the execution results and the validation document templates.

And really that is cutting it close on time, but that was what I really wanted to show and to drive the message home, what I wanted to conclude with is just a message that there are a lot of materials available for you to help you through your compliance journey. Ultimately, you need to set up the environment correctly, you need to couple that with proper governance to make sure that your environment is controlled and used correctly, and with all of that, it is absolutely possible to use Acrobat sign electronic signatures in a compliant manner.

Amazing, Tiana, let’s go to our last poll here, let me bring that up right now. I am bringing that up on the screen, here it is, let’s launch that. So this is a two-parter, and again, if you can let us know in question number one, for those resources that Tiana shared at the end, which of those resources do you think you’ll explore after today’s session? And then for part two, how much impact do you think that this webinar and this overview will have on your compliance workflows? So folks can go ahead and answer those two questions.

I am seeing that the Trust Center documentation is going to be a big hit, I’m seeing that the help access is going to be very helpful, all of the resources will look like they’re going to be helpful, which is great, and people are saying that they think that this session is going to have a pretty large impact on their ability to meet their compliance regulations and best practices, which is fantastic, so let’s go to the next slide.

This is a survey, so if you folks would all mind just scanning that QR code with your phone, I’m also going to paste that into the chat pod right now, let me find that link, let me go to chat, and let me put that link into, or the Q&A pod, let me put that into the Q&A pod, I will post that, so if you go to the Q&A pod, you will see at the top of the Q&A pod the survey link, we’d love your feedback, we’d love to know what you liked about this webinar, how this webinar could have been more effective for you, and what future sessions would you like to see in the future from Adobe? So if you have other topics about Acrobat Sign that you’d like to see a webinar, let us know on that survey, we’d love to get your feedback. Next slide please, Tiana.

So Q&A, we have a little bit of time at the end here, a couple of minutes, there was one question that came in, Tiana, that I thought would be a good one just to cover, I don’t know if it’s possible, Tiana, for you to go back to your BioPharma admin settings, if not, I will just read the question, which is basically, this came in from Sharv, and they were asking about, for those BioPharma settings around enforcing identity authentication, there was those check boxes, check box number one was challenge the user to authenticate themselves when the agreement is opened, check box number two is challenge the user to authenticate themselves when the signer clicks a signature field in the agreement, that’s in the enforce identity authentication area, and so what Sharv was wondering is, if you could maybe quickly explain the differences between these two and kind of what the recommendations are on how to use check box one versus check box two.

So, the difference, you’ll have to go, have to step through the signature workflow to demonstrate it visually, but you’ll recall when I’d signed the document, I had to click on the field and the signature ceremony opened up where I was able to select a signing reason, so the second check box here will make sure that the user is authenticated before the signature ceremony is initiated, so before they select the reason, before they finalize anything. The last check box will authenticate when clicked to sign, so if you’ll recall, I had to put in my username and password and MFA code, that was only after I selected the click to sign button, so there are differences, the second check box will give you access to the signing ceremony, but you don’t necessarily need to complete the signature, and the last check box was really what’s gonna commit the signature to the sign button, so that’s really what’s gonna finalize the signature and that’s really what’s representative of the application of the signature, and so you could enable all three of them if you want, because that’s gonna be the most robust implementation, but users will complain about that, because just already with the configuration that I have on the screen, what this means is that users will need to put in their credentials twice to be able to finalize one signature on a document, so adding in the third layer is obviously better, sometimes more is better, but it’s a little bit too much for the user experience, and so that’s the reason really why we’ve chosen not to enable that. Great, thank you so much, Gianna. Well, we are right at the top of the hour. Why don’t you go back, if you wouldn’t mind going back to the survey slide, Gianna? Again, if you all wouldn’t mind, just take one minute, give us quick feedback on this session, but let’s wrap it up here. Thank you all so much for attending. Thank you to our star presenter, Gianna from Montrea for giving us this really deep overview, and I really look forward to everyone consuming those resources and reaching out to Adobe, either your support rep or your account rep if you have more questions or more ideas about how we can make this process better for you, but why don’t we wrap it up here? Thank you, everyone, for your time, and everyone, have a great day. Thank you very much.