Overview
When a crew transfers a patient to the receiving emergency department, the handover is the moment clinical responsibility moves between organisations. Capturing that moment as a co-signed, cryptographically anchored event removes ambiguity over time, content, and who was present, and gives both the ambulance service and the hospital an unforgeable shared record of the exchange.
The Witnessed Patient Handover with Digital Signature module lets the crew and the receiving ED clinician co-sign the ePCR handover on the responder mobile in seconds. Each signature is hashed, cryptographically signed against the encounter snapshot, time-stamped against an external trusted authority, and chained into the immutable witness ledger alongside the canonical incident.
Last Reviewed: 2026-05-05 Last Updated: 2026-05-05
Key Features
- Dual-Actor Co-Signed Handover: Both the handing-over crew member and the receiving ED clinician sign the same handover on the responder mobile, producing a single witnessed record rather than two disconnected attestations.
- Encounter Snapshot Anchoring: At the moment of signing, the ePCR encounter content is frozen and hashed, so each signature is bound to the exact clinical record handed over rather than a later edited version.
- Cryptographic Signature Chain: Signatures are signed with a modern elliptic-curve scheme and chained into an append-only witness ledger, producing tamper-evident evidence of the handover event.
- Trusted External Time-Stamping: Each signed handover is sealed with a time-stamp token from an external trusted authority, so the time of handover does not rely solely on device or server clocks.
- Long-Term Validatable Evidence: The signed handover document is structured so its signatures and time-stamps remain verifiable long after the original session, key material, or device has rotated out of service.
- Incident-Linked Handover Record: The signed handover is linked to the canonical incident, not just to the encounter, so the full operational timeline of the case carries the handover moment as a first-class event.
- Receiving Clinician Witness Capture: The receiving ED clinician signs as a named witness on-device, removing reliance on paper countersignatures or after-the-fact email confirmations.
- Encrypted Signature Storage: Captured signature blobs are encrypted at rest using a current authenticated-encryption profile, so the visual signature itself is protected alongside the cryptographic proof.
- Standards-Aligned Signed Document: The resulting handover document is represented using widely adopted clinical interoperability resources, so it can be exchanged with hospital systems without bespoke formats.
- Audit-Ready Evidence Bundle: The signed handover, its hash chain entry, and its time-stamp can be exported together as a single evidence bundle for clinical audit, governance, or legal review.
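The snapshot anchoring and signature chain described above can be sketched with Ed25519 and SHA-256, the algorithms this page names under Open Standards. This is an added example, not the product's code: the `Entry` layout and the `Append`, `Verify` and `demo` names are hypothetical, the sample records and keys are constructed, and the RFC 3161 time-stamp and AES-GCM storage steps are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Entry is a hypothetical ledger record (layout assumed, not the product's format).
type Entry struct {
	Prev, Snapshot  [32]byte // previous entry's hash; SHA-256 of the frozen encounter
	CrewSig, WitSig []byte   // Ed25519 signatures: crew member, receiving clinician
}
// msg is what both actors sign: the chain link followed by the snapshot hash.
func (e Entry) msg() []byte { return append(e.Prev[:], e.Snapshot[:]...) }
// Hash covers the signed bytes and both signatures; the next entry stores it as Prev.
func (e Entry) Hash() [32]byte { return sha256.Sum256(append(append(e.msg(), e.CrewSig...), e.WitSig...)) }
// Append freezes the snapshot, collects both signatures and chains the entry.
func Append(ledger []Entry, snapshot []byte, crew, wit ed25519.PrivateKey) []Entry {
	e := Entry{Snapshot: sha256.Sum256(snapshot)}
	if n := len(ledger); n > 0 {
		e.Prev = ledger[n-1].Hash()
	}
	e.CrewSig, e.WitSig = ed25519.Sign(crew, e.msg()), ed25519.Sign(wit, e.msg())
	return append(ledger, e)
}
// Verify returns the index of the first failing entry, or -1 if every entry holds.
func Verify(ledger []Entry, snaps [][]byte, crew, wit ed25519.PublicKey) int {
	var prev [32]byte
	for i, e := range ledger {
		if i >= len(snaps) || e.Prev != prev || e.Snapshot != sha256.Sum256(snaps[i]) ||
			!ed25519.Verify(crew, e.msg(), e.CrewSig) || !ed25519.Verify(wit, e.msg(), e.WitSig) {
			return i
		}
		prev = e.Hash()
	}
	return -1
}
func demo() (r [3]int) { // constructed data: intact, record edited later, witness sig swapped
	pc, crew, _ := ed25519.GenerateKey(nil) // fresh demo keys; errors ignored for brevity
	pw, wit, _ := ed25519.GenerateKey(nil)
	snaps := [][]byte{[]byte("pt A: GCS 15"), []byte("pt B: GCS 9")}
	l := Append(Append(nil, snaps[0], crew, wit), snaps[1], crew, wit)
	r[0], r[1] = Verify(l, snaps, pc, pw), Verify(l, [][]byte{snaps[0], []byte("pt B: GCS 14")}, pc, pw)
	l[0].WitSig = l[0].CrewSig // witness signature replaced by a copy of the crew's
	r[2] = Verify(l, snaps, pc, pw)
	return r
}

func main() { fmt.Println(demo()) }
```

Because both signatures cover the previous entry's hash as well as the snapshot hash, a verifier holding the two public keys can tell an edited record from a broken chain link without trusting the storage layer.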
Use Cases
- Routine ED Handover: A crew arrives at an emergency department, presents the patient summary, and co-signs the handover with the receiving nurse before clearing for the next call.
- Disputed Time-of-Handover Investigation: A later query about exactly when clinical responsibility transferred can be answered with a cryptographically time-stamped, witnessed record rather than recollection.
- Clinical Governance Review: An ambulance service reviewing handover quality can pull signed handover records together with the canonical incident timeline to assess content, timing, and witnesses.
- Hospital-Side Reconciliation: A receiving hospital can reconcile its own arrival and triage records against a signed handover record that names both parties and freezes the handed-over content.
- Cross-Organisation Incident Closure: When closing out a complex incident that crossed agencies, the signed handover provides an unambiguous transfer point between pre-hospital and in-hospital responsibility.
- Regulatory and Coronial Disclosure: When a case proceeds to formal review, the witnessed handover bundle provides defensible evidence of who handed over what, to whom, and when.
Integration
- Responder Mobile ePCR Workflow: The signature flow extends the existing handover screen on the responder mobile so the dual-actor capture happens in the same step the crew already takes today.
- Encounter Record and Clinical Audit Trail: The signed handover attaches to the encounter as a clinical document and is recorded in the audit trail as a witnessed clinical event.
- Canonical Incident Timeline: A handover-signed event is logged on the canonical incident, so the operational picture of the call carries the handover moment alongside dispatch, on-scene, and transport milestones.
- Incident Evidence Attachments: The rendered signed handover document is stored against the canonical incident as a classified evidence attachment, available to authorised reviewers later.
- Hospital Disposition Feedback Loop: Later disposition feedback from the receiving hospital can be reverse-linked to the same canonical incident, so the handover and the eventual clinical outcome live on a single thread.
- Trusted Time-Stamp Authority: A dedicated time-stamp client communicates with an external authority so the signed handover carries a token from a source independent of platform clocks.
- Witness Ledger and Immutable Audit Service: Each signed handover is appended to the Ed25519-chained witness ledger, providing tamper-evident continuity across signed clinical events.
- Event Stream: Handover lifecycle events are emitted on the platform event bus so downstream systems can react to signed and witness-added events without polling.
Open Standards
- Ed25519 (RFC 8032): handover signatures use a modern elliptic-curve digital signature scheme with strong security and compact signatures suitable for mobile capture.
- SHA-256: encounter snapshots and signature payloads are hashed using a widely adopted secure hash function as the basis for the signed content.
- AES-GCM 256 (NIST SP 800-38D): at-rest encryption of captured signature blobs uses an authenticated encryption mode aligned with current cryptographic guidance.
- RFC 3161 Time-Stamp Protocol: signed handovers are sealed with a time-stamp token from an external trusted authority so the time of signing is independently anchored.
- HL7 FHIR R4 Provenance: the signature, witnesses, and signing context are represented using the standard clinical provenance resource, including the witness signature pattern.
- HL7 FHIR R4 DocumentReference: the rendered, signed handover document is exchanged as a standard clinical document reference with the hospital and across the platform.
- eIDAS 2.0 (EU 910/2014 as amended): the handover signature flow is aligned with the advanced electronic signature pattern recognised under the European trust services framework.
- ETSI EN 319 102-1: the signed evidence is structured to support long-term validation, so signatures and time-stamps remain verifiable beyond the lifecycle of the original keys and devices.
- CloudEvents 1.0: handover lifecycle events such as `argus.handover.signed` and `argus.handover.witness_added` are emitted using the open event envelope so any subscriber can consume them with standard tooling.
- HTTPS / TLS: all signature, time-stamp, and document exchange traffic moves over the standard secure web transport baseline.
- JSON: signed handover payloads, witness ledger entries, and event envelopes are exchanged using a common structured format for portability across systems.