Document Management, HIPAA and Compliance

So what is this HIPAA thing, and how does it apply to the management of Documents? Here is my understanding, and an overview of the basic details.

The Health Insurance Portability and Accountability Act (HIPAA) was put in place to protect personal health information and to improve the process of information transfer through standardization. The Act was put in place in 1996 as a "kick in the pants" to the Health Care industry, designed to place requirements on how patient information is handled, transfered and maintained. From a technical perspective there are several areas of focus:

• Standards on electronic transactions
• Standards on code sets for information
• Provision for unique identifiers for employers and providers
• Privacy of individual health information
• Security and Digital Signatures

The first two areas of focus were created to standardize the transmission of administrative and financial healthcare transactions. This definied, standardized format is to be used for any number of transmissions, including claim status, payment and remittance as well as referrals and authorizations (and many others).
From a Document Management perspective, the real impact is on the privacy and security portion. This section is the most controversial, and holds the healthcare entity liable for any breach of patient confidentiality or disclosure of private information. Organizations are required to create privacy policies and procedures and manage the patient records. Below is a summary of the privacy requirements:

• The right for patients to copy and inspect their health information
• Required training for employees on privacy regulations and procedures
• Policies and procedures are required for the disclosure of information and access
• Patient authorization for the disclosure and/or use of private information
• Documentation of access, use and disclosure

These are just a few of the requirements.
An Electronic Document Management System, or Electronic Medical Record System provides the best path to HIPAA compiance. The correct system will maintain proper security, audit all access, and allow policies and procedures to be enforced.
Some additional compliance links at:
Further information on HIPAA and Document Management

Document Management and Security - Continued

In my previous article, I discussed the general security tenets and how to apply them to the planning stages of an ECM/Document Management Project. The focus of this article will be some additional focus areas when examining a system, and what to look for in a vendor.

When evaluating an ECM or Document Management System on its security features and functions, there are five key areas:

Identification
This is the process in which the system identifies the user. Most DMS/ECM Systems have the ability to identify users upon access to the system. This step is key to the below areas of focus.

Authentication
This step verifies and validates the user’s identity. Most ECM/DM software provides the ability to authenticate to standard user repositories (Windows Active Directory and LDAP), but this functionality is usually an additional module, or specialized product.

Accountability
More and more legislation is being passed to ensure organizations can provide audit trails and detailed logs on user activity and record activity within an ECM system. Accountability is just that, the ability of a system to provide a record of all transactions and activity within the repository. This is critical for organizations within certain verticals (health care, finance, etc.). Once again, the majority of products on the market include some sort of basic logging, but there are usually add on modules for “enhanced logging and auditing”.

Authorization
After a user has been authenticated, the system will grant them the appropriate rights and permissions within the repository. This is a critical requirement, as you would not want Operations personnel accessing Accounting or HR files. Some systems provide even further granular control to not only restrict access, but also to restrict the use of certain functions and features within the application. This is accomplished through the use of roles or groups to which users can be assigned.

Privacy
Of all the areas listed, this is usually most difficult, and requires security controls outside of the ECM/DM system. Privacy ensures that all user activity remains private and confidential. This can be accomplished through encryption of all traffic to and from the system, and proper security controls on the workstation and server.


Security is often overlooked when selecting and planning for an ECM/DM implementation. The five areas above comprise key areas of focus when evaluating ECM/DM technologies.

Stephen Boals, CISSP
sboals@scanguru.com
http://www.scanguru.com/