
HIPAA and DMS

When it comes to healthcare, privacy is rule number one. It’s such an important rule that in 1996 Congress passed HIPAA, the Health Insurance Portability and Accountability Act, and the US Department of Health and Human Services (HHS) writes and enforces the rules that implement it.

If you handle protected health information (PHI, or ePHI for electronic data), you probably already know about being HIPAA compliant. In fact, the one thing you’re most aware of is that if you fail to meet compliance you could be facing hefty fines, criminal charges, or even jail time… so getting this right is your top priority.

Compliance

Generally speaking, there are 4 rules to consider for meeting compliance, but not all of these are considerations for the software you choose.

Privacy Rule

Security Rule

Enforcement Rule

Breach Notification Rule

To start, we’ll look at the features your next document management system must have. The first thing to note is what is ‘required’ versus what is annotated as ‘addressable’. Specifications labeled ‘required’ must be implemented; leaving one out is an automatic failure to comply with the HIPAA Security Rule. Specifications labeled ‘addressable’ must be implemented if, after a risk assessment, the covered entity determines that the specification is reasonable and appropriate for its environment. If the assessment concludes that it is not, you must document your rationale for that decision and either:

Option 1

Implement an equivalent alternative measure that is reasonable and appropriate, or

Option 2

Implement neither, in which case you must also document why the standard can still be met without it.

There’s a catch though. Even if you document your decision, an auditor can disagree with it, and you are the one who faces the penalty. If you are in doubt, it’s probably best to go ahead and implement the ‘addressable’ specifications, since most of them are best practices anyway.

HIPAA Security Rule

Remember those four rules for meeting compliance I mentioned? When it comes to software-related items on that list, you’re really only concerned with the Security Rule when looking at which DMS to buy. The Security Rule is made up of 3 parts:


Technical Safeguards

Designed to be technology-neutral, these safeguards focus on the technology that protects PHI/ePHI.


Physical Safeguards

These safeguards focus on securing the physical access to PHI/ePHI with things like backups and facility security plans.


Administrative Safeguards

Centered around administrative components, these safeguards are used to regulate and monitor access to PHI/ePHI.

All 3 parts include implementation specifications that software can help satisfy, but that does not mean the DMS you choose will have a hand in everything required here. Hosted or cloud solutions will need to cover areas in the Physical Safeguards section that an on-premises installation leaves to you.

Some policies and procedures that are requirements for compliance fall on users or admins in your company, so you’ll need to understand the requirements and how DMS can help you meet compliance.

Technical Safeguards

The Technical Safeguards focus on the technology that protects PHI and controls access to it. Security standards were designed to be technology neutral, so as to cover a broad spectrum of software solutions. There are 5 standards listed in this section. When implementing your DMS you’ll be looking at how features in the software meet these 5 standards.

Access Control

Software features that help prevent unauthorized access to ePHI fall in this category. The software must verify a user’s identity before allowing access to documents and information, and should be able to end a session automatically after a set period of inactivity.

The covered entity (that’s you) is responsible for establishing an emergency access procedure: a documented way for an authorized person, such as your Security Official, to obtain necessary ePHI during an emergency, with every such use recorded so it can be reviewed afterwards. So, you’re looking for these features in your DMS (the standard’s fourth specification, addressable encryption and decryption of stored ePHI, is covered under Transmission Security below):


Unique User Identification

(*required) A unique name and/or number for identifying and tracking user identity


Automatic Logoff

(*addressable) Automatic termination of an electronic session after inactivity


Emergency Access Procedure

(*required) Procedure for obtaining any necessary ePHI during an emergency.


How Does Ademero Measure Up?

With Content Central, each user is unique and can be configured to automatically logoff after a set amount of inactivity.

Also, Content Central administrators have full access to each user’s ePHI in case of emergency.

Audit Controls
(*required)

Covered entities are required to have audit controls in place to record and examine activity on software systems that contain ePHI. The ability to monitor

are the main features you’re looking for in your software to meet compliance, and the records must be as close to real time as possible to be useful. You will also need a policy in place within your company/office/etc. to review them regularly using tools provided in the software; tools like

Tool 1

Document History - including updates, edits, etc. to any document

Tool 2

Event Logging - including user access, incidents, etc. system-wide

Tools and features could be named differently depending on your software solution, but must cover these basic needs outlined above.


How Does Ademero Measure Up?

Ademero’s detailed system auditing and event logging lets you track logon and logoff activity, file access, updates, and edits, and helps you spot suspicious activity early.

Each document has its own extensive auditing through our Document History, which also records other common file tasks such as copying, checking in and out, downloading, and more.

Integrity - Mechanism to Authenticate ePHI
(*addressable)

This can be aided by your software, but the standard itself is about ensuring that ePHI has not been altered or destroyed in an unauthorized manner. Event logging and document history show who changed what and when; pair them with a mechanism that detects alteration outside the application, such as a checksum, hash, or digital signature on stored documents, and with backups that let you recover destroyed data, under whatever policy or procedure you put in place.
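The Access Control, Audit Controls and Integrity standards above each describe a feature, but not how the features fit together. The following is an added example, not code from this page or from Content Central, showing one way a DMS could implement them: unique user ids with an idle-timeout logoff, an append-only event log whose entries are hash-chained so that editing or deleting one is detectable, a separately logged break-glass path for emergency access, and a content hash per document to detect alteration outside the application. The user name, document id, timeout value and the tampering steps are constructed for the walk-through.

```python
"""Added example (not Content Central code): unique user ids, automatic
logoff, a hash-chained audit log and per-document content hashes.
Names, ids, the timeout and the sample document are hypothetical."""
import hashlib
import json
from dataclasses import dataclass, field

IDLE_TIMEOUT_SECS = 15 * 60   # hypothetical policy: log off after 15 min idle
GENESIS = "0" * 64            # previous-hash value for the first log entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class AuditLog:
    """Append-only event log; each entry commits to the previous entry's hash,
    so editing or deleting an entry breaks the chain."""
    entries: list = field(default_factory=list)

    def record(self, ts: int, user_id: str, event: str, **detail) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"ts": ts, "user": user_id, "event": event,
                "detail": detail, "prev": prev}
        body["hash"] = sha256_hex(json.dumps(body, sort_keys=True).encode())
        self.entries.append(body)
        return body

    def verify(self) -> bool:
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            expected = sha256_hex(json.dumps(body, sort_keys=True).encode())
            if body["prev"] != prev or expected != e["hash"]:
                return False
            prev = e["hash"]
        return True


@dataclass
class DocumentStore:
    """docs: doc_id -> (content, SHA-256 at last authorized write).
    sessions: unique user id -> timestamp of last activity."""
    docs: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)
    log: AuditLog = field(default_factory=AuditLog)

    def login(self, ts: int, user_id: str) -> None:
        self.sessions[user_id] = ts
        self.log.record(ts, user_id, "login")

    def _touch(self, ts: int, user_id: str) -> bool:
        """True if the session is live. A session idle longer than the timeout
        is terminated here (automatic logoff) and the event is logged."""
        last = self.sessions.get(user_id)
        if last is None:
            return False
        if ts - last > IDLE_TIMEOUT_SECS:
            del self.sessions[user_id]
            self.log.record(ts, user_id, "auto_logoff", idle_secs=ts - last)
            return False
        self.sessions[user_id] = ts
        return True

    def write(self, ts: int, user_id: str, doc_id: str, content: bytes) -> bool:
        if not self._touch(ts, user_id):
            return False
        digest = sha256_hex(content)
        self.docs[doc_id] = (content, digest)
        self.log.record(ts, user_id, "write", doc=doc_id, sha256=digest)
        return True

    def read(self, ts: int, user_id: str, doc_id: str, emergency: bool = False):
        """Document bytes, or None when no live session exists. emergency=True
        is the break-glass path: it bypasses the session check but is logged
        as its own event type so every use can be reviewed."""
        if emergency:
            self.log.record(ts, user_id, "emergency_access", doc=doc_id)
        elif self._touch(ts, user_id):
            self.log.record(ts, user_id, "read", doc=doc_id)
        else:
            return None
        return self.docs.get(doc_id, (None, None))[0]

    def integrity_check(self) -> list:
        """Ids of documents whose bytes no longer match the hash recorded at
        the last authorized write, i.e. altered outside the application."""
        return [d for d, (content, h) in self.docs.items()
                if sha256_hex(content) != h]


def run_scenario() -> dict:
    """Constructed walk-through: a normal read, an idle timeout, a break-glass
    read, then tampering with the log and with a stored document."""
    store = DocumentStore()
    store.login(0, "dr.jones")
    store.write(10, "dr.jones", "chart-001", b"BP 120/80")
    before = store.read(600, "dr.jones", "chart-001")        # 590 s idle: allowed
    after = store.read(600 + IDLE_TIMEOUT_SECS + 1, "dr.jones", "chart-001")
    emergency = store.read(2000, "dr.jones", "chart-001", emergency=True)
    chain_ok = store.log.verify()
    # Simulated attacker rewriting the hash recorded for the write event.
    store.log.entries[1]["detail"]["sha256"] = sha256_hex(b"BP 999/80")
    chain_after_tamper = store.log.verify()
    # Simulated alteration of the document on disk, outside the application.
    store.docs["chart-001"] = (b"BP 999/80", store.docs["chart-001"][1])
    return {"read_before_timeout": before, "read_after_timeout": after,
            "emergency_read": emergency,
            "events": [e["event"] for e in store.log.entries],
            "chain_ok": chain_ok, "chain_ok_after_tamper": chain_after_tamper,
            "integrity_failures": store.integrity_check()}
```

Calling `run_scenario()` returns the read before and after the timeout, the event sequence (login, write, read, auto_logoff, emergency_access), and the two integrity results: the chain verifies until the log entry is edited, and the document shows up in `integrity_check()` once its bytes are changed without an authorized write. In a real deployment the log would be written to storage that application users cannot modify, and emergency_access events would be reviewed on a schedule.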

Authentication
(*required)

If the software features the password protection and automatic logoff mentioned under Access Control above, then it includes the basic tools you need to meet this standard; multi-factor authentication goes beyond the minimum and is worth looking for.

Transmission Security - Integrity Controls
(*addressable)

Designed to ensure that security is in place for ePHI, measures must be taken to guard against unauthorized access to, or modification of, ePHI while it is being transmitted over any electronic communications network.

The solution can vary, but it boils down to making sure transmitted data cannot be altered undetected: the message authentication built into TLS, checksums or digital signatures on transferred files, and similar controls. Network defenses such as firewalls and intrusion detection systems complement these and fall in the wheelhouse of whoever maintains your network; see Physical Safeguards below for more info.

Transmission Security - Encryption and Decryption
(*addressable)

For the sender of ePHI, encryption converts the message in a file or document from a readable to an unreadable format. Decryption is the reverse.

While not annotated as required, under HIPAA every breach of unsecured ePHI requires you to provide time-bound notifications to affected patients, the Secretary of HHS, and, for larger breaches, prominent local/state media outlets, which puts you at risk for fines, lawsuits, bad PR, and more.

The good news is that under the Breach Notification Rule, ePHI encrypted in accordance with HHS guidance is not considered ‘unsecured’, because it cannot be read or otherwise used without the key(s) required to decrypt it; that protection only holds if the keys were not compromised along with the data.

So, though this one’s not required, it’s a best practice to have this feature included in your software to protect data both while it is being sent across your network (‘in transit’) and while it is stored (‘at rest’).


How Does Ademero Measure Up?

Data security is one of the top reasons users choose Ademero. Whether files are at rest or in transit, data is encrypted with tools like TLS (the successor to SSL) and protected against unauthorized intrusion.

Physical Safeguards

The next set of rules and guidelines focus on physical access to ePHI. Physical Safeguards like data backups and facility security plans apply to whoever is managing your server, the machine that houses your data and the DMS software. There are 4 standards in this section:

Facility Access Controls

Workstation Use

Workstation Security

Device and Media Controls

When it comes to the physical protection of data, there are many requirements, from backup power generators to video surveillance and beyond. Sensitive healthcare information and documents must be kept secure from both human and environmental threats.

Most cloud-based systems are already hosted in facilities that meet this level of physical security as well as the requirements below, but confirm it in writing and in your BAA rather than assuming it.

Facility Access Controls

Your Security Official is responsible for ensuring that this standard is implemented and in place, whether it’s being handled by your hosting company or in-house. There are 4 specifications within this standard:


Contingency Operations

(*addressable)
Establishing procedures to restore ePHI should it experience a disaster or an emergency related to its physical location.


Facility Security Plan

(*addressable)
Establishing procedures that safeguards the facility and equipment from unauthorized physical access, tampering, and theft.


Access Control & Validation Procedures

(*addressable)
Establishing procedures to control and validate a person's access to facilities based on roles and functions.


Maintenance Records

(*addressable)
Establishing procedures to document repairs and other maintenance to the physical components of a facility.

Workstation Use
(*required)

This standard requires policies and procedures to protect ePHI at the workstation level: the functions a workstation may be used for, how those functions are to be performed, and the physical surroundings in which access to ePHI is permitted.

Workstation Security
(*required)

This standard is centered around the implementation of physical safeguards for all workstations that have access to ePHI to restrict access to authorized users. The solution is dependent on the covered entity’s risk analysis and risk management process, so it can cover a variety of solutions to meet your specific needs.

Device and Media Controls

This standard requires policies and procedures that govern the receipt and removal of hardware and electronic media containing ePHI into and out of a facility, along with the movement of these items within the facility. There are four specifications within this standard:


Disposal

(*required)
Establishing procedures to address the final disposition of ePHI, and/or the hardware or electronic media in which it is stored.


Media Re-Use

(*required)
Establishing procedures for removal of ePHI from electronic media before the media is made available for re-use.


Accountability

(*addressable)
Establishing and maintaining a record of the movements of hardware and electronic media and any person responsible.


Data Backup and Storage

(*addressable)
Establishing a retrievable and exact copy of ePHI, when needed, before movement of equipment.

Ultimately, hosted solutions can be a great way to save on the expense of having to implement physical security solutions in-house; see hhs.gov for more information on implementing physical safeguard requirements.


How Does Ademero Measure Up?

Ademero works closely with Google Cloud Platform to provide secure data-center facilities for your documents and information.

Pairing with such a trusted name has significant benefits for our hosted customers like third party auditing, trusted infrastructure and facility controls, and compliance with numerous standards beyond those for HIPAA Compliance.

Administrative Safeguards

The final category of safeguards is centered around the security measures used to regulate and monitor access to your documents and information.

The administrative components are very important for HIPAA compliance and lay out requirements like assigning an in-house Privacy Officer and Security Official, performing regular risk assessments, employee training, reviews of policies and procedures, executing BAAs, and more.


The list of requirements in this section is extensive, but as it pertains to software there are just a couple of features that the software would need to include which are closely tied to requirements outlined in the Technical Safeguards section above.

Login Monitoring

(*addressable)
While the act of monitoring requires policies and procedures within your company, the software should provide tools for such a task.

Password Management

(*addressable)
The requirement specifically calls for procedures to be in place at your company for password management, but the software’s ability to create, change, and safeguard passwords is a feature you need in order to meet this standard.

Response and Reporting

(*required)
This standard mandates that security incidents must be identified, documented, and responded to in a timely manner. Software can help meet this requirement with features like document history and system event logging.

Keeping it Simple

The hard part about HIPAA is knowing exactly what it takes to be compliant with whatever software you choose, but it doesn’t have to be hard. From the software side it’s actually pretty simple, which should help you narrow in on the one you want to purchase fairly quickly. When you boil it down, HIPAA is asking for 4 things with all these rules and regulations.

• Put safeguards in place to protect PHI and ePHI.

• Reasonably limit use and sharing of information to the minimum number of people necessary to accomplish your goal.

• Have agreements in place (BAAs) to ensure service providers that perform covered functions for you do not disclose PHI and safeguard it appropriately.

• Have procedures in place to limit access to PHI and a training program in place to train employees on protecting this sensitive information.

When it comes to picking a DMS, there are several features you’ll need in order to meet compliance. Individual software might call these by different names, but in the end, you’ll be looking for features that provide

Unique User Identification

Password Protection

Automatic Logoff

Transmitting Data Encryption & Decryption

Complete Electronic History of Documents

System Event Logging

Login Monitoring

If you’re using your DMS provider to host your system on the cloud, then you’ll also be looking for the requirements for Physical Safeguards like

Data Backups

Redundant Power and Servers

Disaster Recovery Plan

Physical Security

Video Surveillance

Fire Suppressant

Limited Access to Servers

When it’s all said and done, you’ll be looking for much more out of your DMS than just an electronic version of a file cabinet. You’re looking for a robust and simple solution that meets all your needs at one low price. One that’s fast to implement, has all the features you need, with a snappy user interface that’s easy to use and understand.

Content Central will keep your office moving with features that do more than just help you meet HIPAA compliance. But don’t just take our word for it, give it a try yourself and see your customized solution in action.

Download a free trial of our Document Management Software today to see just how Content Central works for meeting HIPAA Compliance.

Download Trial


Schedule a personalized demonstration today to see exactly how Content Central can help you meet HIPAA Compliance today.

Schedule a Demo


Learn more about Content Central and how it will help you meet HIPAA Compliance with videos, brochures, and other downloadable information.

There's More to Discover!
