Protecting Your Data, Your Employees, and Your Organization
The objective of this article is to identify how you can leverage your document management system to not only help protect confidential healthcare information, but also to help protect you and your organization from the penalties of non-compliance to Health Insurance Portability and Accountability Act (HIPAA) regulations.
If your organization provides healthcare to individuals in the United States, then it’s almost certain you are affected by HIPAA security rules. Under HIPAA, the United States Department of Health and Human Services (HHS) established a stringent set of rules for document and data security to protect the privacy of healthcare information.
Some organizations incorrectly assume that these rules only apply to doctors, health insurance companies, and hospital administrators. However, any individual or organization that collects, stores, holds, processes, or even has access to an individual’s personal health information is responsible for protecting that information, even if they’re not considered a “covered entity” under HIPAA. HIPAA violations can lead to very severe financial penalties, and in some cases, even criminal charges and incarceration. Even on-boarding applications given to your employees when they sign up for health insurance qualify as access to personal health information, and even though you may not be a “covered entity,” your organization is responsible for protecting that information.
HIPAA Overview
HIPAA security standards are categorized into 3 specific areas of “Safeguards”: Administrative Safeguards, which deal with organizational policies and procedures1; Physical Safeguards, which deal with the physical security of systems and information2; and Technical Safeguards, which deal with the electronic security of systems and information3.
It is important to note that it is not possible to create software that will automatically guarantee compliance with all HIPAA security requirements. Many of the Administrative and Physical Safeguards are focused on aspects of security that are not affected by systems and software. However, there are several areas, including data backup, and disaster recovery, where your document management system can help you avoid potential problems by ensuring security for personal health information and helping you comply with HIPAA regulations.
Data Backup
The HIPAA Administrative Safeguards require covered organizations to have a data backup plan in place to ensure that personal health information is secure and protected in the event of some kind of systems failure. Your document management system can help provide security and compliance in two ways: Firstly, if you have all of your data on-site, many systems can help you implement secure, encrypted off-site backup, which occurs automatically according to your specifications. Secondly, with some vendors, you can implement your entire document management system in the Cloud. With these systems, not only are your backups automatically fulfilled, but you also gain the benefit of the enhanced physical security that most independent, SSAE (Statement on Standards for Attestation Engagements) No. 16-verified data centers provide.
Physical Safeguards
Imagine HIPAA Physical Safeguards as the physical barrier between your healthcare information and anyone or anything that threatens to physically destroy or access it. For most small businesses and organizations, it can be quite expensive and often impractical to implement the level of physical security required to comply with or exceed HIPAA regulations. Imagine having to implement the following physical security capabilities to protect your systems that contain sensitive data:
- Power conditioning
- Strict environmental controls
- Redundant network connections
- Natural disaster protections
- Backup power generation systems
- Personnel access controls
- Intrusion detection
- Video surveillance
- Fire detection and suppression
- Offsite backup
However, as mentioned earlier, most Cloud-based document management systems are hosted in facilities that provide state-of-the-art physical security and protection against anything from a natural disaster to a power outage. In the best situations, your supplier’s data center may already have received HIPAA certification for their physical safeguards.
For organizations with on-premise document management systems, physical safeguards can be significantly more challenging. Some on-premise document management systems have very useful physical security features that align directly with their document management systems. For example, a document management system that provides automatic backups to a cloud-based server will effectively provide two benefits: Firstly, it fulfills the need for basic data backups, and secondly, it provides off-site storage for those backups.
However, on-site systems will still require significant effort to develop internal policies and procedures to physically protect sensitive information. Features such as uninterrupted power supplies and personnel access controls are a good place to start, but demand preparation for additional investments. A more in-depth analysis of physical security concerns can be found in our white paper titled “Crucial Document Management Security Concerns—Online and On-Premise.”
Emergency Operation and Disaster Recovery
Most employers are not sufficiently prepared for emergency operations or even disaster recovery. But consider this: What if one of your employees is injured in a fire at in your building, and it also happens to destroy the system containing critically important healthcare information for that employee? How are you going to recover that information? Since healthcare information is so important, HIPAA Administrative Safeguards also require covered entities to have a plan for secure access to personal health care information under emergency conditions, as well as a plan for disaster recovery. The best Cloud-based document management systems will ensure secure access to your critical data in a disaster situation and make it dramatically easier to plan for and recover from that disaster. Not only will it save you a lot of money in the event of a disaster, it will save your employee’s personal information.
Access to Information
HIPAA regulations define Technical Safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”3 In other words, Technical Safeguards are the measures you take to protect sensitive health care information when it is inside your system or being transmitted to or from your system. The good news is that the best Cloud-based services have processes in place to address many of these issues. Some on-premise systems from the best suppliers also cover many areas fairly well. However, if you have home-grown systems with highly sensitive information, you may have to keep up with this fast-moving area of security on your own. In order to meet or exceed the HIPAA requirements, you will want to make sure your system includes most, if not all, of the following capabilities:
- Proper user ID and password administration capabilities will help you ensure that all users are uniquely identified and that their passwords are sufficiently secure and periodically changed.
- Role-based account access and security will help ensure that only those individuals with proper authorization can access certain kinds of sensitive information. The best systems will allow you to implement multiple levels of access depending on the role of the user.
- Group-based access management will allow you to define groups of users and grant differing levels of access by group.
- Data redaction capabilities can dramatically increase usability by providing the ability to redact individual words or sentences in documents. This capability allows users with lower levels of clearance to view and work with a particular document while preventing them from viewing more sensitive areas of that document.
- Emergency access procedures ensure that information can still be securely accessed in an emergency situation.
- Automatic log-off capabilities help secure your sensitive data in case someone leaves a workstation unattended.
- Data encryption and decryption capabilities ensure that sensitive information cannot be viewed or interpreted without the correct encryption keys. The best systems use 256-bit encryption.
Audit Trails
Clear audit trails are another provision of the HIPAA regulations. Proper audit controls will record all activity pertaining to sensitive data, and particularly any activity which changes or captures information. In some cases, the logs generated by your document management system’s audit controls can be used directly for HIPAA compliance reporting. In addition, proper audit controls are extremely important when investigating potential security violations. Solid audit controls is something that should be included in all good document management systems, whether on-site or Cloud-based.
Data Integrity
HIPAA requires that policies and procedures be put in place to ensure that sensitive information is protected from improper alteration or destruction as a result of intentional or unintentional actions on the part of workers, or from technical causes such as media errors. Your document management system will need to have mechanisms in place to help identify or discover such errors when they happen. The best systems have electronic mechanisms that include elements such as check sum verification, digital signatures, or other electronic verification tools to automatically check for data integrity whenever the data is accessed or transmitted.
Identity Authentication
Under HIPAA, the organization must have procedures to verify that a person or entity seeking access to sensitive information is in fact who they claim they are. This can be as simple as a password or pin, some kind of card or key, or in some cases, it might be as sophisticated as the facial recognition or other bio-metric methods. Some of the best document management systems will provide in-depth authentication mechanisms within the software, in addition to easily allowing the integration of third-party authentication hardware.
Security During Data Transmission
HIPAA requires that the organization implement security measures to prevent the unauthorized interception of or access to sensitive information that is being transmitted over a network, whether it is an internal network or public network like the internet. As mentioned above, steps need to be taken to ensure that data is not corrupted (data integrity) during transmission, and nearly all document management systems handle this in the proper fashion.
The other aspect of data security during transmission deals with encryption and decryption. Unless data is properly encrypted prior to transmission across a network, it can often be intercepted and interpreted. Sophisticated encryption algorithms can prevent the data from being interpreted, even if it is somehow intercepted. The best document management systems use 256-bit encryption algorithms.
Summary
If you handle personal health information, even if it is just for your own employees, it simply makes good business sense to ensure that the information is secure. If you are a “covered entity” as defined by HIPAA, you are required to comply with HIPAA Security Standards. The failure to implement proper security in either case can have extremely serious consequences for your employees or customers and could potentially result in very damaging civil penalties or even criminal charges. In today’s environment, threats to your sensitive data are rapidly increasing. By ensuring your document management system can simplify HIPAA compliance requirements, you are dramatically reducing company risk while also providing confidence to your customers.
References
1—Security Standards: Administrative Safeguards, HIPAA Security Series, US Dept. Of Health and Human Services
2—Security Standards: Physical Safeguards, HIPAA Security Series, US Dept. Of Health and Human Services
3—Security Standards: Technical Safeguards, HIPAA Security Series, US Dept. Of Health and Human Services