Why Document Management Software:
Regulatory and Government Perspectives
Preface
The use of entities’ logos below does not mean they endorse or certify eFileCabinet as a technology facilitating compliance to their standards, directives, acts, or laws. eFileCabinet can only claim full compliance with HIPAA and SEC standards.
What You Need to Know
One of the easiest ways to meet these security demands head-on is through use of a top-rated document management software (DMS). The perspectives of these authorities are not intended to serve as legal stipulations for document management system use, but rather arguments for it.
These arguments are often revealed implicitly in the standards these authorities have developed to accommodate legal issues surrounding information management needs and how these needs can be met via document management software and similar information management technologies.
The Association for Information and Image Management (AIIM)
AIIM notes on its website that ROI, labor savings, printing costs, photocopier costs, lost and misfiled documents, email management, storage costs, improved customer service, improved document security, and disaster recovery strategy are great reasons to go paperless, and use of a document management system can facilitate these benefits.
The Securities and Exchange Commission (SEC)
The SEC’s one caveat to going paperless, whether via a document management system or some other medium, is ensuring information is not compromised or omitted. Going paperless makes SEC audits easier and quicker than the typical 3 to 4-month process should an audit of your organization occur.
Given the SEC’s plan to hire over 200 more staff members to conduct a greater number of audits in 2016, more US organizations are likely to be audited than ever, and paperless document management software will not only expedite auditors’ processes, they will ensure security of information on behalf of the organization, making the audit a less painful process.
What’s more, the SEC plans to implement a Consolidated Audit Trail (CAT) as a national market system so all trading activity can be monitored. Widespread adoption of the document management system would be conducive to this plan, and expedite its implementation.
The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules
As a compliance requirement, this should always be considered in tandem with document management software and enterprise grade technology use in general. Its most relevant components for document management software users are its privacy and security sections. Each of these rules details security and privacy standards that DMS facilitates and simplifies.
The Privacy Rule of HIPAA describes the technological requirements for confidentiality codes and practices in healthcare, explaining that protected health information (PHI) “should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function.”
The encryption in DMS’s file-sharing services upholds this HIPAA standard for data and information in transit as well, and is delivered primarily via the client sharing and web portal, SecureDrawer.
The Security Rule of this Act sets forth national standards for the protection of certain health information transferred electronically. The law explains that any entity adopting security standards to better comply with HIPAA regulations should also consider the technical, hardware, and software infrastructure responsible for the organization’s information.
HIPAA’s website outlines the importance of adhering to four technical safeguards, all of which are solidified by document management software use: access control, audit controls, integrity controls, and transmission security.
Enacted to some degree to accommodate the proliferation of DMS and similar technologies, DMS’s built-in security features, which simplify compliance, make following the necessary HIPAA rules easier for contract nurses, healthcare clinics, and hospitals.
More specifically, the HIPAA security rule outlines four mandates: 1) ensure confidentiality, integrity, and availability of all e-PHI (electronically Protected Health Information) that is created, received, maintained, or transmitted; 2) identify and offer protection from anticipated threats to either the security or integrity of information;
3) protect against reasonably anticipated, impermissible uses or disclosures; 4) and finally, ensure compliance by their workforce. Using a document management solution drastically reduces the amount of time and money it takes to ensure compliance with these mandates—freeing room for healthcare organizations to do as they wish with the savings in time they gain.
This is the minimum compliance requirement that should be considered in tandem with document management software use. The Health Insurance Portability and Accountability Act of 1996 is a law addressing many facets of healthcare information, and is only useful to document management system users in its privacy and security sections—both of which detail security and privacy standards that DMS both ensures and simplifies:
The Privacy Rule of HIPAA, which discloses the minimum necessary requirements for confidentiality codes and practices in healthcare, explains that protected health information should not be used or disclosed when it is not necessary to satisfy particular purposes or carry out a function. The encryption in document management software file-sharing services upholds this HIPAA standard for data and information in transit.
On the other hand, The Security Rule of HIPAA established national standards for the protection of certain health information transferred electronically. The law explains that any entity adopting security standards to better comply with HIPAA standards and regulations should consider technical, hardware, and software infrastructure, which DMS simplifies for IT teams.
The Health Information Technology for Economic and Clinical Health Act (HITECH)
Although many hospitals already use EMR or EHR systems, these systems are rendered ineffectual because many hospital patients still demand via HIPAA that their records be mailed to them via snail mail, keeping disorganization inherent within hospitals that have gone “fully paperless.”
Adopting document management software in lieu of EMR or EHR systems will allow hospitals and other healthcare organizations to utilize client sharing portals for their patients, ensuring both the safety of patient information that HITECH demands and paperless business models for patients.
Additionally, a document management system with a mobile app platform helps healthcare clinics and HR departments within hospitals successfully manage the BYOD (Bring Your Own Device) phenomenon.
The Sarbanes-Oxley Act
Although the Act contains 66 sections and 11 parts, section 302 is most relevant to document management software users—declaring that the procedure for preparing reports on an organizations’ financial earnings must be accessible, accurate, and without omission of any sort.
Also relevant to document management software users, section 401 of the act states that “financial statements published by issuers are required to be accurate and presented in a manner that does not contain incorrect statements or omit material information.”
Section 404 is also relevant because it discusses why publishing information in an organizations’ annual reports requires transparency in the divulgence of internal control structures and procedures for financial reporting.
Finally, section 802 of the Sarbanes-Oxley Act is also relevant to document management system users, because DMS helps managers and administrators keep employees from “altering, destroying, mutilating, concealing, or falsifying” records via role based user permissions.
Document management software helps administrators and managers identify whether these documents are being tampered with and who may be tampering with them, whether intentionally or unintentionally.
eIDAS: A New European Union E-Signature Regulation
The goal of eIDAS is to help these 28 members of the European Union recognize and give credence to each respective member’s electronic identification methods—increasing the interoperability of digital transactions across the European Union.
Document management system use, as it advents throughout the EU, can help organizations within this territory abide by and uphold the strictures of this impending legislation, which will take full effect in July of 2016.
The National Institute of Standards and Technology (NIST)
Organizations can prevent cyber security breaches with use of a document management system. NIST Media Relations Director, Jennifer Huergo, notes that “organizations need to be able to recover quickly from a data integrity attack and trust the accuracy and precision of the recovered data.”
Document management software ensures both the accuracy and precision of recovered data, in the rare event it is lost, through automated data backup and restore function. This organization also cares about technology security, and has made the advent of block cyphering encryption important to solidifying DMS’s relevance as a security facilitator for organizations in various industries.
First brought into law in 2001, the AES (advanced Encryption Standard), created by the NIST, emerged in response to the increased threat of security breaches. An important standard for organizations and DMS vendors alike, the tenets of this standard introduced what is not considered the preeminent standard for security algorithms in technology.
This encryption standard upholds block ciphering algorithms as the premier method of encryption for enterprise-grade technology. Relevant to DMS users, the committee selecting the encryption algorithm Standard chose, within the realm of block ciphering encryption, “symmetric keys for encryption and decryption” after reviewing research conducted in cryptographic and security testing laboratories.
DMS users who want to keep customer information secure in rest and in transit should rely upon DMS vendors with these encryption algorithms, and most DMS vendors already have these in place.