Gearing Up for HIPAA Compliance Audits in IT, Part 6: Document Management

How to prepare for HIPAA audit with document management and EHRs

A good electronic document management system is an essential part of, or complement to, an electronic health record (EHR), and to your copiers and printers as well. Let us be honest – as much as you might want to deal only with e-documents, you will need to handle paper for the foreseeable future. So, if you are facing a HIPAA audit, it is essential to make sure that paper records are handled with as much care as digital ones. In my continuing series on preparing for these new HIPAA audits, I have invited Dennis Porter, our document management expert, to cover issues related to document management, EHRs and PHI (protected health information).

If I put myself in the auditor’s shoes, there are several things I would look at closely when it comes to document management processes and PHI security in health care.

  • Access to PHI. Best practice is to lock down employee access based on network ID – which is the same security as a domain login. So, when a person logs into the EHR or document management software, they are only granted access to very specific pieces of data. Make sure whatever system you are using allows you to restrict access at the category, folder and even document levels.
  • Audit Trail. The best document management systems and EHRs will provide documentation of all actions associated with documents, categories and folders in real time. This audit log will let you see who looked at a document, who changed it, who printed it, who emailed it, etc. And, if someone intentionally or accidentally deletes a document, the system administrator can recover it easily.
  • Server Management Component. This is the system’s security roadmap, and you should look at it carefully to ensure login permissions are right for who is allowed to view, modify, email and print PHI and other documents. If someone doesn’t have access to a particular folder, then that person should not even be able to see that folder when logged into the document management system.
  • Second Level of Security Passwords. Many good document management systems will offer another level of password protection above the network login. In most business environments, this isn’t necessary. But, if a HIPAA audit is imminent, it’s good if you have this avenue to explore.
  • Internal Policies. These medical document management and EHR security safeguards are only as good as your network administrator and his or her network security. And, they are only as good as your internal policies and how seriously employees take them. For example, if people don’t think about logging in or out before sharing a work station, then you have a bigger problem that no e-security measure is going to fix.
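To show how the first three controls above fit together, here is an added Python model (mine, not the code of any EHR or document management product mentioned in this post): rights are resolved at category, folder or document level with the most specific grant winning, listings hide anything the user may not view, deletions go to a recoverable recycle bin, and every attempt, allowed or denied, lands in the audit trail.

```python
# Constructed model of the controls above (example code only, not any product's):
# rights resolved at category/folder/document level, listings hiding what a user
# may not view, and an audit trail that records denied attempts too.
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class DocumentStore:
    documents: dict = field(default_factory=dict)   # "category/folder/doc" -> content
    grants: dict = field(default_factory=dict)      # network id -> {path prefix: {rights}}
    audit_log: list = field(default_factory=list)
    recycle_bin: dict = field(default_factory=dict) # soft-deleted, recoverable by admin

    def _rights(self, user, path):
        # The longest matching prefix wins, so a document-level grant
        # overrides its folder, which overrides its category.
        best, rights = -1, set()
        for prefix, r in self.grants.get(user, {}).items():
            if (path == prefix or path.startswith(prefix + "/")) and len(prefix) > best:
                best, rights = len(prefix), r
        return rights

    def _record(self, user, action, path, allowed):
        self.audit_log.append({
            "when": datetime.now(timezone.utc).isoformat(), "user": user,
            "action": action, "path": path,
            "result": "allowed" if allowed else "denied"})

    def perform(self, user, action, path):
        """view / modify / print / email a document; every attempt is logged."""
        allowed = path in self.documents and action in self._rights(user, path)
        self._record(user, action, path, allowed)
        if not allowed:
            raise PermissionError(f"{user} may not {action} {path}")
        return self.documents[path]

    def listing(self, user, prefix):
        """Paths under prefix the user may view; anything else stays invisible."""
        return sorted(p for p in self.documents
                      if p.startswith(prefix + "/") and "view" in self._rights(user, p))

    def delete(self, user, path):
        """Deletion needs modify rights and goes to the recycle bin, not to oblivion."""
        allowed = path in self.documents and "modify" in self._rights(user, path)
        self._record(user, "delete", path, allowed)
        if not allowed:
            raise PermissionError(f"{user} may not delete {path}")
        self.recycle_bin[path] = self.documents.pop(path)
```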

Let me mention that not all document management software is created equally. Some developers – even potentially those who design EHRs – add this facet as an afterthought, a clunky add-on to their software.

You may be tempted to purchase the document management system because, on the surface, it goes along with systems you already have. Before you do that, I encourage you to try it out. If it’s not user friendly, look instead for a good universal document management system that can work with your current program. This can save you lots of headaches down the road, especially if an auditor is knocking at your door.

If you’re a medical provider in the Canton, North Canton, Akron or Youngstown area and need advice on good electronic document management practices, contact us.

Gearing Up for HIPAA Compliance Audits in IT, Part 5: Printer Log Management

Cleaning PHI from your copier and printer hard drives

I know one of the biggest concerns that HIPAA-Covered Entities may have right now – aside from the HIPAA audit itself – is how to ensure that PHI (protected health information) isn’t stolen or stored in a manner that doesn’t comply with the law.

As I continue my series on how to prepare for a HIPAA audit, I’ve invited John Sedlak, our manager of network and managed print services, to explain what you can do to protect PHI that may exist in the logs on your copiers and printers.

There are two ways to handle multi-function printer logs: proactively and reactively. Obviously, being proactive is always better, but sometimes you just need to know how to implement a fix after the fact, especially if an audit is in the works.

The proactive approach to handling electronic PHI:

If you’re going to purchase a new printer or copier, ask for a data security overwrite kit. Some dealers will automatically include this and others offer it as an option.

The overwrite kit “writes zeroes.” What that means is, each time you scan, print, copy or fax information, the application will scrub the temporary files on the hard drive, replacing that document’s stored binary code (ones and zeroes) with all zeroes, effectively erasing the document from the device’s storage.

If an auditor is looking at this feature (and you can be pretty sure they will), you’ll need to show them proof of purchase, along with a print-out of your system’s configuration page that shows how the overwrite kit works.
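To make “writes zeroes” concrete, here is an added Python example (mine, not part of any vendor’s overwrite kit or of the original post) that zero-fills a constructed spool file in place and then scans a file or drive image for chunks that still hold non-zero data, which is the kind of check you would run before trusting a sanitization claim.

```python
# Added illustration of what "writing zeroes" means and how to check for it
# (example code only, not part of any overwrite kit): zero-fill a spool file
# in place before deleting it, then scan an image for residual data.
import os
import tempfile


def zero_fill(path, chunk=1 << 16):
    """Overwrite every byte of a file with zeroes and flush it to disk."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for offset in range(0, size, chunk):
            f.write(b"\0" * min(chunk, size - offset))
        f.flush()
        os.fsync(f.fileno())
    return size


def residual_ranges(path, chunk=1 << 16):
    """Return (offset, length) of every chunk that still holds non-zero bytes."""
    found = []
    with open(path, "rb") as f:
        offset = 0
        while block := f.read(chunk):
            if any(block):            # at least one byte is not 0x00
                found.append((offset, len(block)))
            offset += len(block)
    return found


def demo():
    """Constructed spool file with a fake patient record buried past the first chunk."""
    tmpdir = tempfile.mkdtemp()
    spool = os.path.join(tmpdir, "scan-0001.tmp")
    with open(spool, "wb") as f:
        # 70000 zero bytes, then 34 bytes of constructed PHI, then 1000 zero bytes
        f.write(b"\0" * 70000 + b"PATIENT: DOE, JANE  DOB 01/01/1970" + b"\0" * 1000)
    before = residual_ranges(spool)   # the second 64 KiB chunk still holds data
    zero_fill(spool)
    after = residual_ranges(spool)    # nothing left to recover from the file body
    os.remove(spool)
    os.rmdir(tmpdir)
    return before, after
```

A clean scan of the live file is only half the story: deleted files and slack space on the drive also need to be zero, which is why the scan takes a raw image rather than a directory listing.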

The reactive approach to handling electronic PHI:

If your multi-function printer does not have an overwrite kit, you are leaving yourself somewhat vulnerable. Although it’s not easy to steal the information from the copier’s hard drive (crooks need special forensic software to interpret the data), you still want to make sure sensitive information is protected and/or truly deleted. In fact, you’ll probably need to prove this, which requires “hard drive sanitization.”

When you’re ready to get rid of a printer or copier, take it to a facility (hopefully, your dealer provides this service) where they follow strict guidelines for “scrubbing” hard drives properly. Then, be sure you get a letter or certificate of sanitization from the facility that clearly documents this. When the auditor asks, you can show them this proof.

If your office is located in Northeast Ohio (Canton, Akron, Youngstown and beyond) or Western Pennsylvania and would like to learn more about the data overwrite kits and hard drive sanitization services we offer, contact us for more information.