Checklist: Ensure Your Document Management Solution is HIPAA Compliant

If you are in any industry dealing with healthcare records, in particular school districts, you are well acquainted with the Health Insurance Portability and Accountability Act of 1996, or HIPAA. In order to protect the privacy of individuals receiving healthcare, this act guides virtually every aspect of information handling.

Any office that handles healthcare records for individuals, such as paperwork for employee health insurance, must ensure that the documentation is handled in compliance with HIPAA. Failure to comply may lead to fines and, in some cases, criminal charges.

Nowadays, many offices elect to use an electronic document management solution (DMS) to help ensure HIPAA compliance. Selecting the right DMS can be a vital part of ensuring an office is HIPAA compliant. However, not just any DMS will ensure you are HIPAA compliant.

In order for the DMS to be considered HIPAA compliant, it must meet the requirements listed by HIPAA. We will walk through the different requirements outlined in each section to help create a complete HIPAA compliant office.

Access Control

This term refers to software features that allow only authorized persons to access electronic protected health information. According to HIPAA, all DMS solutions must have the following security measures in place to be considered compliant with its regulations:

  1. Unique User Identification: Software must require verification of a user’s identity before allowing access to documents and information. This can be as simple as a password or PIN, or as high-tech as facial or voice recognition or fingerprint scanning.
  2. Automatic Logoff: The chosen DMS should automatically log users out after a set amount of inactivity. This prevents unauthorized access to information in case a user forgets to log out of the system.
  3. Encryption and Decryption: Data being shared across a network of any kind—public or private—must be encrypted both in transit and at rest. Though HIPAA does not specify an exact level of encryption required, you should look for a system with at least 256-bit encryption. This gives you the highest level of security possible for the data.

Physical Safeguards

The Physical Safeguards focus on physical access to healthcare records irrespective of their location. Healthcare records could be stored in a remote data center, in the cloud, or on servers located within the premises of the HIPAA covered entity. Companies must have physical barriers in place that prevent theft or loss of information, both from intentional attacks and from unforeseen natural disasters. The need for physical safeguards applies not only to the place of business, but also to the database server that the document management software uses, so you should ensure that the company hosting the data meets the following requirements:

  1. Data Backup and Storage: The DMS should automatically back up all of the information to a remote location, or a Cloud system. If the facility is damaged or lost to fire or a natural disaster, the data will still be preserved.
  2. Facility Security Plan: The facility hosting the server the DMS uses should have certain measures in place to protect its data storage devices. These measures should include the following:
    • Redundant power
    • Video surveillance
    • Limited access to servers
    • Fire suppression
    • Disaster recovery plans

Hosting data in cloud databases such as Microsoft Azure ensures all information scanned or imported into the DMS is safe, secure, and HIPAA compliant.

Administrative Safeguards

The Administrative Safeguards are the policies and procedures which bring the Privacy Rule and the Security Rule together. These requirements refer to the security measures used to regulate and monitor access to the documents and information. They add restrictions for access to more sensitive documents and help to ensure there are no unauthorized changes.

Here are the requirements that software needs to meet in order to be HIPAA compliant in this category:

  1. Login Monitoring: You should be able to monitor which users are accessing which documents, as well as check who made what changes to the information included. This means the DMS should include features like audit trails and file versioning.
  2. Access Authorization: HIPAA-compliant software should allow you to give different users different levels of access to documents and information. For example, an accountant wouldn’t have access to the same information that a CFO has, and a school’s secretary should have more limited access than the HR manager. Access and use should be limited to the “minimum necessary”—the absolute minimum amount of access needed for an employee to complete their duties, and nothing more.
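As an added example (not code from the article or from any DMS vendor), the following Python sketch shows how a document management back end could enforce the Access Control items above (unique user identification, automatic logoff) together with the Administrative Safeguards items (login monitoring via an audit trail, minimum-necessary access authorization) on every request. The roles, document classes, user directory and 15-minute idle timeout are assumed values chosen for illustration.

```python
# Added example, not the article's or any vendor's code. Users, roles, document
# classes and the idle timeout are all constructed values for illustration.
import hashlib, hmac, os
from dataclasses import dataclass, field

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy value; set per organization
ROLE_PERMISSIONS = {  # minimum necessary: a role sees only what its duties need
    "secretary": {"enrollment_form": {"read"}},
    "hr_manager": {"enrollment_form": {"read", "write"}, "health_insurance": {"read", "write"}},
    "accountant": {"insurance_invoice": {"read"}},
}

def make_credential(password):
    """Store a salted PBKDF2 hash of the password, never the password itself."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

@dataclass
class DocumentGate:
    users: dict  # user_id -> (role, salt, pbkdf2_hash): the constructed user directory
    audit_trail: list = field(default_factory=list)

    def _log(self, user, action, doc_class, outcome, now):
        self.audit_trail.append({"time": now, "user": user, "action": action,
                                 "doc_class": doc_class, "outcome": outcome})

    def login(self, user_id, password, now):
        """Unique user identification: a session exists only after a verified login."""
        # Unknown users get a dummy record so the check costs the same time either way.
        role, salt, expected = self.users.get(user_id, ("", bytes(16), bytes(32)))
        check = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        if not hmac.compare_digest(check, expected):
            self._log(user_id, "login", "-", "denied: bad credentials", now)
            return None
        self._log(user_id, "login", "-", "granted", now)
        return {"user_id": user_id, "role": role, "last_activity": now}

    def request(self, session, action, doc_class, now):
        """Grant or deny one document action; the decision is always logged."""
        user = session["user_id"]
        if now - session["last_activity"] > IDLE_TIMEOUT_SECONDS:
            self._log(user, action, doc_class, "denied: auto-logoff", now)
            return False
        allowed = ROLE_PERMISSIONS.get(session["role"], {}).get(doc_class, set())
        if action not in allowed:
            self._log(user, action, doc_class, "denied: not minimum necessary", now)
            return False
        session["last_activity"] = now  # activity extends the session
        self._log(user, action, doc_class, "granted", now)
        return True
```

The audit trail is what the "Login Monitoring" item asks for: every login attempt and every document action, granted or denied, is recorded with the user, the document class and the reason.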

All in All

For an office to be fully compliant with HIPAA’s security requirements, the document management solution must meet the standards for Access Control, Physical Safeguards and Administrative Safeguards.

However, the system will not be utilized properly if users do not follow the processes put in place. Use the training from the chosen DMS vendor to empower employees to follow the HIPAA compliant procedures.

Carry out comprehensive research for each DMS vendor to make sure it meets the requirements listed above. For more in-depth information for internal procedures, refer to: