If I put myself in the auditor’s shoes, there are several things I would look at closely when it comes to document management processes and PHI security in health care.

• Access to PHI. Best practice is to lock down employee access based on network ID – which is the same security as a domain login. So, when a person logs into the EHR or document management software, they are only granted access to very specific pieces of data. Make sure whatever system you are using allows you to restrict access at the category, folder and even document levels.
• Audit Trail. The best document management systems and EHRs will provide documentation of all actions associated with documents, categories and folders in real time. This audit log will let you see who looked at a document, who changed it, who printed it, who emailed it, etc. And, if someone intentionally or accidentally deletes a document, the system administrator can recover it easily.
• Server Management Component. This is the system’s security roadmap, and you should look at it carefully to ensure login permissions are right for who is allowed to view, modify, email and print PHI and  other documents. If someone doesn’t have access to a particular folder, then that person should not even be able to see that folder when logged into the document management system.
• Second Level of Security Passwords. Many good document management systems will offer another level of password protection above the network login. In most business environments, this isn’t necessary. But, if a HIPAA audit is imminent, it’s good if you have this avenue to explore.
• Internal Policies. These medical document management and EHR security safeguards are only as good as your network administrator and his or her network security. And, they are only as good as your internal policies and how seriously employees take them. For example, if people don’t think about logging in or out before sharing a work station, then you have a bigger problem that no e-security measure is going to fix.

Let me mention that not all document management software is created equally. Some developers – even potentially those who design EHRs – add this facet as an afterthought, a clunky add-on to their software.

You may be tempted to purchase the document management system because, on the surface, it goes along with systems you already have. Before you do that, I encourage you to try it out. If it’s not user friendly, look instead for a good universal document management system that can work with your current program. This can save you lots of headaches down the road, especially if an auditor is knocking at your door.

If you’re a medical provider in the Canton, North Canton, Akron or Youngstown area and need advice on good electronic document management practices, contact us.

As I continue my series on how to prepare for a HIPAA audit, I’ve invited John Sedlak, our manager of network and managed print services, to explain what you can do to protect PHI that may exist in the logs on your copiers and printers.

There are two ways to handle multi-function printer logs: proactively and reactively. Obviously, being proactive is always better, but sometimes you just need to know how to implement a fix after the fact, especially if an audit is in the works.

The proactive approach to handling electronic PHI:

If you’re going to purchase a new printer or copier, ask for a data security overwrite kit. Some dealers will automatically include this and others offer it as an option.

The overwrite kit “writes zeroes.” What that means is, each time you scan, print, copy or fax information, the application will scrub the hard drive (temp files), replacing that document’s associated binary code (ones and zeroes) with all zeroes, effectively erasing the document from the system’s memory.

If an auditor is looking at this feature (and you can be pretty sure they will), you’ll need to show them proof of purchase, along with a print-out of your system’s configuration page that shows how the overwrite kit works.

The reactive approach to handling electronic PHI:

If your multi-function printer does not have an overwrite kit, you are leaving yourself somewhat vulnerable. Although it’s not easy to steal the information from the copier’s hard drive (crooks need special forensic software to interpret the data), you still want to make sure sensitive information is protected and/or truly deleted. In fact, you’ll probably need to prove this, which requires “hard drive sanitation.”

When you’re ready to get rid of a printer or copier, take it to a facility (hopefully, your dealer provides this service) where they follow strict guidelines for “scrubbing” hard drives properly. Then, be sure you get a letter or certificate of sanitation from the facility that clearly documents this. When the auditor asks, you can show them this proof.

If your office is located in Northeast Ohio (Canton, Akron, Youngstown and beyond) or Western Pennsylvania and would like to learn more about the data overwrite kits and hard drive sanitation services we offer, contact us for more information.

In my ongoing blog series about this complex topic, I am focusing a good bit on the responsibilities of Business Associates as defined by HIPAA and HITECH because that is our biggest area of concern at Graphic Enterprises. Our office equipment – including many different models of Konica Minolta printers and copiers, as well as associated electronic document management systems – is hard at work in many health care offices throughout Ohio and Pennsylvania; documents containing PHI (protected health information) are scanned, printed, faxed and emailed every day. And, I expect to hear from those offices in the coming months, asking us to provide detailed information about how our office equipment meets the requirements of the Security Rule.

Whether you currently use a multi-function printer or copier – or are in the process of looking for a new one – as a HIPAA-covered entity you should work closely with your vendor or dealer to make sure your equipment has these critical security features:

• Access control, either device-based or network-based. This ensures that only the people who should be looking at PHI will have access to PHI in electronic or paper format.
• Automatic logoff, which ensures that every user is logged off soon after using the printer, minimizing accidental or intentional viewing of PHI.
• Authentication via login at the operation panel or with a smartcard, HID card or biometrics.
• Emergency access to data for situations where systems crash or PHI has been breached.
• Audit logging, so you can follow the trail of all PHI that has passed through the printer.
• Encryption to minimize PHI breaches.
• Integrity so that you can be certain that PHI and other information is complete, accurate, valid, etc.

In some cases, your office equipment may already have these features built in, so all you have to do is make sure they are all “turned on” and functioning properly. If your copier or printer does not provide these safeguards, it’s time to look for a new model. Medical offices in Canton, North Canton, Akron, Youngstown and beyond are welcome to contact us for help with office equipment security features.

As a Business Associate of many Covered Entities in Northeast Ohio – including hospitals, physician offices, clinics and more in Canton, North Canton, Akron, Youngstown and beyond – the team at Graphic Enterprises recognizes the importance of performing a HIPAA security risk analysis (in fact, the Security Rule requires it), as it pertains to our customers and equipment.

To get everyone in our organization on the same page, we’ve devised this introductory checklist. Of course, as we get a better grip on this whole process, this checklist will probably change somewhat. However, I hope by sharing it, we can help you get started with your own HIPAA risk analysis.

1. Start with the basics. Under HIPAA, providers are required to review and update all policies, procedures and protections surrounding PHI. If you do not have a policy, now would be a very good time to draft one and have it scrutinized by legal counsel.
2. The buck stops here. Designate someone in your organization to lead the risk assessment and, subsequently, the risk management process. This person should have a good understanding of both the technical (I am talking about systems) and the non-technical aspects of health care compliance.
3. Examine the flow of PHI in the real world. Things always look good on paper, right? But, what path(s) does patient information follow in your office or organization on a day-to-day basis? There are three key areas you should be scrutinizing for threats, vulnerabilities, risks and exposures: administrative procedures, physical safeguards, and technical standards and mechanisms. The U.S. Department of Health and Human Services (HHS) provides recommendations in its document, Guidance on Risk Analysis Requirements Under the HIPAA Security Rule. Just a bit of fun bedtime reading, right? (Hint: you will want to do a deep dive into the sections that talk about addressable controls.)
4. Create a spreadsheet. I love a good spreadsheet for keeping track of all the details of my business, and there are sure to be many, many details involved in this HIPAA risk analysis. You will need a good way to keep track of them.
5. Carefully scrutinize business associate contracts. At the end of the day, a Covered Entity is responsible for patients and their PHI. So, you want control over any PHI you may need to give a business associate, as well as legal recourse should the business associate allow a breach. Every business associate contract should contain an indemnification provision. Again, I recommend that you seek legal counsel on this issue.
6. Document everything. Need I say more? This will be especially important when you complete the assessment and begin the management part.
7. Keep things fresh. This is not a set-it-and-forget-process. You may have no way of knowing when you will be audited by the OCR. Therefore, you need to make sure you complete a risk analysis and management process at regular intervals, just in case.

Let me know how your HIPAA audit preparation is going. I welcome your comments and input. After all, we are all new at this.

Having a vinyl banner made professionally can be expensive, especially if you do not need it for a long period of time. A color banner that’s printed on a Konica Minolta looks truly impressive and is simple and cost-efficient to make. I have invited our trainer Mike Irwin to provide a step-by-step guide for you.

1. Purchase Pre-Cut Banner Paper First
The 11-in. x 40-in. banner is the most common size made with a Konica Minolta copier. The paper comes pre-cut and is available in a variety of weights. I usually recommend the heavier stock because it’s quite durable. Order here!

2. Create Your Banner in Microsoft Publisher or a Similar Program
The second thing you’ll need to do is create your banner in some type of desk top publishing program. Microsoft Publisher is common in an office setting and very easy to use. Create a custom size banner (11″ x 40″) from the blank page template and not from one of the templates as this is a different type of banner. After the banner looks exactly how you want it to look, save it.

Note: before you can print a banner, you’ll need to pre-program the 11-in. x 40-in. size and name it “banner” in your print driver. I will explain how to do this in a future blog post.

3. Put Your Konica Minolta into Banner Mode
On the Konica Minolta control panel, choose Utility/Counter. On the the touch screen select banner printing, select “allow” and then press OK. The copier is now in banner printing mode and cannot be used for anything else.

In fact, unlike other features, there is no automatic “time-out” with banner mode. The printer will stay in banner mode until you exit it. So, before you take this step, it’s a good idea to make sure no one else needs the copier for any other type of printing.

4. Send the Banner to the Printer
Click on print options/properties and choose the correct size paper (pre-programmed “banner”). Then, send your banner to the printer. You must do this before loading any type of paper into the bypass tray. The Konica Minolta must receive the entire file before it will be ready to print.

5. Load the Banner Paper into the Bypass Tray 
Once the printer gets the entire file, the touch screen will prompt you to load the end of the pre-cut banner paper into the bypass tray. You will need to hold the other end of the banner up. The “complete” button (lower right-hand corner of the control panel) will light up when the end of the banner paper is placed properly into the tray.

6. Press the Complete Button and Let the Copier Do Its Work
When the complete button lights up, press it. The printer will pull the paper in slowly; you can gradually let the other end go. The finished product will come on on the finisher tray or, if you don’t have one, on the middle tray. Support the banner as it comes out.

7. Exit Out of Banner Mode
Just click on the exit option. The copier will return to its normal function.

This banner-printing feature is perfect for schools, churches, print shops and more. And, in all the organizations throughout Canton, North Canton, Green, Akron and Youngstown where I’ve trained people to use it, they love it! The quality is phenomenal.

If you’d like to learn more about how to use your Konica Minolta printer, contact us.

If you are a small business owner – or manage a small office, say at a church, physician practice or manufacturing plant – you often can not afford an in-house IT staff or specialist, and you may think outsourcing business computer services is too costly for your budget. But what would happen to your productivity, deliveries, record-keeping and other vital information if you had no way to access it or repair a major problem?

If any of the following seven signs apply to your business, then I encourage you to think seriously about finding a good third-party IT services provider:

1. Your computers and your network are running more and more slowly. This is a big red flag, of course, and usually indicates that a crash is imminent. Continuing to put up with it means inefficiency at best and the potential for losing critical data at worst.
2. You call your nephew when things go wrong. Although your nephew may be a “genius” when it comes to writing website code, he may not have the experience or know-how to fix your particular systems and hardware.
3. You have no back-up strategy or disaster recovery plan. If your data is not protected in the event of a systems malfunction or (worst case scenario) a natural disaster of some kind, you stand to lose whatever you’re tracking with your computers. For most organizations, that’s everything!
4. You are not keeping up with IT updates or using the latest operating systems. If you keep ignoring system updates and upgrades, eventually that will catch up with you. Programs will no longer function or integrate with other, more advanced software and web-based technology.
5. You are not confident that your network is virus free. Do your computers do “funny things” or seem to have a lot of glitches? If yes, you could have a potentially dangerous virus in your system that can damage or destroy your data.
6. You’ve outgrown the capabilities of your current network. When your operation grows, the technology must grow with it. If not, you stand a good chance of disappointing customers or missing critical deadlines because your equipment and systems can not keep up.
7. Your network is unsecured. In a time when data and identity theft are common, you simply can not afford to leave potentially sensitive information unprotected.

If you recognize any of these signs at your business or organization, you are definitely at risk and need to work with a reputable, affordable computer service provider. The company you choose should be well-versed in taking care of assessments, disaster recovery plans, printers and copiers, virus and malware elimination, network and phone cabling, ISP consulting, preventive maintenance and more.

Do you own a small business or manage an office in Northeast Ohio, including Canton, North Canton, Massillon, Akron, Youngstown and beyond? If yes, Graphic Enterprises can help you with IT services. Contact us for more information.

I’m sure you’re already quite familiar with the term “business associate” and what types of vendors fall into this category (service providers, vendors and third parties that support covered entities). Graphic Enterprises is a dealer of Konica Minolta copiers, printers and document management systems for organizations in Northeast Ohio and Western Pennsylvania; as such, we come under scrutiny because ePHI often passes through our equipment and systems. And we’re just one type of business associate you need to consider. I’m sure you’ve got third-party health plan administrators, CPAs and attorneys, consultants, transcriptionists, pharmacy benefits managers and others in your sights.

So, in the midst of all this headache, what’s the upside for you? It may be a great opportunity for you to get the security upgrades and controls you’ve been requesting for years.

Before HITECH, all the privacy and security requirements between covered entities and business associates were handled via contractual agreements. Historically, the major problem with those agreements was that things were kind of “loosey goosey,” with few standards and criteria to aim for. Now, the responsibilities of a business associate are more defined, as are the liabilities:

• Security breach notification requirements
• Cure, terminate or snitch obligations
• PHI disclosure accounting

We recognize our obligations to provide detailed information about how our products, systems and services meet the requirements of the HIPAA Security Rule. As the one in charge of IT for a covered entity, you have a right and a duty to ask for it. And, in the process, we hope you are given the chance to make your internal health IT systems better than ever!

If you’re part of a HIPAA-covered entity, what kinds of safeguards and security controls are you requiring business associates to document? And, how can a business associate like Graphic Enterprises make audit compliance easier for you?

The North Canton Chamber loves the Biz Hub! This is our second unit and we keep it busy printing the monthly newsletter, statements, flyers and as-needed stationary. The superb quality of both color and black and white copies, ease of operation and reliability make it one of our favorite office machines.

Doug Lane, President
North Canton Area Chamber of Commerce

This year, the U.S. Department of Health & Human Services (HHS), via its Office for Civil Rights (OCR), launches the first HIPAA compliance audits ever conducted. (It only took them 16 years!) The OCR is planning audits of 150 HIPAA-covered entities in 2012, including hospitals, physician and dental offices, labs, nursing homes and pharmacies. Security compliance will be a major part of the audit, and, in today’s world, that rests heavily on IT folks.

I recently read an article that describes information security as the Achilles heel of PHI. Unsecured storage devices, portable devices and the concept of BYOD (bring your own device) make data loss via theft or computer failure a very real issue – and a headache for any health care IT department. Plus, under HITECH, liability for a PHI breach is extended to business associates (i.e. third-party vendors, suppliers, consultants, contractors, etc.). So, if you’re in IT, you have to think about systems security with any business associate you work with.

I know Graphic Enterprises will be considered a business associate by many of our health care customers in Ohio and Pennsylvania who use the copiers, printers and document management systems we provide. In many cases,  our equipment and software play a critical role in both HIPAA and HITECH issues and objectives.

If you’re reading this, chances are good that you’re not among the first 150 entities that are being audited this year. But, you can be sure you’ll eventually be under the microscope.

So, in this series of blog posts about HIPAA compliance audits, I want to help you get ready by discussing some of the IT security issues that face the health care industry and how you can minimize your risk – particularly with business associates and the use of copiers, printers, multi-function printers and document management systems.

Even though going paperless may be a goal your business is working toward, I’m betting you aren’t quite there yet. And, even if you do some type of electronic document management, perhaps your efforts are scattered across several different platforms.

I’ve invited Chip Reihl, our sales manager, to share a solution that can get you closer to a paperless workplace and help you better organize all incoming and outgoing documents.

With the capabilities of a copier, printer, fax machine, scanner and more, Konica Minolta’s line of Bizhub multi-function copiers can become the hub of your communication as it relates to paper and technology – in other words, a virtual onramp and offramp for your business. All your printed materials come off, and every hard copy that needs to be an electronic image can be added on in seconds.

In fact, the scanning technology works at the speed of the 78-page-per-minute document feeder, even if you’re only copying 20 pages per minute. Bizhub also offers electronic document routing (so you can skip printing stuff out) and seamlessly integrates with apps and architectures that, for example, can automatically turn scanned pages into Word documents or PDFs. The easy-to-use control panel ties everything together.

My customers often tell me how great the Bizhub prints look, too – like originals, in fact. That’s thanks to Konica Minolta’s advanced microtoning process.

For your IT department (or person), Bizhub comes complete with all the tools you need to connect it to your network, where printing volumes, supplies and service can all be automatically monitored. Some sophisticated features include biometric access and user authentication.

Bizhub really is a one-stop shop for document workflow. Perhaps it’s the document workflow solution you’ve been looking for. If your business is located in or near Canton, Akron, Youngstown or even to the west of Pittsburgh, contact us for more information about Bizhub.