Gearing Up for HIPAA Compliance Audits in IT, Part 6: Document Management
A good electronic document management system is an essential part or complement to an electronic health record (EHR), as well as a copier or printer. Let us be honest – as much as you might want to deal only with e-documents, you will need to handle paper for the foreseeable future. So, if you are facing a HIPAA audit, it is essential to make sure that paper records are handled with as much care as digital ones. In my continuing series on preparing for these new HIPAA audits, I have invited Dennis Porter, our document management expert, to cover issues related to document management, EHRs and PHI (protected health information).
If I put myself in the auditor’s shoes, there are several things I would look at closely when it comes to document management processes and PHI security in health care.
- Access to PHI. Best practice is to lock down employee access based on network ID – which is the same security as a domain login. So, when a person logs into the EHR or document management software, they are only granted access to very specific pieces of data. Make sure whatever system you are using allows you to restrict access at the category, folder and even document levels.
- Audit Trail. The best document management systems and EHRs will provide documentation of all actions associated with documents, categories and folders in real time. This audit log will let you see who looked at a document, who changed it, who printed it, who emailed it, etc. And, if someone intentionally or accidentally deletes a document, the system administrator can recover it easily.
- Server Management Component. This is the system’s security roadmap, and you should look at it carefully to ensure login permissions are right for who is allowed to view, modify, email and print PHI and other documents. If someone doesn’t have access to a particular folder, then that person should not even be able to see that folder when logged into the document management system.
- Second Level of Security Passwords. Many good document management systems will offer another level of password protection above the network login. In most business environments, this isn’t necessary. But, if a HIPAA audit is imminent, it’s good if you have this avenue to explore.
- Internal Policies. These medical document management and EHR security safeguards are only as good as your network administrator and his or her network security. And, they are only as good as your internal policies and how seriously employees take them. For example, if people don’t think about logging in or out before sharing a work station, then you have a bigger problem that no e-security measure is going to fix.
Let me mention that not all document management software is created equally. Some developers – even potentially those who design EHRs – add this facet as an afterthought, a clunky add-on to their software.
You may be tempted to purchase the document management system because, on the surface, it goes along with systems you already have. Before you do that, I encourage you to try it out. If it’s not user friendly, look instead for a good universal document management system that can work with your current program. This can save you lots of headaches down the road, especially if an auditor is knocking at your door.
If you’re a medical provider in the Canton, North Canton, Akron or Youngstown area and need advice on good electronic document management practices, contact us.