HIPAA Compliance: Protect Confidential Records with Document Management Software

According to The U.S Department of Health & Human Services (HHS), to improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, included Administrative Simplification provisions that required HHS to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security.

At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.

If you deal with patient or client health records, you are well acquainted with HIPAA, a regulation act that guides virtually every aspect of information handling. 

The list is divided into three primary sections: Access Control, Physical Safeguards, and Administrative Safeguards.

Access Control

The term “access control” refers to software features that help prevent unauthorized access to information. According to HIPAA, all DMS solutions must have the following security measures in place in order to be considered compliant with their regulations:

Unique User Identification: Software must require verification of a user’s identity before allowing access to documents and information. This can be as simple as a password or PIN, or as high-tech as facial or voice recognition or fingerprint scanning.

Automatic Logoff: Your chosen DMS should automatically log users out after a set amount of inactivity. This prevents unauthorized access to information in case a user forgets to log out of the system.

Encryption and Decryption: Data being shared across a network of any kind—public or private—must be encrypted both in transit and at rest. Though HIPAA does not specify an exact level of encryption required, you should look for a system with at least 256-bit encryption. This gives you the highest level of security possible for your data.

Physical Safeguards

Companies must have certain physical barriers in place that prevent theft or loss of information, both from intentional attacks and unforeseen natural disasters. The need for physical safeguards applies not only to your place of business, but to the database server that your document management software uses, so you should ensure that the company hosting your data meets the following requirements:

Data Backup and Storage: Your DMS should automatically back up all of your information to a remote location, or a Cloud system. If the facility is damaged or lost to fire or a natural disaster, your data will still be preserved.

Facility Security Plan: The server your DMS uses should take certain measures in place to protect their data storage devices. These measures should include the following:

  • Redundant power servers

  • Video surveillance

  • Limited access to servers

  • Fire suppressant

  • Disaster recovery plans

These are just a few of the systems the server host should have in place in order to ensure that your data is physically protected as well as electronically secure.

Administrative Safeguards

These requirements refer to the security measures used to regulate and monitor access to your documents and information. They add restrictions for access to more sensitive documents and help to ensure there are no unauthorized changes. Here are the requirements that software needs to meet in order to be HIPAA compliant in this category:

Login Monitoring: You should be able to monitor which users are accessing which documents, as well as check who made what changes to the information included. This means your DMS should include features like audit trails and file versioning.

Access Authorization: HIPAA-compliant software should allow you to give different users different levels of access to document and information. For example, the data entry employees in the billing department shouldn’t have access to the same information that an individual’s physician has, and a business’s secretary should have more limited access than the HR manager. Access and use should be limited to the “minimum necessary”—the absolute minimum amount of access needed for an employee to complete their duties, and nothing more.

Information Courtesy of:  hhs.gov  


Article Type: