HIPAA Records Management

PDF version of this report
You must have Adobe Acrobat reader to view, save, or print PDF files. The reader
is available for free

HIPAA Records Management

by James G. Barr

Docid: 00011307

Publication Date: 1808

Report Type: TUTORIAL


Perhaps the most prominent of US
privacy regulations, HIPAA, or the Health Insurance Portability and
Accountability Act of 1996, requires that health plans, health care
providers, health care clearinghouses, and other "covered entities"
ensure the confidentiality, integrity, and availability of all
electronic Protected Health Information (ePHI) created, received,
maintained, or transmitted. Records management – and, in particular,
electronic records
management – is a key component of the legislation.

Report Contents:

Executive Summary

[return to top of this report]

Perhaps the most prominent of US privacy
regulations, HIPAA, or the Health Insurance Portability and Accountability Act
of 1996, requires that health plans, health care providers, health care
clearinghouses, and other "covered entities" ensure the confidentiality,
integrity, and availability of all electronic Protected Health Information (ePHI)
created, received, maintained, or transmitted.

Faulkner Reports
HIPAA Compliance Software Tutorial
Ensuring Privacy and Security for Medical Information Systems Implementation

The goal of HIPAA is to facilitate the transition to electronic
record-keeping as a means of

  • Lowering the cost of health care

  • Improving patient care by rendering medical records more accessible.

The HIPAA Rules include:

  • The Privacy Rule, which protects the
    privacy of individually identifiable health information.

  • The Security Rule, which sets national
    standards for the security of electronic Protected Health Information (ePHI).

  • The Breach Notification Rule, which
    requires covered entities (CEs) and business associates (BAs) to notify
    affected individuals and federal authorities following a breach of unsecured
    Protected Health Information (PHI).1


Since penalties for HIPAA non-compliance are severe, many – if not most
– healthcare providers invest in an electronic records management system

An ERMS is generally considered a foundational element for establishing
a HIPAA-compliant healthcare IT infrastructure. By
centralizing information into an ERMS, organizations can enact a
uniform approach to role-based security. Extensible retention
management programs can be leveraged to properly store, archive, and
destroy information, while audit trails can determine who performed what action, when, and on what piece of

ERMS strategies must accommodate both physical and electronic records
management. Although more patient information is becoming digital, some is still based on paper documents and film images. It is
expected that these hybrid record environments will persist for the
foreseeable future, and ERMSs must be able to support them. Those healthcare
organizations (HCOs) that implement an ERMS will be able to take advantage of a series of
significant benefits. Among the most prominent capabilities that an
ERMS provides are:

  • Cost reduction;
  • Improved patient care;
  • Greater physician satisfaction; and of course,
  • Regulatory and audit

factor that impacts the use of ERMSs is the 2009 Health Information Technology for Economic and
Clinical Health (HITECH) Act. The HITECH Act includes incentives for physicians’ adoption
“meaningful use” of electronic health records (EHR) under Medicare and Medicaid.


[return to top of this report]

A not-for-profit professional association dedicated to the topic of
managing records and information, ARMA (formerly the Association of Records
Managers and Administrators) defines records management as
“the systematic control of records throughout their life cycle” and
further defines records as “the evidence of what an organization does”
by capturing its business activities and transactions.

ISO 15489-1:20012: "A record is information created, received, and
maintained as evidence and information by an organization or person, in
pursuance of legal obligations or in the transaction of business." Note
that the idea of a record is tied to legal obligations and the
transaction of business. Table 1 depicts the four
characteristics of a record.

Table 1. Four Characteristics of a Record




record must be what it purports to be.


record must be complete and unaltered.


record must be a full and accurate representation of the transactions,
activities, or facts to which it attests.


record must be able to be located, retrieved, presented, and interpreted.

are the basis for establishing HIPAA-compliant systems. Although a
HIPAA-compliant ERMS is necessary, healthcare providers should be aware
that a significant organizational effort is also required to define,
publish, and enforce related policies and procedures. A HIPAA-compliant
ERMS uses computer equipment and software to manage digitized and
non-digitized records according to accepted principles and practices of
records management.

seeks to establish standardized mechanisms for electronic data
interchange (EDI), security, and the confidentiality of all
healthcare-related data. The Act mandates standardized formats for all
patient health, administrative, and financial data; unique identifiers
(ID numbers) for each healthcare entity, including individuals,
employers, health plans, and healthcare providers; and security
mechanisms to ensure confidentiality and data integrity for any
information that identifies an individual. The push to ensure HIPAA
compliance at HCOs has made implementation of privacy and security
rules a critical task for hospitals and medical centers. These
regulations have prompted providers to ensure that they are equipped with
the most effective capabilities to protect the confidentiality,
integrity and availability of health information.

all healthcare organizations (HCOs) must comply with the Transaction
Rule and Privacy Rule implemented as part of HIPAA, which relates to
the standardization of healthcare-related information systems. One of
its key drivers is to provide the minimal and necessary level of
confidential patient data to the healthcare community and other
people/organizations requiring access to such information.

Typical HIPAA ERMS functions include:

  • Marking electronic documents or records as read-only.
  • Protecting stored medical records against unauthorized access, modification, or tampering.
  • Ensuring
    that identifying information of individuals is available only to those
    who legitimately need it for use in treatment, payment, or
    operations. This information includes names, addresses, dates,
    telephone or fax numbers, e-mail addresses, Social Security numbers,
    medical record or health plan numbers, and any other data that has the
    potential to identify an individual.
  • Categorizing and filing records according to an organizational taxonomy.
  • Assigning,
    freezing, or unfreezing archival and/or disposal/destruction rules.
    HIPAA requires that medical records must be retained for a set amount
    of time, typically six years.
  • Executing disposal processing.
  • Maintaining
    organizational/historical metadata that maintains the business context
    of the record in the case of organizational change.
  • Maintaining a history or audit trail of each record.

of maintaining a healthcare ERMS fall into categories of compliance and
cost reduction, as well as other benefits. Legal, regulatory, and audit
compliance benefits include:

  • Meeting HIPAA requirements.
  • Reduced legal risks, resulting from reduced medical errors and better accounting.
  • Faster, more accurate response to and tracking of requests for release of information.
  • Improved compliance with government initiatives, including public health surveillance and reporting.
  • Fewer resources required.
  • Faster performance of audits.
  • Identification of actual and potential segregation of duties to avoid conflicts.
  • Authenticity and reliability of records.
  • Roles-based record integrity and security.
  • Compliance with records retention/destruction rules.
  • Easing of record comparisons for investigative or analytic purposes.

Cost reduction benefits of a healthcare ERMS include:

  • Lower administrative overhead for filing, tracking, and retrieving paper.
  • Less need to maintain duplicate (paper and digital) ERM systems.
  • Decreased paper usage, resulting in lower physical storage costs.
  • Reduced duplication of medical tests, resulting in improved quality of patient care.
  • Decreased accounts receivables and Medicare denials due to more efficient billing cycles.
  • Lower
    discovery compliance costs for billing dispute resolution,
    claims/authorization adjudication, regulatory compliance, and audit

Other benefits of a healthcare ERMS include:

  • Easy, secure roles-based access for any legitimate user to any required data at any time from anywhere.
  • Record retrieval based on keywords, categories, or contents.
  • Rapid
    and easy record locating and retrieval for billing dispute resolution,
    claims authorization and adjudication, regulatory compliance, and audit
  • Easy record reclassification due to changes in taxonomies or regulations.
  • Simultaneous record access by multiple users.
  • Single query viewing of all records related to a patient’s medical history, treatment, and billing.
  • Quick,
    accurate record retrieval, resulting in improved treatment, reduced
    patient length of stay, and higher physician satisfaction.
  • Reduction in searches for relevant paper documents, resulting in greater staff efficiency across departments.

Current View

[return to top of this report]

organizations have worked to meet HIPAA standards, ERMSs have become a
solid foundation for establishing a HIPAA-compliant environment. HCOs,
including hospitals, doctors’ offices, insurance companies, health
maintenance organizations (HMOs), preferred provider organizations
(PPOs), medical labs, and others, can be for-profit, non-profit, or
not-for-profit, but they all have a common denominator; they all carry
confidential patient information that must be protected. Compliance
must be established and maintained within each organization and
HIPAA-compliant confidentiality must be maintained when information is
shared between organizations.

have traditionally distributed confidential information across a
collection of different mediums. Patient medical records such as
waivers, charts, audio files, photographs, notes, and other
confidential information types can be stored on network drives,
devices, local hard drives, picture archiving and communication systems
(PACS) such as X-ray equipment and, of course, within physical paper
documents. While central files existed, the lack of secure control, along
with inappropriate information access, ultimately served as
catalysts for the HIPAA initiative.

ERMSs accommodate almost every information type. PACS and ERMS content
is normally accessed in a consolidated, or “joined,” fashion through a
centralized medical record system (MRS). Those MRSs are normally the
transactional backbone behind a HCO, dealing with the patient’s billing
information, which is typically more structured than other data. In some cases, the
medical record systems may embed documents directly into the database. A well-mapped security infrastructure must
exist between the MRS, ERMS, and PACS platforms. In the absence of any
common security model or synchronization, users must deal with a
multitude of login IDs, which can lead to a lot of complexity and a
possible gap in HIPAA compliance.

all of those systems, HIPAA mandates that access to confidential
information be role-based. Only individuals who serve in designated
capacities or roles can see the patient’s confidential information.
Additionally, detailed audit trails must be maintained regarding how
information is accessed and by whom. Finally, information maintained in
the ERMS must be systematically destroyed in accordance with all state
and/or federal retention requirements.

all of those reasons, ERMS technology serves as an important vehicle for
HIPAA compliance within an HCO. Centralizing information into the ERMS
means that a uniform approach to role-based security can be used;
extensible retention management programs can be leveraged to properly
store, archive and destroy information; and audit trails can be fully
employed to determine who has performed what action, when, and on what
piece of information.

ERMS technology is central as a means to ensure HIPAA compliance, it
is also important to note that HCOs achieve immediate, tangible
benefits by being able to find and retrieve information more quickly.
HIPAA specifically mandates retrieval times of no more than 30 days for
on-site records, and 60 days for off-site records. ERMS metadata can
also help in the patient coding standards implemented by HIPAA. Most
medical facilities have internal codes that are used for treatment and
billing purposes, and HIPAA standardizes these codes as well. ERMS
metadata allows the codes to be used and searched on as part of the
storage and retrieval process, which can form the basis of a
cost-justification an HCO ERMS investment.

While HIPAA has been implemented gradually, many healthcare providers still have
difficulty with compliance. Although there are many reasons why compliance is difficult to achieve and maintain, the most common is a lack of resources.

HIPAA-Compliant Records Management System

According to eFileCabinet, a HIPAA-compliant records (or document) management system
will feature the following:

  • "A Secure Database – Encryption of the documents … is a necessity.
  • "Backup of the database
    protects documents from loss in the case of system and server failure.
  • "Client Portal
    – Much safer
    than email, a client portal allows for secure sharing of documents with patients and
    insurance companies.
  • "Automated Retention is a
    must for compliance. HIPPA
    requires that active employee records be maintained the duration of the
    employees employment and for seven years after an employee’s termination.
  • "Role Based Security – Employee records should only be accessible by HR personnel. In addition,
    accounting and payroll functions records should not be accessed by general
  • "Audit Trails allow for
    tracking of every action taken … and should only be
    available to top level administrators."


[return to top of this report]

Any effective healthcare ERM strategy must include best
practices for managing both physical and digitized data. To accommodate
the ever-growing volume of information and to integrate it with
evolving digital data management solutions, an optimal ERM solution
will have to address several key requirements. The critical needs of a
healthcare ERMS are:

  • A strong indexing approach.
  • Extensive
    metadata that provides detailed descriptions of the health records
    contents so that users can quickly and easily determine what is
    contained in the records without having to access the information
  • Role-based
    metadata, record, and field-level security. Doctors, for example, need
    access to much more detailed information than do accounting or
    administrative users.
  • Extensive status tracking of records and record components for accurate audit trails or accounting of disclosures, including:
    • When and by whom they were checked out.
    • Who revised them, when, and in what fashion.
    • Their current location at any time.
    • “Intelligent” archiving, retention, and destruction rules.
    • Scalability,
      with the ability to handle both new information types and increased
      volume due to mergers or cooperative alliances with other healthcare

evolution of healthcare records management and the emergence of fully
electronic health records will continue to force changes in healthcare
workflows and professional roles. Healthcare information managers need
to plan proactively for the design and implementation of these systems.

requirements for providing a true information interchange that
accommodates all the necessary security parameters defined under HIPAA
are convoluted and complex. Issues such as consistent
password length and expiration, as well as staff role changes, are
incredibly challenging across HCOs. Additionally, no process for
ensuring the simultaneous archiving and destroying of duplicate records
stored in two systems currently exists. At this time, HCOs are only
concerned about the process as it relates to information stored within
their own systems, even if it was obtained from, or sent to, another
HCO. The process for archiving or destroying the matching data in the
system-of-origin is seen as “not their problem."

Web services are currently being developed, standardized, and
shared for the exchange of information across healthcare ERM systems.
Although such technology may help to facilitate the automated exchange of
information between HCOs and the synchronous archiving and destroying
of the same records within multiple environments, a significant effort
will still be required to ensure that security and metadata mapping
maintain the proper level of integrity.

Covered Entities and Business Associates

The HIPAA rules apply to covered entities and business associates.

Covered Entities include

  • Health Care Providers, such as Doctors, Clinics, Psychologists, Dentists, Chiropractors, Nursing Homes,
    and Pharmacies, but only if they transmit any
    information in an electronic form in connection with a transaction for
    which HHS has adopted a standard
  • Health Plans, such as Health Insurance Companies, HMOs, Company
    Health Plans, and Government Programs that pay for health care, for example,
    Medicare, Medicaid, and the military and
    veterans health care programs.
  • Health Care Clearinghouses, or entities that process
    nonstandard health information they receive from another entity into a
    standard (i.e., standard electronic format or data content), or vice

Business Associates are companies or organizations that operate on
behalf of covered entities.

While observing that "some of the largest [reported HIPAA] breaches
have involved [HCO] business associates," on January 17,
2013, HHS announced a final omnibus rule that extends many of the HIPAA
privacy and security requirements to organizations (HCO contractors and
subcontractors) that receive protected health information. Plugging what many consider a significant regulatory loophole, HCO
business associates must now amend their records management processes to
accommodate a more rigorous HIPAA compliance regime.

Under the new Privacy Rule, "covered entities
that engage business associates to work on their behalf must have contracts or
other arrangements in place with their business associates to ensure that the
business associates safeguard protected health information, and use and disclose
the information only as permitted or required by the Privacy Rule."

Similarly, according to the new Security Rule,
"covered entities must have contracts or other arrangements in place with their
business associates that provide satisfactory assurances that the business
associates will appropriately safeguard the electronic protected health
information they create, receive, maintain, or transmit on behalf of the covered

HIPAA Rules Are Enforced

Healthcare organizations should proceed in the certain knowledge that HIPAA
compliance is monitored and enforced.

In June 2018, a Department of Health and Human Services (HHS) Administrative Law Judge (ALJ)
ruled that The University of Texas MD Anderson Cancer Center (MD Anderson)
violated HIPAA Privacy and Security Rules, requiring MD Anderson to pay $4,348,000 in civil
money penalties to the Office for Civil Rights (OCR).

OCR investigated MD Anderson following three separate data breach reports in
2012 and 2013 involving the theft of an unencrypted laptop from the residence of
an MD Anderson employee and the loss of two USB drives containing the unencrypted electronic
protected health information (ePHI) of more than 33,500 individuals. OCR’s
investigation found that MD Anderson had written encryption policies going as
far back as 2006 and that MD Anderson’s own risk analyses had found that the
lack of device-level encryption posed a high risk to the security of ePHI.
Despite the encryption policies and high risk findings, MD Anderson did not
begin to adopt an enterprise-wide solution to implement encryption of ePHI until
2011, and even then it failed to encrypt its inventory of electronic devices
containing ePHI between March 24, 2011 and January 25, 2013.

General Data Protection Regulation

The EU GDPR may soon rival HIPAA as a leading healthcare data protection

As of May 25, 2018, any organization responsible for collecting, processing,
or storing data – including medical data – belonging to the citizens of the
European Union must comply with the EU General Data Protection Regulation (GDPR).
To facilitate this process, the HIPAA Journal has assembled a list of HIPAA-relevant
GDPR requirements. These include:

  • "Has your organization compiled a list of the personal data it holds,
    the sources of that data, who you share the data with, what you do with it,
    and how long you will keep the data for?
  • "Has your organization compiled a list of where personal data is kept
    and how data flows between these places?
  • "Has your organization conducted a risk assessment of its security
    mechanisms, ensured any weaknesses or vulnerabilities are addressed and
    trained employees to be aware of data protection?
  • "If your organization operates outside the EU, have you appointed a
    representative within the EU who will be responsible for reporting data
  • "Has your organization put a contract in place with data processors
    and sub-processors to ensure you are informed of any data breaches?
  • "Has your organization put mechanisms in place to allow individuals to
    request access to their personal information, to update or correct it as
    necessary, to request their data is erased or transferred to another data
  • "Does your organization always ask for specific consent before
    processing an individual’s information, give them the opportunity to object
    to personal profiling or automated decision making that could impact them,
    and give them the right to easily withdraw their consent?"3


[return to top of this report]

"Medical records
are worth more to hackers than credit cards. With stolen medical records and
personal identifiers, hackers can create false IDs to get free medical treatment
or acquire drugs that can be resold on the black market. Combined with a false
provider number, insurance companies can be billed for treatment that has never
taken place or for medical equipment that has never been delivered."

HIPAA Journal4

requirements make the decision to purchase an appropriate ERMS
appear to be mandatory. Nevertheless, healthcare organizations should perform a
cost-benefit analysis based on what specific features are required, what
needs must be addressed, and what benefits can be achieved. HIPAA-compliant
features – such as records retention for a minimum of six years,
extensive status tracking of records and record components for accurate
audit trails or Accounting of Disclosures, and stringent roles-based
security – are critical. Additionally, some or all of the following may
also be relevant as selection criteria:

  • The capture of all electronic records, including e-mail, social media
    message, instant messages, documents, databases, and images
  • If the purchasing organization is unable to abandon or scan all paper
    records, the system must be able to manage the resulting mixed record
    base by tracking the status and/or location of paper records and storing
    electronic ones
  • Direct capture of information from other
    applications, such as Web sites
  • Full compliance with all
    relevant data protection, regulatory, legal, data retention, and audit
  • Ease of use
  • Troubleshooting,
    customizing, and training support
  • References
  • Scalability
  • Price, including initial costs, ongoing
    maintenance fees, training, and other factors
  • Long time
    viability of the vendor

Many methods for
combining compliance efforts exist, ranging from a complete
reorganization of privacy and security roles to reinvigorating and
realigning HIPAA committees or task forces. Because
non-compliance is often due to a lack of resources, Faulkner strongly
recommends that resource requirements be reduced by combining HIPAA
privacy and security roles and responsibilities.

Faulkner also recommends reducing healthcare information security risks by
utilizing a new security risk assessment (SRA) tool which is available from
Health and Human Services. Designed for small to medium sized offices, the SRA tool is the result of a
collaborative effort by the HHS Office of the National
Coordinator for Health Information Technology (ONC) and Office
for Civil Rights (OCR). The tool is designed to help practices
conduct and document a risk assessment in a thorough, organized
fashion at their own pace by allowing them to assess the
information security risks in their organizations under the
Health Insurance Portability and Accountability Act (HIPAA)
Security Rule. The application also produces a
report that can be provided to auditors.

The tool is available for both
Windows operating systems and iOS iPads. Healthcare
providers and other interested parties can download the Windows
version at
. The iOS
iPad version is available from the Apple App Store (search under
"HHS SRA tool").5

Follow the HHS Lead

Finally, the path to achieving effective HIPAA records management is,
perhaps, best informed by the US Department of Health and Human Services
(HHS) "Policy for Records Management," adopted November 25, 2015. "The purpose of this policy is to establish
the principles, responsibilities, and requirements for managing HHS records. This policy provides the framework for records management program guidance and
operating procedures." Key provisions include:

Identification of Records
Records in all media must be properly identified.

Adequate and Proper Documentation
Operational Divisions must establish formal files with
documented classification schemes or electronic recordkeeping systems with full
records management functionality.

Electronic Records – Unstructured electronic records to include
records created using applications, electronic mail, and other messaging
applications, word processing, or presentation software must be managed in a
records management solution. E-mail records must be retained in an appropriate
electronic system that supports records management and litigation requirements
(which may include preservation in-place models), including the capability to
identify, retrieve, and retain the records for as long as they are needed.

Organization and Maintenance of Records – Records shall be maintained so that they are
easily retrievable. If an electronic content
management system with recordkeeping functionality is not available, the record
must be printed and filed in a paper recordkeeping system.

File Plans – Operational Divisions and Staff Divisions
must maintain a centralized file plan that includes the title and description of
its records, including electronic media. Operational Divisions and Staff Divisions must standardize file
arrangement systems, filing procedures, and filing techniques of records. File
plans must be designed to enhance the current use of the files, the preservation
of archival records, and the prompt and systematic disposition of permanent and
temporary records according to the appropriate records schedule.6


[return to top of this report]

About the Author

[return to top of this report]

James G. Barr is a leading business continuity
analyst and business writer with more than 30 years’ IT experience. A member of "Who’s Who in Finance and Industry," Mr. Barr
has designed, developed, and deployed business continuity plans for a
number of Fortune 500 firms. He is the author of several books,
including How to Succeed in Business BY Really Trying, a member
of Faulkner’s Advisory Panel, and a senior editor for Faulkner’s
Security Management Practices
. Mr. Barr can be reached via
e-mail at jgbarr@faulkner.com.

[return to top of this report]