HIPAA Records Management
Copyright 2018, Faulkner Information Services. All Rights Reserved.
Docid: 00011307
Publication Date: 1808
Report Type: TUTORIAL
Preview
Perhaps the most prominent of US privacy regulations, HIPAA, or the Health Insurance Portability and Accountability Act of 1996, requires that health plans, health care providers, health care clearinghouses, and other "covered entities" ensure the confidentiality, integrity, and availability of all electronic Protected Health Information (ePHI) created, received, maintained, or transmitted. Records management – and, in particular, electronic records management – is a key component of the legislation.
Executive Summary
Perhaps the most prominent of US privacy
regulations, HIPAA, or the Health Insurance Portability and Accountability Act
of 1996, requires that health plans, health care providers, health care
clearinghouses, and other "covered entities" ensure the confidentiality,
integrity, and availability of all electronic Protected Health Information (ePHI)
created, received, maintained, or transmitted.
Related Faulkner Reports:
- HIPAA Compliance Software Tutorial
- Ensuring Privacy and Security for Medical Information Systems Implementation
The goal of HIPAA is to facilitate the transition to electronic record-keeping as a means of:
- Lowering the cost of health care administration.
- Improving patient care by rendering medical records more accessible.
The HIPAA Rules include:
- The Privacy Rule, which protects the privacy of individually identifiable health information.
- The Security Rule, which sets national standards for the security of electronic Protected Health Information (ePHI).
- The Breach Notification Rule, which requires covered entities (CEs) and business associates (BAs) to notify affected individuals and federal authorities following a breach of unsecured Protected Health Information (PHI).1
HIPAA & ERMS
Since penalties for HIPAA non-compliance are severe, many – if not most
– healthcare providers invest in an electronic records management system
(ERMS).
An ERMS is generally considered a foundational element for establishing
a HIPAA-compliant healthcare IT infrastructure. By
centralizing information into an ERMS, organizations can enact a
uniform approach to role-based security. Extensible retention
management programs can be leveraged to properly store, archive, and
destroy information, while audit trails can determine who performed what action, when, and on what piece of
information.
Realistically,
ERMS strategies must accommodate both physical and electronic records
management. Although more patient information is becoming digital, some is still based on paper documents and film images. It is
expected that these hybrid record environments will persist for the
foreseeable future, and ERMSs must be able to support them. Those healthcare
organizations (HCOs) that implement an ERMS will be able to take advantage of a series of
significant benefits. Among the most prominent capabilities that an
ERMS provides are:
- Cost reduction;
- Improved patient care;
- Greater physician satisfaction; and of course,
- Regulatory and audit compliance.
Another
factor that impacts the use of ERMSs is the 2009 Health Information Technology for Economic and
Clinical Health (HITECH) Act. The HITECH Act includes incentives for physicians’ adoption
and
“meaningful use” of electronic health records (EHR) under Medicare and Medicaid.
Description
A not-for-profit professional association dedicated to the topic of
managing records and information, ARMA (formerly the Association of Records
Managers and Administrators) defines records management as
“the systematic control of records throughout their life cycle” and
further defines records as “the evidence of what an organization does”
by capturing its business activities and transactions.
Per ISO 15489-1:2001 (see note 2): "A record is information created, received, and
maintained as evidence and information by an organization or person, in
pursuance of legal obligations or in the transaction of business." Note
that the idea of a record is tied to legal obligations and the
transaction of business. Table 1 depicts the four
characteristics of a record.
Table 1. Characteristics of a Record

| Characteristic | Definition |
|---|---|
| Authenticity | A |
| Integrity | A |
| Reliability | A |
| Usability | A |
ERMSs
are the basis for establishing HIPAA-compliant systems. Although a
HIPAA-compliant ERMS is necessary, healthcare providers should be aware
that a significant organizational effort is also required to define,
publish, and enforce related policies and procedures. A HIPAA-compliant
ERMS uses computer equipment and software to manage digitized and
non-digitized records according to accepted principles and practices of
records management.
HIPAA
seeks to establish standardized mechanisms for electronic data
interchange (EDI), security, and the confidentiality of all
healthcare-related data. The Act mandates standardized formats for all
patient health, administrative, and financial data; unique identifiers
(ID numbers) for each healthcare entity, including individuals,
employers, health plans, and healthcare providers; and security
mechanisms to ensure confidentiality and data integrity for any
information that identifies an individual. The push to ensure HIPAA
compliance at HCOs has made implementation of privacy and security
rules a critical task for hospitals and medical centers. These
regulations have prompted providers to ensure that they are equipped with
the most effective capabilities to protect the confidentiality,
integrity and availability of health information.
Additionally,
all healthcare organizations (HCOs) must comply with the Transaction
Rule and Privacy Rule implemented as part of HIPAA, which relates to
the standardization of healthcare-related information systems. One of
its key drivers is to provide the minimal and necessary level of
confidential patient data to the healthcare community and other
people/organizations requiring access to such information.
Typical HIPAA ERMS functions include:
- Marking electronic documents or records as read-only.
- Protecting stored medical records against unauthorized access, modification, or tampering.
- Ensuring that identifying information of individuals is available only to those who legitimately need it for use in treatment, payment, or operations. This information includes names, addresses, dates, telephone or fax numbers, e-mail addresses, Social Security numbers, medical record or health plan numbers, and any other data that has the potential to identify an individual.
- Categorizing and filing records according to an organizational taxonomy.
- Assigning, freezing, or unfreezing archival and/or disposal/destruction rules. HIPAA requires that medical records must be retained for a set amount of time, typically six years.
- Executing disposal processing.
- Maintaining organizational/historical metadata that maintains the business context of the record in the case of organizational change.
- Maintaining a history or audit trail of each record.
Benefits
of maintaining a healthcare ERMS fall into categories of compliance and
cost reduction, as well as other benefits. Legal, regulatory, and audit
compliance benefits include:
- Meeting HIPAA requirements.
- Reduced legal risks, resulting from reduced medical errors and better accounting.
- Faster, more accurate response to and tracking of requests for release of information.
- Improved compliance with government initiatives, including public health surveillance and reporting.
- Fewer resources required.
- Faster performance of audits.
- Identification of actual and potential segregation of duties to avoid conflicts.
- Authenticity and reliability of records.
- Roles-based record integrity and security.
- Compliance with records retention/destruction rules.
- Easing of record comparisons for investigative or analytic purposes.
Cost reduction benefits of a healthcare ERMS include:
- Lower administrative overhead for filing, tracking, and retrieving paper.
- Less need to maintain duplicate (paper and digital) ERM systems.
- Decreased paper usage, resulting in lower physical storage costs.
- Reduced duplication of medical tests, resulting in improved quality of patient care.
- Decreased accounts receivables and Medicare denials due to more efficient billing cycles.
- Lower
discovery compliance costs for billing dispute resolution,
claims/authorization adjudication, regulatory compliance, and audit
requests.
Other benefits of a healthcare ERMS include:
- Easy, secure roles-based access for any legitimate user to any required data at any time from anywhere.
- Record retrieval based on keywords, categories, or contents.
- Rapid and easy record locating and retrieval for billing dispute resolution, claims authorization and adjudication, regulatory compliance, and audit requests.
- Easy record reclassification due to changes in taxonomies or regulations.
- Simultaneous record access by multiple users.
- Single query viewing of all records related to a patient’s medical history, treatment, and billing.
- Quick, accurate record retrieval, resulting in improved treatment, reduced patient length of stay, and higher physician satisfaction.
- Reduction in searches for relevant paper documents, resulting in greater staff efficiency across departments.
Current View
As
organizations have worked to meet HIPAA standards, ERMSs have become a
solid foundation for establishing a HIPAA-compliant environment. HCOs,
including hospitals, doctors’ offices, insurance companies, health
maintenance organizations (HMOs), preferred provider organizations
(PPOs), medical labs, and others, can be for-profit, non-profit, or
not-for-profit, but they all have a common denominator; they all carry
confidential patient information that must be protected. Compliance
must be established and maintained within each organization and
HIPAA-compliant confidentiality must be maintained when information is
shared between organizations.
HCOs
have traditionally distributed confidential information across a
collection of different mediums. Patient medical records such as
waivers, charts, audio files, photographs, notes, and other
confidential information types can be stored on network drives,
handheld
devices, local hard drives, picture archiving and communication systems
(PACS) such as X-ray equipment and, of course, within physical paper
documents. While central files existed, the lack of secure control, along
with inappropriate information access, ultimately served as
catalysts for the HIPAA initiative.
ERMSs accommodate almost every information type. PACS and ERMS content
is normally accessed in a consolidated, or “joined,” fashion through a
centralized medical record system (MRS). Those MRSs are normally the
transactional backbone behind a HCO, dealing with the patient’s billing
information, which is typically more structured than other data. In some cases, the
medical record systems may embed documents directly into the database. A well-mapped security infrastructure must
exist between the MRS, ERMS, and PACS platforms. In the absence of any
common security model or synchronization, users must deal with a
multitude of login IDs, which can lead to a lot of complexity and a
possible gap in HIPAA compliance.
In
all of those systems, HIPAA mandates that access to confidential
information be role-based. Only individuals who serve in designated
capacities or roles can see the patient’s confidential information.
Additionally, detailed audit trails must be maintained regarding how
information is accessed and by whom. Finally, information maintained in
the ERMS must be systematically destroyed in accordance with all state
and/or federal retention requirements.
For
all of those reasons, ERMS technology serves as an important vehicle for
HIPAA compliance within an HCO. Centralizing information into the ERMS
means that a uniform approach to role-based security can be used;
extensible retention management programs can be leveraged to properly
store, archive and destroy information; and audit trails can be fully
employed to determine who has performed what action, when, and on what
piece of information.
While
ERMS technology is central as a means to ensure HIPAA compliance, it
is also important to note that HCOs achieve immediate, tangible
benefits by being able to find and retrieve information more quickly.
HIPAA specifically mandates retrieval times of no more than 30 days for
on-site records, and 60 days for off-site records. ERMS metadata can
also help in the patient coding standards implemented by HIPAA. Most
medical facilities have internal codes that are used for treatment and
billing purposes, and HIPAA standardizes these codes as well. ERMS
metadata allows the codes to be used and searched on as part of the
storage and retrieval process, which can form the basis of a
cost-justification for an HCO ERMS investment.
While HIPAA has been implemented gradually, many healthcare providers still have
difficulty with compliance. Although there are many reasons why compliance is difficult to achieve and maintain, the most common is a lack of resources.
HIPAA-Compliant Records Management System
According to eFileCabinet, a HIPAA-compliant records (or document) management system will feature the following:
- "A Secure Database – Encryption of the documents … is a necessity.
- "Backup of the database protects documents from loss in the case of system and server failure.
- "Client Portal – Much safer than email, a client portal allows for secure sharing of documents with patients and insurance companies.
- "Automated Retention is a must for compliance. HIPAA requires that active employee records be maintained for the duration of the employee’s employment and for seven years after an employee’s termination.
- "Role Based Security – Employee records should only be accessible by HR personnel. In addition, accounting and payroll functions records should not be accessed by general employees.
- "Audit Trails allow for tracking of every action taken … and should only be available to top level administrators."
Outlook
Any effective healthcare ERM strategy must include best
practices for managing both physical and digitized data. To accommodate
the ever-growing volume of information and to integrate it with
evolving digital data management solutions, an optimal ERM solution
will have to address several key requirements. The critical needs of a
healthcare ERMS are:
- A strong indexing approach.
- Extensive metadata that provides detailed descriptions of the health records' contents so that users can quickly and easily determine what is contained in the records without having to access the information itself.
- Role-based metadata, record, and field-level security. Doctors, for example, need access to much more detailed information than do accounting or administrative users.
- Extensive status tracking of records and record components for accurate audit trails or accounting of disclosures, including:
  - When and by whom they were checked out.
  - Who revised them, when, and in what fashion.
  - Their current location at any time.
- “Intelligent” archiving, retention, and destruction rules.
- Scalability, with the ability to handle both new information types and increased volume due to mergers or cooperative alliances with other healthcare organizations.
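As an added illustration (not part of the Faulkner report or of any product it mentions), the following Python sketch models the ERMS functions listed under "Typical HIPAA ERMS functions" and the critical needs above: role-based field-level access under the minimum-necessary principle, an audit trail of every action, read-only marking, and retention/disposal rules with a freeze/unfreeze hold, including the six-year retention period and the 29 February edge case when computing an expiry date. The role names, field names, and sample record are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date

# Hypothetical "minimum necessary" map of the fields each role may see; role and
# field names are constructed for this example, not taken from any real ERMS.
ROLE_FIELDS = {
    "physician": {"name", "dob", "diagnosis", "treatment", "billing_code"},
    "billing": {"name", "billing_code", "insurance_id"},
}
RETENTION_YEARS = 6  # the six-year retention period the report cites

def add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February when the target year is not a leap year
        return d.replace(year=d.year + years, month=3, day=1)

class AccessDenied(Exception):
    pass

@dataclass
class PatientRecord:
    fields: dict
    closed_on: date            # date the record left active use
    read_only: bool = False
    legal_hold: bool = False   # a "frozen" disposal rule
    audit: list = field(default_factory=list)

    def _log(self, who, role, action, detail=""):
        # Audit trail entry: who performed what action, when, and on what.
        self.audit.append((who, role, action, detail, date.today().isoformat()))

    def view(self, who, role):
        # Return only the fields this role legitimately needs; log every access.
        allowed = ROLE_FIELDS.get(role, set())
        if not allowed:
            self._log(who, role, "VIEW_DENIED")
            raise AccessDenied(f"role {role!r} may not view patient records")
        visible = {k: v for k, v in self.fields.items() if k in allowed}
        self._log(who, role, "VIEW", ",".join(sorted(visible)))
        return visible

    def update(self, who, role, key, value):
        # Refuse if the record is read-only or the role may not touch this field.
        if self.read_only or key not in ROLE_FIELDS.get(role, set()):
            self._log(who, role, "UPDATE_DENIED", key)
            raise AccessDenied(f"update of {key!r} refused")
        self._log(who, role, "UPDATE", f"{key}: {self.fields.get(key)!r} -> {value!r}")
        self.fields[key] = value

    def mark_read_only(self, who, role):
        self.read_only = True
        self._log(who, role, "MARK_READ_ONLY")

    def set_hold(self, who, role, on):
        self.legal_hold = on
        self._log(who, role, "FREEZE" if on else "UNFREEZE")

    def disposal_eligible(self, today):
        # Eligible once the retention period has run and no hold is in place.
        return today >= add_years(self.closed_on, RETENTION_YEARS) and not self.legal_hold

    def dispose(self, who, role, today):
        if not self.disposal_eligible(today):
            self._log(who, role, "DISPOSE_DENIED")
            return False
        self.fields.clear()
        self._log(who, role, "DISPOSE")
        return True

def _denied(action):
    try:
        action()
    except AccessDenied:
        return True
    return False

def run_demo():
    # Walk one constructed record through its life cycle and collect the outcomes.
    rec = PatientRecord({"name": "Sample Patient", "dob": "1970-01-01", "diagnosis": "n/a",
                         "treatment": "n/a", "billing_code": "99213", "insurance_id": "INS-1"},
                        closed_on=date(2016, 2, 29))
    out = {"physician_sees": sorted(rec.view("dr_a", "physician")),
           "billing_sees": sorted(rec.view("clerk_b", "billing")),
           "hr_denied": _denied(lambda: rec.view("hr_c", "hr"))}
    rec.mark_read_only("admin", "records_manager")
    out["readonly_enforced"] = _denied(lambda: rec.update("dr_a", "physician", "treatment", "x"))
    out["too_early"] = rec.dispose("admin", "records_manager", date(2022, 2, 28))
    rec.set_hold("counsel", "legal", True)
    out["held"] = rec.dispose("admin", "records_manager", date(2022, 3, 1))
    rec.set_hold("counsel", "legal", False)
    out["disposed"] = rec.dispose("admin", "records_manager", date(2022, 3, 1))
    out["audit_actions"] = [a[2] for a in rec.audit]
    return out
```

Calling `run_demo()` shows each role receiving only its permitted fields, the read-only flag and the legal hold blocking changes and disposal, and every attempt (granted or denied) landing in the audit trail.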
The
evolution of healthcare records management and the emergence of fully
electronic health records will continue to force changes in healthcare
workflows and professional roles. Healthcare information managers need
to plan proactively for the design and implementation of these systems.
The
requirements for providing a true information interchange that
accommodates all the necessary security parameters defined under HIPAA
are convoluted and complex. Issues such as consistent
password length and expiration, as well as staff role changes, are
incredibly challenging across HCOs. Additionally, no process for
ensuring the simultaneous archiving and destroying of duplicate records
stored in two systems currently exists. At this time, HCOs are only
concerned about the process as it relates to information stored within
their own systems, even if it was obtained from, or sent to, another
HCO. The process for archiving or destroying the matching data in the
system-of-origin is seen as “not their problem."
Web services are currently being developed, standardized, and
shared for the exchange of information across healthcare ERM systems.
Although such technology may help to facilitate the automated exchange of
information between HCOs and the synchronous archiving and destroying
of the same records within multiple environments, a significant effort
will still be required to ensure that security and metadata mapping
maintain the proper level of integrity.
Covered Entities and Business Associates
The HIPAA rules apply to covered entities and business associates.
Covered Entities include:
- Health Care Providers, such as Doctors, Clinics, Psychologists, Dentists, Chiropractors, Nursing Homes, and Pharmacies, but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.
- Health Plans, such as Health Insurance Companies, HMOs, Company Health Plans, and Government Programs that pay for health care, for example, Medicare, Medicaid, and the military and veterans health care programs.
- Health Care Clearinghouses, or entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
Business Associates are companies or organizations that operate on
behalf of covered entities.
While observing that "some of the largest [reported HIPAA] breaches
have involved [HCO] business associates," on January 17,
2013, HHS announced a final omnibus rule that extends many of the HIPAA
privacy and security requirements to organizations (HCO contractors and
subcontractors) that receive protected health information. Plugging what many consider a significant regulatory loophole, HCO
business associates must now amend their records management processes to
accommodate a more rigorous HIPAA compliance regime.
Under the new Privacy Rule, "covered entities
that engage business associates to work on their behalf must have contracts or
other arrangements in place with their business associates to ensure that the
business associates safeguard protected health information, and use and disclose
the information only as permitted or required by the Privacy Rule."
Similarly, according to the new Security Rule,
"covered entities must have contracts or other arrangements in place with their
business associates that provide satisfactory assurances that the business
associates will appropriately safeguard the electronic protected health
information they create, receive, maintain, or transmit on behalf of the covered
entities."
HIPAA Rules Are Enforced
Healthcare organizations should proceed in the certain knowledge that HIPAA
compliance is monitored and enforced.
In June 2018, a Department of Health and Human Services (HHS) Administrative Law Judge (ALJ)
ruled that The University of Texas MD Anderson Cancer Center (MD Anderson)
violated HIPAA Privacy and Security Rules, requiring MD Anderson to pay $4,348,000 in civil
money penalties to the Office for Civil Rights (OCR).
OCR investigated MD Anderson following three separate data breach reports in
2012 and 2013 involving the theft of an unencrypted laptop from the residence of
an MD Anderson employee and the loss of two USB drives containing the unencrypted electronic
protected health information (ePHI) of more than 33,500 individuals. OCR’s
investigation found that MD Anderson had written encryption policies going as
far back as 2006 and that MD Anderson’s own risk analyses had found that the
lack of device-level encryption posed a high risk to the security of ePHI.
Despite the encryption policies and high risk findings, MD Anderson did not
begin to adopt an enterprise-wide solution to implement encryption of ePHI until
2011, and even then it failed to encrypt its inventory of electronic devices
containing ePHI between March 24, 2011 and January 25, 2013.
General Data Protection Regulation
The EU GDPR may soon rival HIPAA as a leading healthcare data protection
mechanism.
As of May 25, 2018, any organization responsible for collecting, processing,
or storing data – including medical data – belonging to the citizens of the
European Union must comply with the EU General Data Protection Regulation (GDPR).
To facilitate this process, the HIPAA Journal has assembled a list of HIPAA-relevant
GDPR requirements. These include:
- "Has your organization compiled a list of the personal data it holds, the sources of that data, who you share the data with, what you do with it, and how long you will keep the data for?
- "Has your organization compiled a list of where personal data is kept and how data flows between these places?
- "Has your organization conducted a risk assessment of its security mechanisms, ensured any weaknesses or vulnerabilities are addressed and trained employees to be aware of data protection?
- "If your organization operates outside the EU, have you appointed a representative within the EU who will be responsible for reporting data breaches?
- "Has your organization put a contract in place with data processors and sub-processors to ensure you are informed of any data breaches?
- "Has your organization put mechanisms in place to allow individuals to request access to their personal information, to update or correct it as necessary, to request their data is erased or transferred to another data processor?
- "Does your organization always ask for specific consent before processing an individual’s information, give them the opportunity to object to personal profiling or automated decision making that could impact them, and give them the right to easily withdraw their consent?"3
Recommendations
"Medical records are worth more to hackers than credit cards. With stolen medical records and personal identifiers, hackers can create false IDs to get free medical treatment or acquire drugs that can be resold on the black market. Combined with a false provider number, insurance companies can be billed for treatment that has never taken place or for medical equipment that has never been delivered." – HIPAA Journal4
HIPAA
requirements make the decision to purchase an appropriate ERMS
appear to be mandatory. Nevertheless, healthcare organizations should perform a
cost-benefit analysis based on what specific features are required, what
needs must be addressed, and what benefits can be achieved. HIPAA-compliant
features – such as records retention for a minimum of six years,
extensive status tracking of records and record components for accurate
audit trails or Accounting of Disclosures, and stringent roles-based
security – are critical. Additionally, some or all of the following may
also be relevant as selection criteria:
- The capture of all electronic records, including e-mail, social media messages, instant messages, documents, databases, and images.
- If the purchasing organization is unable to abandon or scan all paper records, the system must be able to manage the resulting mixed record base by tracking the status and/or location of paper records and storing electronic ones.
- Direct capture of information from other applications, such as Web sites.
- Full compliance with all relevant data protection, regulatory, legal, data retention, and audit regulations.
- Ease of use.
- Troubleshooting, customizing, and training support.
- References.
- Scalability.
- Price, including initial costs, ongoing maintenance fees, training, and other factors.
- Long-term viability of the vendor.
Many methods for
combining compliance efforts exist, ranging from a complete
reorganization of privacy and security roles to reinvigorating and
realigning HIPAA committees or task forces. Because
non-compliance is often due to a lack of resources, Faulkner strongly
recommends that resource requirements be reduced by combining HIPAA
privacy and security roles and responsibilities.
Faulkner also recommends reducing healthcare information security risks by
utilizing a new security risk assessment (SRA) tool which is available from
Health and Human Services. Designed for small to medium sized offices, the SRA tool is the result of a
collaborative effort by the HHS Office of the National
Coordinator for Health Information Technology (ONC) and Office
for Civil Rights (OCR). The tool is designed to help practices
conduct and document a risk assessment in a thorough, organized
fashion at their own pace by allowing them to assess the
information security risks in their organizations under the
Health Insurance Portability and Accountability Act (HIPAA)
Security Rule. The application also produces a
report that can be provided to auditors.
The tool is available for both
Windows operating systems and iOS iPads. Healthcare
providers and other interested parties can download the Windows
version at
http://www.HealthIT.gov/security-risk-assessment. The iOS
iPad version is available from the Apple App Store (search under
"HHS SRA tool").5
Follow the HHS Lead
Finally, the path to achieving effective HIPAA records management is,
perhaps, best informed by the US Department of Health and Human Services
(HHS) "Policy for Records Management," adopted November 25, 2015. "The purpose of this policy is to establish
the principles, responsibilities, and requirements for managing HHS records. This policy provides the framework for records management program guidance and
operating procedures." Key provisions include:
Identification of Records –
Records in all media must be properly identified.
Adequate and Proper Documentation –
Operational Divisions must establish formal files with
documented classification schemes or electronic recordkeeping systems with full
records management functionality.
Electronic Records – Unstructured electronic records to include
records created using applications, electronic mail, and other messaging
applications, word processing, or presentation software must be managed in a
records management solution. E-mail records must be retained in an appropriate
electronic system that supports records management and litigation requirements
(which may include preservation in-place models), including the capability to
identify, retrieve, and retain the records for as long as they are needed.
Organization and Maintenance of Records – Records shall be maintained so that they are
easily retrievable. If an electronic content
management system with recordkeeping functionality is not available, the record
must be printed and filed in a paper recordkeeping system.
File Plans – Operational Divisions and Staff Divisions
must maintain a centralized file plan that includes the title and description of
its records, including electronic media. Operational Divisions and Staff Divisions must standardize file
arrangement systems, filing procedures, and filing techniques of records. File
plans must be designed to enhance the current use of the files, the preservation
of archival records, and the prompt and systematic disposition of permanent and
temporary records according to the appropriate records schedule.6
References
- 1 "Guide to Privacy and Security of Electronic Health Information," version 2.0. The Office of the National Coordinator for Health Information Technology, US Department of Health and Human Services. April 2015:57.
- 2 ISO 15489-1:2001 was revised. The new standard is ISO 15489-1:2016.
- 3 "’To-do List’ for GDPR Compliance." HIPAA Journal. January 10, 2018.
- 4 Andrew Kelleher (contributor) and Steve Alder (editor). "HIPAA Compliance Guide." HIPAA Journal. 2017:19.
- 5 "HHS Releases Security Risk Assessment Tool to Help Providers with HIPAA Compliance." US Department of Health and Human Services. March 28, 2014.
- 6 "HHS Policy for Records Management." US Department of Health and Human Services. November 25, 2015.
Web Links
- ARMA International: http://www.arma.org/
- HIPAA Journal: http://www.hipaajournal.com/
- National Archives and Records Administration: http://www.archives.gov/
- US Department of Health and Human Services: http://www.hhs.gov/
About the Author
James G. Barr is a leading business continuity
analyst and business writer with more than 30 years’ IT experience. A member of "Who’s Who in Finance and Industry," Mr. Barr
has designed, developed, and deployed business continuity plans for a
number of Fortune 500 firms. He is the author of several books,
including How to Succeed in Business BY Really Trying, a member
of Faulkner’s Advisory Panel, and a senior editor for Faulkner’s
Security Management Practices. Mr. Barr can be reached via
e-mail at jgbarr@faulkner.com.