Document control practices in the age of HIPAA

The time has come to bring information governance stakeholders together to develop a practical plan for document management and data privacy for HIPAA compliance.

Information is the lifeblood of any organization, but having access to too much -- especially personally identifiable information -- can cause problems if the proper document control practices aren't in place.

It's now more important than ever to keep information out of the wrong hands. The Identity Theft Resource Center reports that there were 781 data breaches in 2015 -- the second-highest year on record since the ITRC began tracking breaches in 2005.

Lawyers, for example, are taking a closer look at the Health Insurance Portability and Accountability Act (HIPAA) privacy rule and their responsibility to keep client health information within their firms private. The fines for noncompliance are enormous, so it is imperative that everyone in firms understands their roles in document control practices.

The HIPAA privacy rule

HIPAA establishes national standards to protect individuals' medical records and other personal health information. It applies to health plans, healthcare clearinghouses and healthcare providers that conduct certain electronic healthcare transactions. The overall objective is to protect the privacy of personal health information and set limits and parameters on the access and use of such information without patient authorization.

Law firms must make reasonable efforts to protect their clients' information from anyone who doesn't require access to that information to do their jobs. This approach is called a pessimistic model for document management. Law firms have traditionally operated in an optimistic model for document management, which allows access to pretty much everything. However, the rise of the data breach has most definitely changed the game.

Data privacy: Not just a technology issue

Information protection is not just an IT issue, and data breaches should not be viewed simply as a breakdown in technological controls. Every department -- indeed, every employee -- has a part to play in the security of information under the HIPAA privacy rule. The reality is that all firms must acknowledge the enterprise-wide disruption that can occur when a data breach is discovered. The firms that prepare ahead of time will not only be able to withstand the data breach, but they can also safeguard their positive reputation for their clients, partners and employees. Making the choice to implement an information governance and security program is the first step toward data protection.

Not just a paper issue

While the majority of data breaches involve electronic files, paper files are also susceptible. Of the data breaches reported by the Identity Theft Resource Center, about 30 of them were deemed to be a paper data breach. For example, one insurance company reported more than 5,000 records were exposed in March of last year. What was the nature of the breach? Eleven people were charged with identity theft and credit card fraud after an employee allegedly printed and shared screenshots of more than 5,000 subscriber profiles. Most of the other paper data breaches reported included vandalism or break-in charges. All of this is a result of poor document management.

Document control: Where to begin

Law firm records managers and information governance professionals should work to develop a program for how information is managed and then communicate the data protection requirements to all attorneys and staff personnel.

A point to remember is that data protection applies to both physical and electronic records. Therefore, a proper chain of custody workflow must be part of the data protection requirements. Chain of custody helps organizations understand the who, what, when, where and why of a particular document.

For physical records, barcode tracking and RFID technology are the leading tools in this arena, while a document management system will fit the bill for electronic records since it is able to capture this type of metadata.

Of course, proper security permissions apply no matter whether the information is paper or electronic. Physical records can be stored in locked cabinets, and electronic records should utilize some sort of encryption software to prevent information from falling into the wrong hands. There is no shortage of these types of tools on the market today.
