EDRMS' crucial role in HIPAA compliance
By Russ Edelman and Wes Settle
All healthcare organizations were required last year to become compliant with the Transaction Rule and Privacy Rule implemented as part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The "Cliffs Notes" definition of HIPAA is to provide minimal and only necessary levels of confidential patient information to the healthcare community and other people/organizations requiring access to such information. As organizations have worked to meet the standards, electronic document and records management systems (EDRMS) have been recognized as a solid foundation for establishing HIPAA-compliant systems.
While healthcare organizations have embraced EDRMS technology for some time, it is only recently that HIPAA compliance has become a business objective unto itself. Furthermore, the level of sophistication and intra-healthcare organization integration varies among the organizations urgently looking to share information across their respective boundaries while adhering to all necessary HIPAA regulations.
Healthcare organizations (HCO) come in all shapes and sizes. They consist of hospitals, doctors' offices, insurance companies, health maintenance organizations (HMO) companies, preferred provider organizations (PPO), medical labs and an assortment of other company types. They may be for-profit, non-profit or not-for-profit. While the corporate structures vary, the common denominator across them is that they contain confidential patient information that must be protected in accordance with HIPAA regulations.
Based on research and interviews with a collection of the different organizations, HIPAA compliance is separated into two priorities:
- Compliance must be established and maintained within the respective organization.
- Any interaction with outside organizations must ensure that the necessary levels of HIPAA-compliant confidentiality is maintained as information is shared between organizations.
In the first case, HCOs have traditionally distributed confidential information across a collection of different mediums. Patient medical records—such as waivers, charts, audio files, photographs, notes and other confidential information types—are stored on network drives, handheld devices, local hard drives, picture archiving and communication systems (PACS) such as X-ray equipment and, of course, physical paper. While central files exist, the lack of secured control and inappropriate information access ultimately served as one of the catalysts for the HIPAA initiative.
EDRMS technology today has been greatly enhanced to accommodate virtually every information type. While PACS imagery is still predominant in its respective systems and repositories, the balance of all unstructured information is quickly making its way into the EDRMS. PACS and EDRMS content is normally accessed in a consolidated or "joined" fashion through a centralized medical record system (MRS). Those medical record systems are normally the transactional backbone behind a HCO, dealing with the patient's billing information that is typically more structured. In some cases, the medical record systems may embed documents directly into the database, so that issue too must be addressed. When considering those and other complementary systems, a well-mapped security infrastructure must exist between the MRS platform, the EDRMS platform and the PACS platform. In the absence of any common security model or synchronization, users must deal with a multitude of login IDs, which can lead to a lot of complexity and a possible void in HIPAA compliance.
In all of those systems, HIPAA is mandating that access to confidential information is role-based. In that capacity, only individuals who serve in designated capacities (i.e. roles) at designated times can see the patient's confidential information. Additionally, detailed audit trails must be maintained with regard to how information is accessed and by whom. Finally, information maintained in the EDRMS must be systematically destroyed in accordance with all state and/or federal retention requirements.
For all of those reasons, EDRMS technology serves as an ideal vehicle for HIPAA compliance within an HCO. Centralizing information into the EDRMS means that a uniform approach to role-based security can be used; extensible retention management programs can be leveraged to properly store, archive and destroy information; and audit trails can be fully employed to determine who has performed what action on what piece of information.
While EDRMS technology clearly serves as a foundation for HIPAA compliance, it is also important to note that HCOs realize an immediate, tangible value in being able to find information more quickly. In fact, HIPAA actually mandates retrieval times of no more than 30 days for on-site records, and 60 days for off-site records. HCOs, like so many other organizations, desperately need a centralized repository to simplify searching and accessing information. EDRMS metadata can also help in the patient coding standards implemented by HIPAA. Most medical facilities have internal codes that are used for treatment and billing purposes. HIPAA seeks to standardize those codes as well. EDRMS metadata allows the codes to be used and searched on as part of the storage and retrieval process. That can often serve as an important justification for an EDRMS investment.
David Partsch, an architect with Geisinger Health System is keenly aware of these HIPAA issues as well as the value of EDRMS. Geisinger was using Tower Technology's EDRMS product even before the HIPAA requirements, and sees compliance as a natural extension of the tool's inherent capabilities.
"The core of Tower's products, as is the case with so many other EDRMS solutions, serves as an effective foundation for developing a HIPAA-compliant environment," Partsch says. "The bigger challenge is to deal with the information beyond the control of the EDRMS. Specifically, files and papers that are not imported/scanned into the system require procedural compliance that extends beyond the boundaries of the EDRMS platform."
So, the proverbial horse led to the water resonates in this scenario. The EDRMS is only effective when information is placed into the system. The HCO must have an effective policy to ensure that information is migrated to the EDRMS and that original source files are destroyed. Otherwise, all control is lost.
Regarding HIPAA's impact on future planning, Partsch says, "Geisinger must spend more time in the beginning of a project to ensure that all standard operating procedures, project implementation schedules and security models are fully thought through relative to any HIPAA compliance issues. This increases the effort, however, not by a huge order of magnitude as compared to pre-HIPAA EDRMS planning."
Sharing with partners
That leads us to the second priority listed at the beginning of this article—sharing information across HCOs. Many are just barely slipping under the wire for internal HIPAA compliance, let alone HIPAA compliance for sharing information across their partner organizations. In time, a unified, standards-based information exchange may present itself; however, for now, a simplified approach is being pursued by most HCOs.
Specifically, it appears that the first baby step in sharing information under HIPAA compliance is based on the facilitated, auditable importation of documents from an external system to an internal system. For example, a series of documents and associated metadata stored in one EDRMS may be exported from one HCO to another. Information can be transferred via secure FTP, encrypted e-mail or private VPN. In the process, detailed audit trails and security mappings would require updating on both systems to ensure that HIPAA compliance remains intact.
A question, which has yet to be answered, is the process of archiving and destroying duplicate records that are contained in two systems. At this time, HCOs are only concerned about the process as it relates to information contained within their system and not the original source system, if it was imported initially. That level of sophistication may be a future baby step.
The complexities of providing a true information interchange that accommodates all the necessary security parameters defined under HIPAA are still overly complex. Issues such as consistent password length and expiration as well as staff role changes are incredibly challenging across organizations. In the future, exposed Web services may be made available and standardized for the exchange of information across EDRMS. While that may facilitate the automated exchange of information, a Herculean effort will still be required to ensure that all security and metadata mapping maintains the proper level of integrity.
A snapshot of HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) seeks to standardize formats for information exchange within and between healthcare organizations. That includes all healthcare organizations, even physician offices, health plans, billing agencies, information systems vendors, services organizations, hospitals and universities.
The U.S. Department of Health and Human Services devised the privacy rule to comply with HIPAA. That rule required that all patient information be kept confidential and that access to the information be audited. It includes patient billing information as well as medical records. Records are to be kept secure at all times with access limited to only those people who require access for records transfer or other official purposes.
The privacy rule represents the first set of national standards for the protection of that patient information. It also represents a need to consolidate records into a system where access and modification can be strictly audited. The privacy rule requires that information passed between organizations be exchanged under security standards, including encrypting e-mails, using secure FTP, using secure HTTP and using private VPN.
Russ Edelman is president and founder of Corridor Consulting (corridorconsulting.com), e-mail firstname.lastname@example.org. Wes Settle is a senior consultant with Corridor; email@example.com.