Healthcare Document Imaging and Content Management Systems

SUNY Downstate ECM Case Study

CASO and HIPAA COMPLIANCE

What is HIPAA and what does it mean to be compliant to this standard?

HIPAA stands for the Health Insurance Portability and Accountability Act. It was designed to standardize the industry on specific code sets and transaction formats, and insurance payers, clearinghouses and billing services have spent enormous amounts of time and money implementing it. Enforcement is handled by the Department of Health and Human Services Office for Civil Rights and is intended to be self-funding through the fines it levies. In addition to standardizing code sets and electronic transaction frameworks, the law established a minimum requirement for the protection and privacy of Protected Health Information (PHI). The specific parts of the regulation that relate to safeguarding PHI include:

Regulation: §164.530(c) Safeguards (administrative safeguards for PHI)
Regulation: §164.530(c) Safeguards (technical safeguards for PHI)
Regulation: §164.530(c) Safeguards (physical safeguards for PHI)
Regulation: §164.530(i) Policies and Procedures
42 U.S.C. §1320d-2(d)(2) requires entities that maintain or transmit health information to "maintain reasonable and appropriate administrative, technical, and physical safeguards"

The law also requires that covered entities have backup, disaster recovery and media controls in effect:

Regulation: §164.308(a)(7) Contingency Plan (data backup, disaster recovery and emergency mode operation)
Regulation: §164.310(d) Device and Media Controls

Since every medical practice that files electronically must comply with these regulations or face civil fines of up to $25,000 (per calendar year for violations of an identical provision), the need for CASO products can be readily seen. Large hospitals, clinics and even single-clinician offices are all required to provide safeguards and security for the PHI in their care.

How does CASO’s software address compliance from a business requirements perspective?

Our Document Management and Disaster Recovery solutions meet or exceed HIPAA requirements for both security and recoverability in the event of a disaster.

CASO's use of Documentum, combined with DiskXtender, meets and exceeds many healthcare organizations' needs for the image-enabled aspects of records management compliance under HIPAA. Appropriately configured, these solutions are broadly used to meet practical content management demands within the medical industry (references are available). In addition, many customers are using the ApplicationXtender suite to address HIPAA compliance.

CASO's system provides comprehensive backup and recovery in heterogeneous environments, including Windows, UNIX, Linux and OpenVMS. Our solutions provide complete online protection for multiple database systems, including Oracle, DB2, MS SQL Server and Informix. CASO can therefore support your organization's disaster recovery plan in accordance with HIPAA.

How does CASO address HIPAA from a technical requirements perspective?

The following statements can be made regarding CASO's ability to address the requirements of the HIPAA regulations.

Audit trails:

CASO's use of the Documentum Content Management suite is ODMA compliant (the Open Document Management API, a software industry standard) and enables comprehensive audit trails to be established for user management, access management and system monitoring functions covering content capture and modification. The audit trail functionality is not on by default: to support compliance, it must be enabled, and it must be enabled before the events it is expected to record occur, since it cannot be applied retroactively. The audit trails keep the recorded events and their parameters in logs, which are then used to produce the compliance reports required under HIPAA. To generate these reports, an industry-standard reporting package (such as Crystal Reports) must be obtained and pointed at the data tracked through the Documentum audit trails. Please refer to our comprehensive documentation for specific audit trail functionality. Additional audit functionality and reporting can be obtained through our Professional Services.

Security Access:

CASO's Online Document Access (ODA) System offers multiple levels of security. ODA provides encrypted connections for both network and web-based user session initiation; where appropriate, secure sockets (SSL) and other industry-standard technologies are used. ODA supports granting system access to individual users and to defined user groups, and administrators or "super users" can also be defined. In addition to system-level access security, ODA offers Application, Functional and Document security, applied in that order: a user must first have access to the application (library), then hold the privilege for the function being attempted, and finally pass any document-level rule on the specific item.

System Security: Two alternative security models are offered for user management, access control and user/group privileges for system functions: Documentum's proprietary model, or deferral to Windows security. Customized deferral to alternate security mechanisms, such as Oracle, can be implemented by Professional Services.
Application Level Security: This allows users and user groups to be granted access only to subsets of content, based on the applications (libraries) defined within the system. Users and groups can access only the information contained within the applications to which they have rights.
Functional Security: This refers to the security surrounding the functions that specific users or user groups may perform. Over 37 distinct privileges, such as add, delete, annotate and modify, are defined and administered within the Content Management system. These privileges can be structured and constrained to meet HIPAA compliance.
Document Level Security (DLS): Document level security provides an additional level of security at the individual document level within an application (library). Users and user groups can be defined inclusively (only the named principals may see the document) or exclusively (the named principals are denied) at the document level, so that even a user holding every other privilege will see specific content only if the document-level rule permits it.
Additional security or encryption functionality can be obtained through integration or through our Professional Services if required.
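The layered model described above (application, then functional, then document-level inclusion or exclusion) is easier to reason about when written down as a check. The following is an added illustration in Python, not code from CASO, Documentum or ODA: the class names, the privilege names, the users, groups and document identifiers are all constructed for the example, and the ordering of the three checks follows the description above. It also records one audit entry per decision, of the kind the "Audit trails" section says the logs must capture before compliance reports can be produced.

```python
"""Hypothetical layered access check: application (library) membership,
then functional privileges, then document-level include/exclude lists.
Illustrative only; not CASO, Documentum or ODA code."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Principal:
    """A user plus the groups that user belongs to (constructed example data)."""
    user: str
    groups: FrozenSet[str] = frozenset()

    def names(self) -> FrozenSet[str]:
        # A rule may name the user directly or any group the user is in.
        return self.groups | {self.user}


@dataclass
class Document:
    """A document stored in one application (library)."""
    doc_id: str
    application: str
    # Document-level security (DLS): an inclusive list restricts the document to
    # the principals named; an exclusive list denies the principals named even
    # when they hold every other privilege.
    include: Optional[Set[str]] = None
    exclude: Set[str] = field(default_factory=set)


class AccessPolicy:
    def __init__(self) -> None:
        self.app_members: Dict[str, Set[str]] = {}              # application -> principals
        self.privileges: Dict[Tuple[str, str], Set[str]] = {}   # (application, principal) -> functions
        self.audit: List[Dict[str, str]] = []                   # one entry per decision

    def grant_application(self, app: str, principal: str) -> None:
        self.app_members.setdefault(app, set()).add(principal)

    def grant_privileges(self, app: str, principal: str, *functions: str) -> None:
        self.privileges.setdefault((app, principal), set()).update(functions)

    def _record(self, who: Principal, action: str, doc: Document,
                allowed: bool, reason: str) -> Tuple[bool, str]:
        # Every decision, allowed or denied, is logged with the reason.
        self.audit.append({"user": who.user, "action": action, "doc": doc.doc_id,
                           "result": "allow" if allowed else "deny", "reason": reason})
        return allowed, reason

    def decide(self, who: Principal, action: str, doc: Document) -> Tuple[bool, str]:
        names = who.names()
        # 1. Application level: the principal must have access to the library.
        if not names & self.app_members.get(doc.application, set()):
            return self._record(who, action, doc, False, "no access to application")
        # 2. Functional level: union of functions granted to the user or any group.
        held: Set[str] = set()
        for n in names:
            held |= self.privileges.get((doc.application, n), set())
        if action not in held:
            return self._record(who, action, doc, False, f"function '{action}' not granted")
        # 3. Document level: an exclusion overrides every privilege held above,
        #    and an include list limits the document to the principals it names.
        if names & doc.exclude:
            return self._record(who, action, doc, False, "excluded at document level")
        if doc.include is not None and not names & doc.include:
            return self._record(who, action, doc, False, "not on document include list")
        return self._record(who, action, doc, True, "allowed")


def run_demo() -> Tuple[Dict[str, bool], List[Dict[str, str]]]:
    """Constructed users, groups and documents; returns each decision and the audit log."""
    policy = AccessPolicy()
    policy.grant_application("Radiology", "radiologists")
    policy.grant_privileges("Radiology", "radiologists", "view", "annotate")
    policy.grant_privileges("Radiology", "dr_chen", "delete")   # extra function for one user
    policy.grant_application("Billing", "billing")
    policy.grant_privileges("Billing", "billing", "view")

    dr_lee = Principal("dr_lee", frozenset({"radiologists"}))
    dr_chen = Principal("dr_chen", frozenset({"radiologists"}))
    clerk = Principal("clerk", frozenset({"billing"}))

    img_001 = Document("img-001", "Radiology")
    img_002 = Document("img-002", "Radiology", include={"dr_chen"})   # inclusive DLS
    img_003 = Document("img-003", "Radiology", exclude={"dr_lee"})    # exclusive DLS

    results = {
        "lee_view_001": policy.decide(dr_lee, "view", img_001)[0],
        "lee_delete_001": policy.decide(dr_lee, "delete", img_001)[0],
        "chen_delete_001": policy.decide(dr_chen, "delete", img_001)[0],
        "clerk_view_001": policy.decide(clerk, "view", img_001)[0],
        "lee_view_002": policy.decide(dr_lee, "view", img_002)[0],
        "chen_view_002": policy.decide(dr_chen, "view", img_002)[0],
        "lee_view_003": policy.decide(dr_lee, "view", img_003)[0],
        "chen_view_003": policy.decide(dr_chen, "view", img_003)[0],
    }
    return results, policy.audit


if __name__ == "__main__":
    decisions, log = run_demo()
    for entry in log:
        print(entry)
```

The point worth noticing is the order of the checks: a denial at the application or functional level never reaches the document rule, while an exclusion at the document level denies a user who passed both earlier checks, which is exactly the "even with other privileges" behaviour the DLS description promises. Logging the reason alongside the result is what later makes an access report answer "who was denied what, and why" rather than only "who saw what".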

Data Retention:

HIPAA is specific about retention of the documentation it requires: under §164.316(b)(2)(i), required documentation must be retained for six years from its creation or the date it was last in effect, whichever is later (retention periods for the medical records themselves are generally set by state law). CASO's use of DiskXtender's standard functionality, implemented as the storage and archival component for ApplicationXtender, fully meets these retention requirements.

Backup and Disaster Recovery:

As outlined above, healthcare organizations are required to have disaster recovery and contingency plans in place. A solid backup and recovery strategy is a key component of disaster recovery, and one that CASO can address. More extensive disaster recovery plans might also include remote mirroring, offline media management or vaulting.


How can CASO help keep you in compliance?

Our opportunity to serve the healthcare industry is manifold.

CASO provides enterprise-level and individual-office-level disaster recovery services in support of HIPAA compliance, because CASO products are both scalable and easy to maintain. Many healthcare offices have only rudimentary, heterogeneous or outdated IS environments; in such settings, CASO software supports compliance and provides a pathway to the future.

CASO software reports on HIPAA compliance for the security, privacy and access of patient information, and so can be an ideal solution for healthcare organizations of any size, from clinics to integrated care delivery networks. Add-on capabilities provided by partners can streamline compliance reporting.

Hospitals, healthcare industry service providers and others implementing HIPAA-compliant records management solutions still need organized Content Management for the portions of their operations that are not affected by HIPAA compliance requirements, such as materials management, receivables, human resources and other operational functions. Implementing CASO's solutions in these areas can deliver direct benefit to the healthcare organization's bottom line.