When HIPAA was signed into law in 1996, one of its stated goals was to modernize and streamline access to medical records. Since then, document scanning has evolved from faxing a copy of a paper document to today's optical character recognition (OCR) scanners that can almost eliminate the need for paper or film records.
Document scanning has made the process more straightforward, but healthcare companies and others subject to HIPAA regulations must consider more than convenience. What should you look for in HIPAA compliant document scanning?
HIPAA Compliant Document Scanning – The Basics
How an organization manages patients’ protected health information (PHI), both in physical and electronic (ePHI) formats, is the core of HIPAA compliance. HIPAA rules and regulations require the same standards of privacy and security for PHI in any form: whether files are in paper or electronic format and whether they are stored in filing cabinets, hard drives, server farms, or mobile computing devices.
How you protect that information varies widely with its format, but the obligation does not. HIPAA compliance is a pass/fail exercise; there is no partial credit. The Security Rule requires covered entities and business associates to conduct an accurate and thorough risk analysis of the threats to the confidentiality, integrity, and availability of ePHI, repeated periodically (annually is the common practice) and whenever systems or processes change, to identify gaps in compliance.
Part of that risk analysis is an inventory and audit of every device and system used to store, process, or transmit ePHI, including scanners and multifunction printers that retain images on internal storage. The Security Rule also sets minimum administrative, physical, and technical safeguards that apply to all of them.
The HIPAA Privacy Rule governs the permitted uses and disclosures of PHI in any form, including the minimum-necessary standard for workforce access and the handling of incidental disclosures. All of the guidelines and standards of HIPAA must be met to achieve compliance.
HIPAA Compliant Document Sharing – Things to Remember
Scanning allows HIPAA compliant document sharing without the need to ship boxes of paper records. Effectively protecting PHI requires more than simply scanning and shredding documents. If your organization is audited by investigators from the Department of Health and Human Services Office for Civil Rights, you must be able to demonstrate what happened to patient PHI before, during, and after the scanning process.
Here are five things that must be considered anytime you want to complete a HIPAA compliant document sharing project successfully.
- Maintain Audit Trails
HIPAA is as much about what you can prove as what you do. When PHI is part of a document scanning project, you must know where the data is and who has access to it at all times. The scanning company or your facility should record who has handled, viewed, or modified every document containing PHI, and the record should be one that a careless or malicious user cannot quietly alter. The same audit trails should be built into your record storage and retrieval system so that employee access after the project is completed is logged too.
- Physical Security
Countless HIPAA fines have been assessed because of lapses in the physical security of patient records containing PHI and ePHI. Security measures range from keeping paper records and scanned media locked away properly to requiring proper credentials to enter the scanning area and to access the data.
- Data Security
The HIPAA Security Rule sets administrative, physical, and technical safeguards for ePHI. It is technology-neutral, so it does not name products, but firewalls, continuous network monitoring, encryption of ePHI at rest and in transit, and endpoint protection are the accepted baseline for meeting its access control, integrity, and transmission security standards. Encryption is an "addressable" specification: you must either implement it or document why an equivalent alternative is reasonable and appropriate. Multi-factor authentication on every account that can reach ePHI is not named in the current rule text, but it is a zero-trust measure that should be treated as a minimum requirement all the same.
- Document Recovery
Disasters happen. Whether natural or man-made, an effective document recovery plan is the difference between minutes of downtime and months of rebuilding information. Everyone entrusted with PHI should have practical and realistic disaster recovery plans in place, backed by tested, encrypted backups of the scanned records.
- Background Checks
PHI is one of the most targeted and trafficked types of information among cybercriminals. Because of the wealth of information contained in PHI, any employee who will have access to this data should go through a thorough background check before that access is granted.
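As an added example (not code from the original article or from Compliancy Group), the following Python sketches one way to make the audit trail described above tamper-evident: every entry carries a SHA-256 fingerprint of the scanned file plus an HMAC that chains it to the previous entry, so altering or deleting any earlier entry is detected by `verify()`. The document IDs, actor names, HMAC key, and the sample scan bytes are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample scan; in a real deployment this is the bytes of the scanned page.
SAMPLE_SCAN = b"%PDF-1.4 constructed sample scan of a patient intake form"


def fingerprint(document_bytes: bytes) -> str:
    """SHA-256 of the scanned file, so the log proves which exact file was handled."""
    return hashlib.sha256(document_bytes).hexdigest()


class AuditTrail:
    """Append-only, hash-chained log of who did what to a scanned document.

    Each entry is keyed (HMAC) with a secret held by the log owner and commits
    to the previous entry's hash, so editing or deleting an earlier entry
    invalidates every entry after it, and an attacker who can rewrite the log
    file cannot simply recompute the chain without the key.
    Assumed design for illustration, not from the original page.
    """

    GENESIS = "0" * 64  # hash "before" the first entry

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _entry_hash(self, entry: dict, prev_hash: str) -> str:
        # Canonical JSON so the same entry always hashes the same way.
        payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, prev_hash.encode() + payload, hashlib.sha256).hexdigest()

    def record(self, actor: str, action: str, doc_id: str, document_bytes: bytes, at=None):
        entry = {
            "seq": len(self.entries),  # position in the chain; catches deletions
            "at": (at or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "action": action,
            "doc_id": doc_id,
            "doc_sha256": fingerprint(document_bytes),
        }
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry["hash"] = self._entry_hash(entry, prev)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Walk the chain; return (True, None) or (False, index of first bad entry)."""
        prev = self.GENESIS
        for i, stored in enumerate(self.entries):
            body = {k: v for k, v in stored.items() if k != "hash"}
            if body.get("seq") != i or self._entry_hash(body, prev) != stored["hash"]:
                return False, i
            prev = stored["hash"]
        return True, None


def who_touched(trail: AuditTrail, doc_id: str):
    """The question an OCR investigator asks: who handled this record, and how?"""
    return [(e["actor"], e["action"]) for e in trail.entries if e["doc_id"] == doc_id]


def demo():
    """Record a scanning workflow, then show that a quiet edit is caught."""
    key = b"constructed-demo-key-keep-the-real-one-in-a-kms"
    trail = AuditTrail(key)
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)  # fixed time for a reproducible demo
    trail.record("scan-operator-01", "scanned", "MRN-000123/intake", SAMPLE_SCAN, t0)
    trail.record("scan-operator-01", "qa-viewed", "MRN-000123/intake", SAMPLE_SCAN, t0)
    trail.record("dr-smith", "viewed", "MRN-000123/intake", SAMPLE_SCAN, t0)
    trail.record("records-clerk", "shredded-paper-original", "MRN-000123/intake", SAMPLE_SCAN, t0)
    ok_before, _ = trail.verify()
    # An insider tries to erase the evidence that dr-smith viewed the record.
    trail.entries[2]["actor"] = "nobody"
    ok_after, bad_index = trail.verify()
    return ok_before, ok_after, bad_index


if __name__ == "__main__":
    print(demo())
```

In production the key lives in a KMS or HSM rather than in the process that writes the log, and entries are appended to write-once storage; the point is that the audit trail becomes something you can prove to an investigator rather than something you merely assert.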
HIPAA Compliant Document Scanning – The Mobile Morass
A few years ago, scanning documents required dedicated machines wired into your computer networks. Today, even the most basic smartphones and tablets have the ability to scan documents on the go.
President Bill Clinton signed the Health Insurance Portability and Accountability Act into law in 1996. At that time, there were only around 44 million active mobile phones, all of which were limited to voice and text messaging. Laptop computers were expensive ($3,000+) and limited, having just introduced an innovation called the “trackpad” to eliminate the need for an external mouse.
Since then, mobile device use has grown exponentially. It is estimated that there are more than 285 million smartphones in use in the U.S. today, any of which would run circles around the laptops from 1996. Add to that nearly 245 million laptops in use, and mobile devices are now ubiquitous in businesses, homes, and the general culture.
A doctor can snap a photo of notes, x-rays, or other data and have it scanned straight into a patient's record. Before that happens, one must be confident that the app being used is HIPAA compliant. Many scanning apps on the various app stores make no provision for HIPAA at all: they save the image to the device's shared camera roll, sync it to a personal cloud backup, or upload it to the vendor's servers for OCR without the vendor having signed a business associate agreement. Any of those steps puts ePHI outside the covered entity's control, would violate HIPAA rules, and could result in a substantial fine or settlement.
HIPAA Compliant Document Scanning – Final Thoughts
Whether you’re looking for HIPAA compliant mobile scanning or traditional scanning services, you don’t have to go it alone. Compliancy Group’s automated compliance solution can help your organization establish a culture of compliance that will eliminate the worry around fulfilling the requirements of HIPAA.