June 14, 2004

Document Management to the Rescue

In today’s increasingly complex medical records environment, document management has proved to be a challenge. The Health Insurance Portability and Accountability Act (HIPAA), the Joint Commission on Accreditation of Healthcare Organizations (JCAHO), and other medical regulatory statutes and agencies require specific record keeping and maintenance. The overwhelming amount of paper records and different information management systems are huge barriers to full compliance with HIPAA and other regulations.

Document management has become so much easier and more efficient today with the help of specialized software that helps medical organizations comply with the various dos and don’ts. Document management software creates a secure archive of patient information, including paper-based documents, forms, and medical images. Perhaps most importantly, it also includes an audit trail feature to ensure patient privacy. Built-in security safeguards enable only certain users to access patient records.

HIPAA requires detailed audit records about the document source, document access privileges, log-on and log-off times, functions performed, and how the document left the system (either by deletion or transfer). Attempted retrieval and other security violations are also recorded. Audit logs cannot be modified and can be saved indefinitely.

“Each regulation has its own individual requirements, and each can create major headaches,” states Michael Hayworth, director of vertical solutions at Stellent, Inc. in Eden Prairie, Minn. “The common theme is that you need to be able to manage your documents in a way that allows you to determine who can access them. The insurance companies want to be able to disseminate records to various locations and need to be sure that only authorized persons have access to them.”

Without a document management strategy in place, retrieval and compilation of this disparate information is costly and time-consuming.
For example, one organization that receives more than 900 requests per month must pay up to $50 per request (or $45,000 per month) just to retrieve the information from multiple departments.

The overwhelming amount of paper-based information and the problem of disparate information management systems are huge barriers to 1) increasing patient safety while improving the quality of patient care, 2) increasing profitability and improving cash flow, and 3) fully complying with HIPAA—and doing it all at the same time. A document management strategy can help organizations break through the barriers and achieve these objectives in a reasonable time frame.1

Records Management Implications of HIPAA

Organizations must proactively safeguard individually identifiable health and healthcare-related information. Use and disclosure of protected health information is permitted for treatment, payment, and healthcare operations. Without explicit written permission from the individual, it is prohibited for all other purposes.

Organizations must implement policies and procedures related to information access to identify members of the workforce who need access to protected health information to carry out their duties; identify the categories of protected health information to which the above workforce members need access as well as the conditions for access; and limit access to only the identified workforce members and required information.

According to HIPAA regulations, organizations must also implement policies and procedures related to information disclosure for routine, recurring disclosures—disclosing only the “minimum necessary” amount of protected health information needed to reasonably achieve the purpose of the disclosure. For nonroutine disclosures, they must develop reasonable criteria for determining—and limiting the disclosure to—only the minimum amount of protected health information necessary to accomplish the purpose of the disclosure and establish and implement procedures for reviewing such requests on an individual basis in accordance with the criteria.

Under HIPAA, organizations are required to obtain an individual’s written consent to use and disclose protected information for the following primary purposes: marketing, fund-raising, and underwriting.

Organizations must implement policies and procedures related to the use and disclosure of protected information to reasonably verify the identity and authority of the information requestor when the organization does not know the person requesting the protected health information. This should include taking reasonable steps to verify that the request is lawful.
HIPAA’s privacy rule may be preempted by state law if the state law is more restrictive or stringent.

All Record Formats Managed

Document management companies’ climate-controlled, secure records centers should be configured to comply with JCAHO and other regulatory guidelines. Before selecting a document management software provider, make sure the provider’s services are backed by RHIAs and RHITs, credentialed professionals who have extensive training in and knowledge of the unique aspects of healthcare records management.

A request for information in a HIPAA-controlled environment may result in multiple requests for documents and information from several departments or even off-site locations, all to be supplied in a given time frame. The status of the request’s completion must be monitored by the requestor for timely completion to present the full response to the requestor. Document request management enables the generation and completion of the request in a singular, straight-line processing or multithread concurrent processing by several departments. The status will be tracked and completion notification sent to the requestor.

Document Security

“All of our clinical results are retrievable on handheld and desktops,” says Jeff Sutherland, PhD, chief technical officer, Patient Keeper, Brighton, Mass. “There is much tighter security and encryption processes on handheld PDAs and desktop systems. We [Patient Keeper] support all Palm PDAs, Palm OS, and pocket PCs.”

Handheld PDAs can increase medical record security because they are portable and always with the physician or other medical personnel. They provide instant and easy access to patient records and are thus more efficient than paper records, which are not always accessible or easily located. Most document management software is compatible with the common PDAs.
According to Hayworth, document management software allows the owner to set rules on who has access to view different documents, where the documents can be delivered (electronically), and whether or not potential document users and viewers have met any specific requirement parameters that have been established.

“The challenge facing healthcare providers is straightforward: provide optimum levels of service and quality while operating as cost efficiently as possible,” explains Mark T. Rempe, Iron Mountain’s vice president of healthcare information systems. “It’s a mission-critical challenge further complicated by the need to optimize your real estate usage, ensure accessibility of healthcare records, and fully comply with a growing number of regulations. What’s more, data volumes, particularly volumes of electronic data, are growing exponentially as more clinical and diagnostic tools that store information become available. We understand the confidentiality issues, the need for accuracy, and the paramount requirement for speed.”

E-mail can be problematic, according to Hayworth, in that it is used to disseminate information across a limitless geographic area. Strict security precautions and encryption are required to limit access to medical case files that are sent from one location to another via e-mail (eg, a healthcare organization to a medical insurance provider for review). Stellent’s document management software and others can ensure that e-mail is secure and its security requirements and levels are in compliance with all appropriate regulations.

“Our qualified professionals can operate at a client’s offices and help with their facilities’ correspondence while adhering to and alerting your staff to the latest developments in state and federal laws,” says Rempe. “With Iron Mountain’s assistance with release of information [ROI] requests, clients can reduce costs, reduce red tape, and save time. Our correspondence representatives are knowledgeable professionals fully trained in all aspects of ROI. They understand the confidentiality and sensitivity of this information.”

Healthcare Records Management

“Iron Mountain ensures that files are secure and accessible for rapid retrieval and delivery—24 hours a day, seven days a week,” Rempe explains. “We’ll also work with clients to assist them in meeting compliance requirements with the latest federal and state regulations on healthcare records retention and release. We use an open-shelf filing system that adapts to the terminal digit filing system clients use for their medical records.”

Healthcare institutions also have a responsibility to protect the privacy of patient information after it is no longer needed. HIPAA regulations and other guidelines govern the disposal of confidential patient files. Corporate espionage and employee confidentiality issues are also a concern for nonpatient documents and records, according to Rempe. Many healthcare institutions rely on document management companies to completely and confidentially destroy their sensitive records, files, documents, and disks.

A Satisfied Customer

“We maintain all of our HIPAA documents online, and the software helps us restrict access as required,” explains Brad Lindberg, Washoe Health System’s systems administrator. “It also allows us to keep our HIPAA policies updated and helps us keep our system paperless. The software can generate automated e-mails and keep track of whose e-mails have been sent to whom and what revisions or approvals they’ve made to any e-mail documents.”

Washoe examined three different software systems before purchasing one from Stellent. The health system’s main criteria were that the software would audit workflow, enable employees to log onto an intranet site to search policies and procedures, and retrieve documents at any time.

“Most organizations are moving toward complete electronic records,” says Hayworth.
“The [document management] software gives you the flexibility to meet the various healthcare rules and regulations and standards from HIPAA and JCAHO, along with insurance and legal requirements. We design our software to implement business rules and we work with clients to install and configure their business rules.”

Careful Planning Needed

— Laura Gater’s medical and business trade articles have been published in Medical Imaging, 24x7, Podiatry Management, Veterinary Forum, Corrections Forum, and other national and online publications.

Reference