Workflow Technology and HIPAA Compliance: Challenges and Best Practices
By Dan Waldinger
Health care is continually challenged with properly managing information. Because it has traditionally operated in a paper-intensive environment, that struggle continues, even while most providers have begun to actively transition to EHR systems. While work is being done to ensure that EHR systems are better able to "talk" to each other and to other health information systems, the day-to-day experience of many health care organizations is still rooted in paper and in the need to print, copy, scan, and fax innumerable paper documents.
Because virtually all health care organizations use electronic transactions of one form or another (eg, billing and payment) even their paper records are subject to the HIPAA privacy and security rules. If health care organizations aren't careful with how they use these office devices, the risk of noncompliance can greatly increase. As a result, it is incumbent upon health care providers—regardless of size—to institute sound data-handling practices.
To ensure compliance with HIPAA (and other data privacy and security rules), health care organizations must implement policies and procedures tailored to the work that they do as well as to the size of their organization. HIPAA is not a one-size-fits-all regulatory regime, and best practices for data privacy and security programs demand attention to the specific operating environment of each and every health care provider.
Once an organization has its policies and procedures in place, it must conduct a risk assessment and repeat it annually (or even more frequently if it changes any of its hardware, software, or other controls). This includes taking an inventory of assets that may be related to health data—including office equipment such as scanners, printers, fax machines, and copiers—to identify both the breach potential inherent in those pieces of equipment and their related software tools, and the steps taken to minimize the likelihood of a data breach. At the same time, a health care organization should also be thinking about how to ensure data integrity.
Maintaining good data "hygiene" with paper records and files is made easier when one has access to user-friendly, compliant software and equipment, with workflows implemented to take full advantage of their technical capabilities. Knowledgeable solution providers can work with you and your team to acquire and integrate the hardware and software necessary to ensure the best practices described above. Some examples of this include the following:
• Locking individual machine functions by user (specifically features such as print, copy, scan, fax send, fax receive, and personal computer fax). This control specifically limits the ability of unauthorized users to share data inappropriately. The "key" can be a near field communication-enabled device, a swipe card, or an individual key code.
• Allowing a user to password-protect print jobs to secure a document until that user enters a personal identification number via the machine's control panel. (This prevents sensitive documents from sitting unattended in the output trays of shared printers.)
• Scanning sensitive or confidential documents to a secure file transfer protocol site, securing information as soon as it is scanned.
• Ensuring that all faxes are received into memory and cannot be printed without a password.
• Preventing unauthorized users from sending faxes, limiting the potential for inappropriate sharing of personal health information.
• Enabling secure faxing and fax forwarding to help maintain patient confidentiality.
• Designing equipment to support facedown printing and faxing, which guards against inadvertent unauthorized document viewing.
• Bypassing hard-copy printouts by using a personal computer-to-fax or "e-fax" function.
• Relaying faxes to clinicians on the go with fax forwarding, which improves their efficiency and reduces potential data breaches related to fax printouts.
• Scanning integration with some EHR systems.
The key principle that binds these functionalities together is the minimization of exposure of protected health information to anyone but the personnel who have a need to know. This approach, informed by the regulatory environment and underpinned by the hardware and software capabilities of compliant information systems, enables the workflows needed to provide care while maintaining compliance with required data privacy and security policies. The end result is a more efficient use of copiers and printers, with significantly reduced risk created by noncompliance.
— Dan Waldinger is director of services and solutions marketing for Brother International Corporation, which provides resources, self-assessment tools, and solutions to help midsized health care organizations reduce document-related costs and increase efficiencies. With more than 25 years of industry experience, Waldinger leads the Brother initiative ThinkOptimize.