Best Practices Guide
Healthcare
Healthcare institutions are moving rapidly to adopt Electronic
Medical Records (EMR). Central to this effort is document
conversion — the scanning of new and existing records to
digital format.
However, document conversion involves much more than
scanning. Indeed, it touches on all aspects of records
management and HIPAA compliance, affecting paper and film
management, digital storage and archiving, and the transport
and transmission of patient information throughout a
healthcare facility.
Iron Mountain is the partner that can help you meet this
challenge. Our Document Conversion Services are part of a
total Iron Mountain EMR Enablement Solution designed to help
you move smoothly and in full compliance to a digital world.
Iron Mountain Document Conversion Services offer the
compliant solution you need to simplify and accelerate your
transition to the EMR.
Contents
EMR Transition: The Growing Importance of Document Conversion
The Value of Choosing a Compliant Partner for Document Conversion
Iron Mountain Document Conversion Services: Part of a Total EMR Enablement Solution
End-to-End Compliance
Conclusion
800 899 IRON (4766) / ironmountain.com 1
Iron Mountain Document Conversion Services
The HIPAA-Compliant Approach to EMR Transition
HIPAA PRIMER SERIES
Healthcare providers are faced with
daunting information challenges: Meeting
the new HIPAA regulations, achieving
best practices, and moving forward with
continuous improvement through the
transition to the EMR and beyond.
Meeting these challenges will require
transformational approaches, especially
in terms of document conversion.
Healthcare organizations are moving rapidly to digitize new
and existing patient records and films — to reduce costs,
improve efficiency, enhance patient care and meet the
government’s goals of adopting Electronic Medical Records.
While the EMR promises great benefits — such as quickly
and effectively providing access to the right records
throughout the treatment cycle and across a health
system — it also poses great challenges, especially in the
area of compliance. As hospitals transition from a paper to
digital environment, records are often maintained in a
hybrid state with complex workflows. Information is stored
in both digital and physical formats, as well as multiple
storage facilities, forcing providers to search across
various silos of information to find a single, complete
patient record. In order to overcome this information
management challenge, paper records and film should be
scanned, converted to digital, and managed throughout
the process in a manner that is secure, compliant and
cost-effective.
In short, HIPAA compliance plays a critical role in document
conversion and the transition to electronic records.
What the Law Requires
The HIPAA Privacy Rule requires establishing and
implementing measures to ensure the confidentiality,
integrity and availability of all Protected Health
Information (PHI), while the Security Rule addresses
safeguards specific to security of electronic data or ePHI.
Who must comply. Health plans, healthcare
clearinghouses, healthcare providers (also known as
“Covered Entities”), and business associates to whom
they provide health information.
What it covers. PHI includes any information about
health condition, treatment or payment for care that
can be related to an individual. The term is a broad one
and generally includes all information contained in a
patient’s medical record and payment history.
What the penalties are. The government has ramped
up enforcement and penalties related to the protection
of patient information. Penalties can reach a maximum
of $1.5 million annually per type of violation. On the
enforcement side, state attorneys general, in addition
to the Department of Health and Human Services
(HHS), have been given authority to prosecute HIPAA
violations. In the future, we can expect the following:
1. Any civil monetary penalties recovered by HHS will
be used for their future enforcement efforts.
2. Individuals harmed by a violation may receive a
percentage of the penalties, thus encouraging both
patients and authorities to report violations.
EMR Transition: The Growing Importance of Document Conversion
Not only is it important that your
institution be compliant, but HIPAA
now requires your third-party partner
be compliant as well. Choosing a
partner that understands the broader
issues will enable you to maintain
HIPAA compliance and keep pace with
emerging government initiatives.
Choosing a Compliant Partner for Document Conversion
Document conversion, by itself, is a straightforward
process. Documents are scanned into a digital format and
transmitted directly into your EMR system. But the
conversion process raises many complex issues related
to compliance and the transition to the EMR.
For example:
— How will you manage the redundancies and
inconsistencies common in paper-based legacy systems?
— How will you design, implement and control the
complex workflows of a hybrid environment?
— How will you store electronic records in a way that
makes them accessible, compliant and affordable?
— Will you be able to maintain retention and destruction
schedules that meet regulations and your own
requirements so you store only the records you need to
store, whether paper or digital?
Document conversion is at the nexus of HIPAA compliance,
where paper and electronic records converge. Thus,
hospitals must choose a document conversion partner that
understands the broader issues. Such a partner will not
only help you convert documents cost-effectively, but will
also enable you to efficiently move to the EMR while
maintaining HIPAA compliance and keeping pace with
emerging government initiatives like the American
Recovery and Reinvestment Act (ARRA).
Document conversion, along with the move to the EMR, is
a daunting challenge, but with the right partner you will be
able to reap long-term benefits for your organization and
your patients.
As a core component of the Iron
Mountain EMR Enablement Solution,
our Document Conversion Services
digitize paper records and film in a
manner that is secure, compliant and
cost-effective, to help you accelerate
your transition and begin realizing
the full benefits of your system.
At Iron Mountain we understand the challenges and opportunities inherent in
the EMR transition process. That’s why the Iron Mountain EMR Enablement
Solution provides a holistic approach to transition. We leverage a combination
of specialized imaging programs, data backup and archiving services and secure
records storage to build a customized solution that helps you efficiently manage
information in the hybrid environment and accelerate your migration to the EMR.
At the core of this solution are our Document Conversion Services, which
integrate seamlessly with your existing systems and processes to help you
cost-effectively convert your paper records and films to electronic format.
Our Document Conversion Services provide:
— Capabilities that align with relevant HIPAA guidelines.
— A large footprint of secure local and regional Record Centers.
— The experience and best practices gained from scanning over 10 million pages
per month at our more than 110 Imaging Centers.
— Highly trained personnel.
— High-speed scanners and industry-leading software for fast conversion and
high-quality images.
— Direct integration with major EMR systems or delivery via a secure FTP site.
— Secure, offsite archiving and backup for storing electronic patient data.
— A documented chain of custody that ensures patient records are protected
throughout the entire process.
Iron Mountain Document Conversion Services: Part of a Total EMR Enablement Solution
Stay in Control with Iron Mountain Connect™
As a service to our customers,
we provide Iron Mountain
Connect. This highly secure
Web-based system offers you
access to the tools and
applications you need to easily
and cost-effectively manage
your document conversion and
other records activities.
With Iron Mountain Connect,
you can:
— Quickly locate physical records
in the hybrid environment.
— Easily schedule documents
for conversion.
— Consistently manage the
retention and destruction of
physical records.
— Assign employee
authorization levels and
monitor access.
Paper Document Scanning
We work with you to build a compliant, cost-effective
digital workflow, allowing you to select any combination
of our imaging options to meet your operational and
regulatory needs.
Day-Forward Conversion. Even after you establish an
EMR solution, certain records will continue to be created
on paper. You will need a compliant solution for converting
these documents to electronic format as soon as possible
and integrating them into the record. Day-Forward Conversion
helps you build a workflow that seamlessly puts your
organization’s newest records into an electronic format. Our
experts work closely with your staff to define a plan for
automatically digitizing records not created electronically
from a designated date onward — helping you establish a
convenient, cost-effective way to streamline processes and
minimize future storage requirements and costs.
Image on Demand™. The Iron Mountain Image on
Demand service gives you the flexibility to digitize only
what you need, when you need it, and deliver it in a timely
manner. Image on Demand enables you to selectively
convert only the portions of the patient record required for
clinical care, encrypted for secure transmission to the EMR
system and avoiding the costs typically associated with a
large-scale conversion initiative.
Backfile Conversion. Iron Mountain can help you establish
a fast, efficient process for the bulk conversion of paper
records to electronic format. Our Backfile Conversion
process employs a project-based approach focusing on
converting a specific subset of your existing records — such
as those generated within the last year only — enabling
you to rapidly populate your EMR system, while keeping
costs under control.
Film Digitization
To help our healthcare partners move to a fully digital
environment, Iron Mountain also provides full scanning and
digitization services for our radiology customers.
X-ray on Demand. Iron Mountain X-ray on Demand
provides a scanning and digitization service for radiology
customers storing analog films with Iron Mountain. When
an x-ray study is requested, we retrieve, digitize and then
convert the film to a standard format. It is then indexed,
encrypted for security, and sent to your PACS or a quality
control station.
X-ray on Demand lowers total cost of ownership and
enables a healthcare provider to proactively plan for
managing historical radiology records as an integral part
of the conversion to a fully filmless radiology environment.
Whatever Iron Mountain Document Conversion Service
you choose, you can feel confident your information will
remain highly protected yet readily accessible throughout
the conversion process. Our holistic approach not only
helps you cost-effectively convert your documents but
also offers you access to the data backup and archiving
solutions necessary to ensure that, once created, your
electronic data is fully protected and preserved.
The Bottom Line:
Iron Mountain ensures our
Document Conversion Services are
compliant with HIPAA regulations,
so you can be compliant too.
Iron Mountain has established proven workflows for document conversion based
on best practices, and we apply these workflows consistently throughout our
operations. We operate Imaging Centers across the country, which are staffed
by trained personnel and equipped with the latest technologies, security
systems, and careful monitoring of every action and process.
The bottom line is, we make sure our Document Conversion Services are
compliant with HIPAA regulations, so you can be compliant too.
Key Requirements of the HIPAA Privacy and Security Rules
The HIPAA Privacy Rule is intended to ensure that Protected Health Information
is not used or disclosed inappropriately or without the patient’s permission. The
Security Rule is specifically designed to protect PHI that is used and stored
electronically. Both aspects of the rule apply to document conversion. HIPAA
rules cover three broad areas of activities:
— Administrative safeguards. Operational processes and procedures, such as
training, workflow, and the release of information, to ensure information is
always handled according to policy. This section of HIPAA also requires a
contingency plan, also known as a disaster recovery plan.
— Physical safeguards. Physical controls, such as locks, access to keys and
supervision, to protect against unauthorized physical access.
— Technical safeguards. Data-related information systems and associated
controls, such as database security, network protection and user authorizations
and passwords, to protect data from software intrusions and attacks.
Iron Mountain Document Conversion Services: End-to-End Compliance
Administrative Safeguards
HIPAA requires that PHI and ePHI be protected and secured throughout all
stages of document conversion. This means documented procedures for
operational processes such as training, workflow and contingency planning must
be put in place to ensure that information is always handled according to policy.
Iron Mountain meets this requirement, and helps you meet it, in several ways.
Access and uses. Iron Mountain uses and discloses PHI only for the purpose of
delivering our services in response to requests from our customers, as required
under HIPAA. To make sure this happens, we:
— Physically restrict access to customer PHI during transit, conversion and storage
of both the original paper documents and the converted electronic records.
— Electronically track and maintain an auditable log of all tasks and
operations performed.
— Provide you with tools to manage how your employees access digital records
through Iron Mountain Connect.
Privacy Policies and Procedures. Iron Mountain has established standard
operating procedures for our imaging and records conversion processes, and
these procedures are uniformly applied at each of our Imaging Centers. Our
staff is trained on our document imaging procedures, and adherence is verified
through regular site inspections.
Workforce training and management. HIPAA requires training of workers
who handle PHI. Iron Mountain’s training program for document conversion is
thorough and compliant. Since document conversion invariably involves the
handling of patient information, our Imaging Center staff receives training and
instruction on HIPAA regulations. In addition, our workforce management
procedures include:
— Comprehensive background checks for new hires.
— Comprehensive training specifically addressing HIPAA requirements.
— Code of Conduct and Ethics Training.
Mitigation. In order to achieve and maintain compliance, you must evaluate
the security and compliance of your document conversion program on a regular
basis. Iron Mountain has a team dedicated to monitoring HIPAA requirements
and evaluating our compliance. This team proactively tracks changes to industry
regulations and works with Iron Mountain operations personnel on an ongoing
basis to improve processes, mitigate risks, and ensure continued compliance.
Data safeguards. Processes should be in place to safeguard data at all stages
of document conversion. Iron Mountain maintains data safeguards for records in
our care across all operations and for all personnel. Safeguards include:
— Restricted access to customer PHI throughout transit, scanning, storage
and disposal.
— Monitoring and tracking of all activities.
— Highly secure, best-in-class facilities protected by state-of-the-art
security systems.
Document Conversion Compliance Checklist
HIPAA regulations now require your business associates, as well as your own
institution, to be compliant. Iron Mountain maintains the following policies
and procedures to promote compliance.
Administrative
— Fully documented chain of custody
— Policy of accessing and retrieving only the minimum information needed to
perform a specific job or task
— Written protocols and training for handling Protected Health Information
— Documenting and monitoring workflows
— Web software to help you manage and track records-related activities
— Audit trail and documentation of physical and electronic disposal policies
and procedures
— Screening of employees using comprehensive background checks
Documentation and record retention. HIPAA requires documentation
that records are protected throughout their lifetime, up to and including their
destruction. Iron Mountain helps you maintain compliance by using Iron Mountain
Connect, which allows you to capture and manage the retention status of your
documents. Once documents have been scanned, original files may be stored
securely at Iron Mountain facilities or destroyed using compliant destruction
processes, which include multiple sign-offs, audited chain of custody and a
Certificate of Destruction.
Contingency plan. Iron Mountain’s contingency planning for Document
Conversion Services includes multiple layers. A minimum of two business
document scanners are installed in each Imaging Center, providing in-center
redundancy and backup capability. In addition, our scanners are under regular
maintenance contracts to help minimize unscheduled downtime.
Furthermore, all of our Imaging Centers utilize highly redundant, centralized
back-end processors. This offers you a high degree of reliability and protection
as it enables each Imaging Center to provide recovery for the other centers in
the event of a disaster. Our Disaster Recovery services offer:
— Centralized management that allows application software and supporting
documentation to be distributed to any site in minutes.
— Standard operating procedures for consistent operations regardless of
physical location.
— Centralized processors that use redundant, fault-tolerant equipment.
— Centralized back-end processors located in an Iron Mountain Data Center that
is 220 feet underground in a geographically stable location; the backup site is
in a similar secure underground location over 500 miles away.
Audit trail. Iron Mountain maintains — and helps you maintain — an auditable
trail of all activities related to document conversion. You always know where
your documents are, whether paper or electronic, and you can produce a variety
of reports to meet both HIPAA requirements and your own administrative policies.
Among the ways we help you meet the auditing requirement:
— Secure Web-based portal providing the ability to track, manage and report on
document conversion and all other aspects of records management.
— All records requests are logged and recorded in Iron Mountain SafeKeeper PLUS®.
— Tracking and logging by Iron Mountain of all tasks and operators.
— Consistent workflows that guide all activities related to scanning and other
records activities.
Document Conversion Compliance Checklist
Physical
— Centralized location or vendor for storage of physical records and
conversion services
— Physical access controls, such as locked facilities and visual monitoring
— Intrusion detection and alarm systems
— Environmental controls, fire detection and suppression systems
— Secure destruction of electronic records in accordance with retention policies
Technical
— Firewall and virus protection
— Secure password protection
— Role-based access rules, so users can access only the software and data to
which they have been granted access
— Unique user IDs to identify and track users
— Monitoring of Iron Mountain employees who log on and gain access to data
— Automated backup of all records at separate locations
— Direct integration with major EMR systems or delivery via a secure FTP site
Physical Requirements
HIPAA requires you and your partners to have controls such as locks, restricted
access to keys, and supervision to ensure computer systems and patient
information are protected from unauthorized physical access. At Iron Mountain,
we’ve developed what we believe are the highest standards for facility security
in the industry. Our facility standards include:
— Placement of facilities outside of high risk areas, with comprehensive risk
assessment processes for all facilities.
— Careful incorporation of physical access controls.
— Advanced fire-suppression controls with both ceiling and in-rack sprinkler systems.
— Intrusion detection systems, monitored by a central station.
— Strictly enforced process controls for the admittance and monitoring of
personnel entering and exiting facilities.
— Mandatory facility audits to enforce accountability and monitor compliance
with standards.
— Geographically separated, world-class underground data centers.
Technical Requirements
HIPAA requires safeguards for data-related information systems and associated
controls, such as database security, network protection and user authorizations
and passwords, which protect ePHI and control access to it. Iron Mountain
employs advanced technical security measures for our role in the storage and
transmission of information. We will also work closely with your IT staff to help
you implement compliant best practices within your own organization.
Our technical safeguards include:
— Firewall and virus protection.
— Secure password protection.
— Role-based access rules, so users can access only the software and data to
which they have been granted access.
— Unique user IDs to identify and track user identity.
— Monitoring of Iron Mountain employees who log on and gain access to data.
— Direct integration with major EMR systems or delivery via a secure FTP site.
In addition, our Document Conversion Services offer additional safeguards to
protect information integrity, such as:
— Centralized scanning for uniform quality across Imaging Centers.
— Automated contrast, brightness and threshold adjustments to optimize
image quality.
— Multi-feed detection to prevent page overlaps and missed images.
— VirtualReScan software, a software option that offers automated color
detection and capture, content-based image rotation, image deskewing, image
despeckling, image cropping, blank page removal, background suppression,
and hole punch fill-in.
Beyond Compliance
Iron Mountain goes beyond compliance.
We employ best practices developed
through our years of experience working
with leading healthcare institutions
around the country. This best-practice
approach ensures all reasonable
measures are taken to protect patient
information, to remain in good standing
with the law, and to promote a positive
image in the community.
The transition to EMR is accelerating, and so is the importance
of document conversion.
As part of the Iron Mountain EMR Enablement Solution, our Document
Conversion Services offer more than just a comprehensive approach to
conversion — we offer the confidence and peace of mind that our solution is
time-tested and compliant. Our Imaging Centers are built on years of best-practice
experience at the country’s leading hospitals. We have a staff trained to
the highest standards and state-of-the-art equipment. With Iron Mountain, you
get the conversion services necessary to accelerate your EMR transition, while
ensuring your information remains securely protected yet readily accessible
throughout the process.
To learn more about our HIPAA-compliant Document Conversion Services for
healthcare, contact us today at 1-800-899-IRON (4766).
Conclusion
About Iron Mountain. Iron Mountain Incorporated (NYSE: IRM) provides information management services that help organizations lower the costs, risks and inefficiencies of managing their physical and digital data. Founded in 1951, Iron Mountain manages billions of information assets, including backup and archival data, electronic records, document imaging, business records, secure shredding, and more, for organizations around the world. Visit the company Web site at www.ironmountain.com for more information.
© 2011 Iron Mountain Incorporated. All rights reserved. Iron Mountain, the design of the mountain, LiveVault, Digital Record Center, SafeKeeper PLUS, Iron Mountain Connect and Image on Demand are trademarks or registered trademarks of Iron Mountain Incorporated in the U.S. and other countries. All other trademarks are the property of their respective owners.
US-HIS-EXT-WP-100510-001
The HIPAA Primer
HIPAA PRIMER SERIES
Our HIPAA Primer Series offers you in-depth insights into the proven best practice policies and
procedures Iron Mountain employs to ensure that our solutions not only meet but exceed
HIPAA requirements.
To learn more about how a specific solution can help you ensure your information remains
highly secure yet readily accessible throughout its lifecycle, check out our other best practice
guides from this series, including:
Iron Mountain Cloud Storage Solutions
HIPAA-Compliant Solutions for Health Information Challenges
Iron Mountain Data Protection Services
Proven, Trusted and HIPAA-Compliant Media Management
Iron Mountain Document Conversion Services
The HIPAA-Compliant Approach to EMR Transition
Iron Mountain Records Management Services
HIPAA-Compliant Solutions That Keep You Compliant
Iron Mountain Release of Information Services
Coming Soon