1 Best Practices Guide HIPAA Primer series HEALTHCARE Iron Mountain Document Conversion Services The HIPAA-compliant approach to EMR transition Contents 3 EMR Transition: The Growing Importance of Document Conversion 5 The Value of Choosing a Compliant Partner for Document Conversion 7 Iron Mountain Document Conversion Services: Part of a Total EMR Enablement Solution 11 End-to-End Compliance 15 Conclusion Healthcare institutions are moving rapidly to adopt Electronic Medical Records (EMR). Central to this effort is document conversion the scanning of new and existing records to digital format. However, document conversion involves much more than scanning. Indeed, it touches on all aspects of records management and HIPAA compliance, affecting paper and film management, digital storage and archiving, and the transport and transmission of patient information throughout a healthcare facility. Iron Mountain is the partner that can help you meet this challenge. Our Document Conversion Services are part of a total Iron Mountain EMR Enablement Solution designed to help you move smoothly and in full compliance to a digital world. Iron Mountain Document Conversion Services offer the compliant solution you need to simplify and accelerate your transition to the EMR IRON (4766) / ironmountain.com 1
2 Healthcare providers are faced with daunting information challenges: Meeting the new HIPAA regulations, achieving best practices, and moving forward with continuous improvement through the transition to the EMR and beyond. Meeting these challenges will require transformational approaches, especially in terms of document conversion.
3 EMR Transition The Growing Importance of Document Conversion Healthcare organizations are moving rapidly to digitize new and existing patient records and films to reduce costs, improve efficiency, enhance patient care and meet the government s goals of adopting Electronic Medical Records. While the EMR promises great benefits such as quickly and effectively providing access to the right records throughout the treatment cycle and across a health system it also poses great challenges, especially in the area of compliance. As hospitals transition from a paper to digital environment, records are often maintained in a hybrid state with complex workflows. Information is stored in both digital and physical formats, as well as multiple storage facilities, forcing providers to search across various silos of information to find a single, complete patient record. In order to overcome this information management challenge, paper records and film should be scanned, converted to digital, and managed throughout the process in a manner that is secure, compliant and cost-effective. In short, HIPAA compliance plays a critical role in document conversion and the transition to electronic records. What the law requires The HIPAA Privacy Rule requires establishing and implementing measures to ensure the confidentiality, integrity and availability of all Protected Health Information (PHI), while the Security Rule addresses safeguards specific to security of electronic data or ephi. Who Must Comply. Health plans, healthcare clearinghouses, healthcare providers (also known as Covered Entities ), and business associates to whom they provide health information. What It Covers. PHI includes any information about health condition, treatment or payment for care that can be related to an individual. The term is a broad one and generally includes all information contained in a patient s medical record and payment history. What the Penalties Are. The government has ramped up enforcement and penalties related to the protection of patient information. Penalties can reach a maximum of $1.5 million annually per type of violation. On the enforcement side, state attorneys general, in addition to the Department of Health and Human Services (HHS), have been given authority to prosecute HIPAA violations. In the future, we can expect the following: 1. Any civil monetary penalties recovered by HHS will be used for their future enforcement efforts. 2. Individuals harmed by a violation may receive a percentage of the penalties, thus encouraging both patients and authorities to report violations. 3
4 Not only is it important that your institution be compliant, but HIPAA now requires your third-party partner be compliant as well. Choosing a partner that understands the broader issues will enable you to maintain HIPAA compliance and keep pace with emerging government initiatives.
5 Choosing a compliant partner for Document Conversion Document conversion, by itself, is a straightforward process. Documents are scanned in a digital format and transmitted directly into your EMR system. But, the conversion process raises many complex issues related to compliance and the transition to the EMR. For example: How will you manage the redundancies and inconsistencies common in paper-based legacy systems? How will you design, implement and control the complex workflows of a hybrid environment? How will you store electronic records in a way that makes them accessible, compliant and affordable? Document conversion is at the nexus of HIPAA compliance, where paper and electronic records converge. Thus, hospitals must choose a document conversion partner that understands the broader issues. Such a partner will not only help you convert documents cost-effectively, but will also enable you to efficiently move to the EMR while maintaining HIPAA compliance and keeping pace with emerging government initiatives like the American Recovery and Reinvestment Act (ARRA). Document conversion, along with the move to the EMR, is a daunting challenge, but with the right partner you will be able to reap long-term benefits for your organization and your patients. Will you be able to maintain retention and destruction schedules that meet regulations and your own requirements so you store only the records you need to store, whether paper or digital? 5
6 As a core component of the Iron Mountain EMR Enablement Solution, our Document Conversion Services digitize paper records and film in a manner that is secure, compliant and cost-effective, to help you accelerate your transition and begin realizing the full benefits of your system.
7 Iron Mountain Document Conversion Services Part of a total EMR enablement solution At Iron Mountain we understand the challenges and opportunities inherent in the EMR transition process. That s why the Iron Mountain EMR Enablement Solution provides a holistic approach to transition. We leverage a combination of specialized imaging programs, data backup and archiving services and secure records storage to build a customized solution that helps you efficiently manage information in the hybrid environment and accelerate your migration to the EMR. At the core of this solution are our Document Conversion Services, which integrate seamlessly with your existing systems and processes to help you cost-effectively convert your paper records and films to electronic format. Our Document Conversion Services provide: Capabilities that align with relevant HIPAA guidelines. A large footprint of secure local and regional Record Centers. The experience and best practices gained from scanning over 10 million pages per month at our more than 110 Imaging Centers. Highly trained personnel. High-speed scanners and industry-leading software for fast conversion and high-quality images. Direct integration with major EMR systems or delivery via a secure FTP site. Secure, offsite archiving and backup for storing electronic patient data. A documented chain of custody that ensures patient records are protected throughout the entire process. Stay in control with Iron Mountain Connect As a service to our customers, we provide Iron Mountain Connect. This highly secure Web-based system offers you access to the tools and applications you need to easily and cost-effectively manage your document conversion and other records activities. With Iron Mountain Connect, you can: Quickly locate physical records in the hybrid environment. Easily schedule documents for conversion. Consistently manage the retention and destruction of physical records. Assign employee authorization levels and monitor access. 7
8 Paper Document Scanning We work with you to build a compliant, cost-effective digital workflow, allowing you to select any combination of our imaging options to meet your operational and regulatory needs. Day-Forward Conversion. Even after you establish an EMR solution, certain records will continue to be created on paper. You will need a compliant solution for converting these documents to electronic format as soon as possible and integrating them into the record. Day-Forward Conversion helps you build a workflow that seamlessly puts your organization s newest records into an electronic format. Our experts work closely with your staff to define a plan for automatically digitizing records not created electronically from a designated date onward helping you establish a convenient, cost-effective way to streamline processes and minimize future storage requirements and costs. Image on Demand. The Iron Mountain Image on Demand service gives you the flexibility to digitize only what you need, when you need it, and deliver it in a timely manner. Image on Demand enables you to selectively convert only the portions of the patient record required for clinical care, encrypted for secure transmission to the EMR system and avoiding the costs typically associated with a large-scale conversion initiative. Backfile Conversion. Iron Mountain can help you establish a fast, efficient process for the bulk conversion of paper records to electronic format. Our Backfile Conversion process employs a project-based approach focusing on converting a specific subset of your existing records such as those generated within the last year only enabling you to rapidly populate your EMR system, while keeping costs under control. Film Digitization To help our healthcare partners move to a fully digital environment, Iron Mountain also provides full scanning and digitization services for our radiology customers. X-ray on Demand. Iron Mountain X-ray on Demand provides a scanning and digitization service for radiology customers storing analog films with Iron Mountain. When an x-ray study is requested, we retrieve, digitize and then convert the film to a standard format. It is then indexed, encrypted for security, and sent to your PACS or a quality control station. X-ray on Demand lowers total cost of ownership and enables a healthcare provider to proactively plan for managing historical radiology records as an integral part of the conversion to a fully filmless radiology environment. Whatever Iron Mountain Document Conversion Service you choose, you can feel confident your information will remain highly protected yet readily accessible throughout the conversion process. Our holistic approach not only helps you cost-effectively convert your documents but also offers you access to the data backup and archiving solutions necessary to ensure that, once created, your electronic data is fully protected and preserved. 8
9 The Bottom Line: Iron Mountain ensures our Document Conversion Services are compliant with HIPAA regulations, so you can be compliant too.
10 Iron Mountain Document Conversion Services End-to-end compliance Iron Mountain has established proven workflows for document conversion based on best practices, and we apply these workflows consistently throughout our operations. We operate Imaging Centers across the country, which are staffed by trained personnel and equipped with the latest technologies, security systems, and careful monitoring of every action and process. The bottom line is, we make sure our Document Conversion Services are compliant with HIPAA regulations, so you can be compliant too. Key Requirements of the HIPAA Privacy and Security Rules The HIPAA Privacy Rule is intended to ensure that Protected Health Information is not used or disclosed inappropriately or without the patient s permission. The Security Rule is specifically designed to protect PHI that is used and stored electronically. Both aspects of the rule apply to document conversion. HIPAA rules cover three broad areas of activities: Administrative Safeguards. Operational processes and procedures, such as training, workflow, and the release of information, to ensure information is always handled according to policy. This section of HIPAA also requires a contingency plan, also known as a disaster recovery plan. Physical Safeguards. Physical controls, such as locks, access to keys and supervision, to protect against unauthorized physical access. Technical Safeguards. Data-related information systems and associated controls, such as database security, network protection and user authorizations and passwords, to protect data from software intrusions and attacks. 10
11 Administrative Safeguards HIPAA requires that PHI and ephi be protected and secured throughout all stages of document conversion. This means documented procedures for operational processes such as training, workflow and contingency planning must be put in place to ensure that information is always handled according to policy. Iron Mountain meets this requirement, and helps you meet it, in several ways. Access and Uses. Iron Mountain uses and discloses PHI only for the purpose of delivering our services in response to requests from our customers, as required under HIPAA. To make sure this happens, we: Physically restrict access to customer PHI during transit, conversion and storage of both the original paper documents and the converted electronic records. Electronically track and maintain an auditable log of all tasks and operations performed. Provide you with tools to manage how your employees access digital records through Iron Mountain Connect. Privacy Policies and Procedures. Iron Mountain has established standard operating procedures for our imaging and records conversion processes, and these procedures are uniformly applied at each of our Imaging Centers. Our staff is trained on our document imaging procedures, and adherence is verified through regular site inspections. Workforce Training and Management. HIPAA requires training of workers who handle PHI. Iron Mountain s training program for document conversion is thorough and compliant. Since document conversion invariably involves the handling of patient information, our Imaging Center staff receives training and instruction on HIPAA regulations. In addition, our workforce management procedures include: Comprehensive background checks for new hires. Comprehensive training specifically addressing HIPAA requirements. Code of Conduct and Ethics Training. Document Conversion Compliance Checklist HIPAA regulations now require your business associates, as well as your own institution, to be compliant. Iron Mountain maintains the following policies and procedures to promote compliance. Administrative Fully documented chain of custody Policy of accessing and retrieving only the minimum information needed to perform a specific job or task Written protocols and training for handling Protected Health Information Documenting and monitoring workflows Web software to help you manage and track recordsrelated activities Audit trail and documentation of physical and electronic disposal policies and procedures Screening of employees using comprehensive background checks Mitigation. In order to achieve and maintain compliance, you must evaluate the security and compliance of your document conversion program on a regular basis. Iron Mountain has a team dedicated to monitoring HIPAA requirements and evaluating our compliance. This team proactively tracks changes to industry regulations and works with Iron Mountain operations personnel on an ongoing basis to improve processes, mitigate risks, and ensure continued compliance. Data Safeguards. Processes should be in place to safeguard data at all stages of document conversion. Iron Mountain maintains data safeguards for records in our care across all operations and for all personnel. Safeguards include: Restricted access to customer PHI throughout transit, scanning, storage and disposal. Monitoring and tracking of all activities. Highly secure, best-in-class facilities protected by state-of-the-art security systems. 11
12 Documentation and Record Retention. HIPAA requires documentation that records are protected throughout their lifetime, up to and including their destruction. Iron Mountain helps you maintain compliance by using Iron Mountain Connect, which allows you to capture and manage the retention status of your documents. Once documents have been scanned, original files may be stored securely at Iron Mountain facilities or destroyed using compliant destruction processes, which include multiple sign-offs, audited chain of custody and a Certificate of Destruction. Contingency Plan. Iron Mountain s contingency planning for Document Conversion Services includes multiple layers. A minimum of two business document scanners are installed in each Imaging Center, providing in-center redundancy and backup capability. In addition, our scanners are under regular maintenance contracts to help minimize unscheduled downtime. Furthermore, all of our Imaging Centers utilize highly redundant, centralized back-end processors. This offers you a high degree of reliability and protection as it enables each Imaging Center to provide recovery for the other centers in the event of a disaster. Our Disaster Recovery services offer: Centralized management that allows application software and supporting documentation to be distributed to any site in minutes. Standard operating procedures for consistent operations regardless of physical location. Centralized processors that use redundant, fault-tolerant equipment. Centralized back-end processors located in an Iron Mountain Data Center that is 220 feet underground in a geographically stable location; the backup site is in a similar secure underground location over 500 miles away. Audit Trail. Iron Mountain maintains and helps you maintain an auditable trail of all activities related to document conversion. You always know where your documents are, whether paper or electronic, and you can produce a variety of reports to meet both HIPAA requirements and your own administrative policies. Among the ways we help you meet the auditing requirement: Secure Web-based portal providing the ability to track, manage and report on document conversion and all other aspects of records management. All records requests are logged and recorded in Iron Mountain SafeKeeper PLUS. Document Conversion Compliance Checklist Physical Centralized location or vendor for storage of physical records and conversion services Physical access controls, such as locked facilities and visual monitoring Intrusion detection and alarm systems Environmental controls, fire detection and suppression systems Secure destruction of electronic records in accordance with retention policies Technical Firewall and virus protection Secure password protection Role-based access rules, so users can access only the software and data to which they have been granted access Unique user IDs to identify and track users Monitoring of Iron Mountain employees who log on and gain access to data Automated backup of all records at separate locations Direct integration with major EMR systems or delivery via a secure FTP site Tracking and logging by Iron Mountain of all tasks and operators. Consistent workflows that guide all activities related to scanning and other records activities. 12
13 Physical Requirements HIPAA requires you and your partners to have controls such as locks, restricted access to keys, and supervision to ensure computer systems and patient information are protected from unauthorized physical access. At Iron Mountain, we ve developed what we believe are the highest standards for facility security in the industry. Our facility standards include: Placement of facilities outside of high risk areas, with comprehensive risk assessment processes for all facilities. Careful incorporation of physical access controls. Advanced fire-suppression controls with both ceiling and in-rack sprinkler systems. Intrusion detection systems, monitored by a central station. Strictly enforced process controls for the admittance and monitoring of personnel entering and exiting facilities. Mandatory facility audits to enforce accountability and monitor compliance with standards. Geographically separated, world-class underground data centers. Technical Requirements HIPAA requires safeguards for data-related information systems and associated controls, such as database security, network protection and user authorizations and passwords, which protect ephi and control access to it. Iron Mountain employs advanced technical security measures for our role in the storage and transmission of information. We will also work closely with your IT staff to help you implement compliant best practices within your own organization. Our technical safeguards include: Firewall and virus protection. Secure password protection. Role-based access rules, so users can access only the software and data to which they have been granted access. Unique user IDs to identify and track user identity. Monitoring of Iron Mountain employees who log on and gain access to data. Direct integration with major EMR systems or delivery via a secure FTP site. In addition, our Document Conversion Services offer additional safeguards to protect information integrity, such as: Centralized scanning for uniform quality across Imaging Centers. Automated contrast, brightness and threshold adjustments to optimize image quality. Multi-feed detection to prevent page overlaps and missed images. VirtualReScan software, a software option that offers automated color detection and capture, content-based image rotation, image deskewing, image despeckling, image cropping, blank page removal, background suppression, and hole punch fill-in. 13
14 Beyond Compliance Iron Mountain goes beyond compliance. We employ best practices developed through our years of experience working with leading healthcare institutions around the country. This best-practice approach ensures all reasonable measures are taken to protect patient information, to remain in good standing with the law, and to promote a positive image in the community.
15 CONCLUSION The transition to EMR is accelerating, and so is the importance of document conversion. As part of the Iron Mountain EMR Enablement Solution, our Document Conversion Services offer more than just a comprehensive approach to conversion we offer the confidence and peace of mind that our solution is time-tested and compliant. Our Imaging Centers are built on years of bestpractice experience at the country s leading hospitals. We have a staff trained to the highest standards and state-of-the-art equipment. With Iron Mountain, you get the conversion services necessary to accelerate your EMR transition, while ensuring your information remains securely protected yet readily accessible throughout the process. To learn more about our HIPAA-compliant Document Conversion Services for healthcare, contact us today at IRON (4766). 15
16 THE HIPAA PRIMER HIPAA Primer series Our HIPAA Primer Series offers you in-depth insights into the proven best practice policies and procedures Iron Mountain employs to ensure that our solutions not only meet but exceed HIPAA requirements. To learn more about how a specific solution can help you ensure your information remains highly secure yet readily accessible throughout its lifecycle, check out our other best practice guides from this series, including: IRON MOUNTAIN Cloud Storage SOLUTIONS HIPAA-Compliant Solutions for Health Information Challenges Iron Mountain data protection services Proven, Trusted and HIPAA-Compliant Media Management iron mountain document conversion Services The HIPAA-Compliant Approach to EMR Transition Iron Mountain records management services HIPAA-Compliant Solutions That Keep You Compliant Iron Mountain release of information services Coming Soon About Iron Mountain. Iron Mountain Incorporated (NYSE: IRM) provides information management services that help organizations lower the costs, risks and inefficiencies of managing their physical and digital data. Founded in 1951, Iron Mountain manages billions of information assets, including backup and archival data, electronic records, document imaging, business records, secure shredding, and more, for organizations around the world. Visit the company Web site at for more information Iron Mountain Incorporated. All rights reserved. Iron Mountain, the design of the mountain, LiveVault, Digital Record Center, SafeKeeper PLUS, Iron Mountain Connect and Image on Demand are trademarks or registered trademarks of Iron Mountain Incorporated in the U.S. and other countries. All other trademarks are the property of their respective owners. US-HIS-EXT-WP IRON (4766) / ironmountain.com 16