Key Document Management System Features

R&G LCMS

The paperless office is here to stay, with many businesses, large and small, making the move to online storage. Document management systems come in various forms. Some are simple online filing systems; others are complex, with features such as access control, audit trails, encryption, and data backup. The type of information a business maintains drives the type of security needed to safeguard it. For example, law firms often need a system associated with case files that safeguards clients' personal health care information. A small business may need a billing document management system.

A robust document management system should offer multiple layers of protection. For example, access controls grant individuals permission to access data. Two examples are personal identification numbers and passwords. Some passwords are specialized and require special characters. The more complex the password, the less likely a hack will occur. Audit trails are another means of protection; they provide a history of who viewed certain data and when, which allows the source of a breach to be tracked. Lastly, encryption provides a way to share files securely and limits the viewing of certain documents.

A good document management system also has a data backup feature. This occurs when data is replicated to an additional system such as the cloud. Theft, data loss, or a natural disaster are just a few reasons to incorporate redundancy into the system, as data redundancy is essential for speedy and seamless recovery. If there is no built-in redundancy, the opportunity for recovery of files may be forever lost. The key is to balance redundancy so that data remains as clean and up to date as possible.

Document collaboration is a more sophisticated feature of an online system. This feature allows for mark up, versioning, searchability, e-signature and customized security. While overkill for some businesses, the features are essential for others.  

Customer support is essential for any document management system. A standard method for contacting the developer should be known and responses should come quickly when there are questions. A client portal with a help button is a common feature for many systems.  

R&G offers clients a Legal Case Tracking System as a secure means of storing case information online. The Legal Case Management System (LCMS) is an integral part of workflow management at R&G. LCMS is a state-of-the-art database providing anytime-anywhere access to case details, retrieved medical records, and completed work products.

There are no additional fees associated with access. All of R&G’s medical legal consulting or document management clients can: 

  • Track case deadlines and status of records in real time 
  • Access medical records and completed work products 
  • Data is safe and private! LCMS uses BOTH redundant storage (to protect your data in real-time) AND frequent backups (to protect data in case of disaster) 

If you need assistance with a case, please call R&G Medical Legal Solutions at 1-888-486-2245. 

Medical Abbreviations

Medical abbreviations have been used since the development of medicine, and their use is a longstanding practice. They are thought to save time and space when writing medical records. Additionally, they are cost effective and can be customized. While many healthcare facilities have gone to electronic records, the practice of handwritten records still exists, and with it the continued use of handwritten medical abbreviations.

Paper records are prone to errors. Illegible writing causes confusion and, at times, a delay in care because of the need to follow up with the author for clarification, especially when it comes to medication orders and dispensing. Many abbreviations may have more than one meaning, and the staff interpreting the record may not be familiar with the abbreviation being used.

In 2005 The Joint Commission, an enterprise that accredits and certifies healthcare organizations, adopted a list of abbreviations that Joint Commission accredited facilities are forbidden to use. Below is the list along with an explanation of the potential problem.

| *DO NOT USE | POTENTIAL PROBLEM | USE INSTEAD |
|---|---|---|
| U, u | Mistaken for “0” (zero), the number “4” (four) or cc | Write “unit” |
| IU (international unit) | Mistaken for IV (intravenous) or the number ten (10) | Write “International Unit” |
| Q.D., QD, q.d., qd (daily) | Mistaken for each other | Write “daily” |
| Q.O.D., QOD, q.o.d., qod | Period after the Q mistaken for “I” and the “O” mistaken for “I” | Write “every other day” |
| Trailing zero (X.0 mg) (applies to medication orders) | Decimal point is missed | Write X mg; write 0.X mg |
| MS; MSO4 and MgSO4 | Can mean morphine sulfate or magnesium sulfate; confused for one another | Write “morphine sulfate”; write “magnesium sulfate” |

 2020 The Joint Commission Fact Sheet 

*List does not apply to preprogrammed health information technology systems.  

The Joint Commission has made a recommendation not to use the symbols for “greater than” or “less than”, as they may be misinterpreted as the letter L or the number 7. The symbol for at (@) is discouraged because it may be misinterpreted as the number 2. Instead, providers should write out the words “greater than”, “less than” or “at” as they appropriately apply in the chart.

Misinterpretation of abbreviations may result in patient harm, including death. R&G nurses are skilled at reading handwritten records and recognizing when a contributing error has occurred. If you are an attorney and need help with your case, please contact R&G at 1-888-486-2245.

HIPAA Certification, To Do or Not To Do

Catherine Beasley, MS, BSN, LNCC 
Dec 2020 

Breaches of protected health information are becoming commonplace. The US Department of Health and Human Services, Office for Civil Rights now publishes Breach Report Results, which can be accessed at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.

Hospitals and health care organizations must report breaches affecting more than 500 people to the Department of Health and Human Services, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. A breach of more than 500 patients’ information may result in the organization’s name appearing on the Department of Health and Human Services website. Simply stated, breaches of protected health information are bad for the business of health care organizations. Patients are left to wonder about the ability of the organization to provide safe, effective care. After all, if an organization can’t manage paper, how can it manage safe care?
 
Health Insurance Portability and Accountability Act (HIPAA) training is now available online from third-party vendors. Training can be done at the convenience of the trainee, and both individual and corporate rates are provided. Seminars lasting one or two days are also offered nationwide, and pricing varies by vendor.

The Department of Health and Human Services is very clear in that breaches of protected health care information are unacceptable regardless of the number of victims impacted.  However, does having a HIPAA certification mean an organization is better able to secure the personal data of those they serve?  There are two schools of thought to consider.  First, the training and knowledge will support safe practice and thus decrease risk of any potential breaches.  Training will also increase the confidence level of staff in managing protected health information and recurring training allows the trainee access to up to date information regarding HIPAA.   

An opposing view is that the Department of Health and Human Services does not endorse or recognize HIPAA certifications regarding security rules and warns against misleading marketing claims.   

“We have received reports that some consultants and education providers have claimed that they or their materials or systems are endorsed or required by HHS or, specifically, by OCR. In fact, HHS and OCR do not endorse any private consultants’ or education providers’ seminars, materials or systems, and do not certify any persons or products as HIPAA compliant.” 

The HHS website goes on to reflect:  

“There is no standard or implementation specification that requires a covered entity to “certify” compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The evaluation can be performed internally by the covered entity or by an external organization that provides evaluations or “certification” services. A covered entity may make the business decision to have an external organization perform these types of services. It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.”

Given that certification is not mandatory, it is up to an organization to ensure compliance is achieved. Investment in training, while not required, is an organizational decision based on the level of comfort and ability to meet requirements.

Breach Portal, (n.d.).  Retrieved 23 Nov 2020  from https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf 

HHS.gov. (n.d.).  Are we required to “certify” our organization’s compliance with the standard security rule?  Retrieved 23 Nov 2020 from https://www.hhs.gov/hipaa/for-professionals/faq/2003/are-we-required-to-certify-our-organizations-compliance-with-the-standards/index.html 

HHS.gov. (n.d.) What you should know about OCR HIPAA privacy rule guidance materials.  Retrieved 23 Nov 2020 from https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/be-aware-misleading-marketing-claims/index.html 

Why hackers are going after healthcare records…

 

When data is stolen from a bank, it quickly becomes useless once the breach is discovered and passwords are changed. However, data from the healthcare industry, which includes both personal identities and medical histories, can live and affect people for a lifetime.

Cyberattacks will cost society more than $305 billion over the next five years. According to industry consultancy Accenture, 1 in 13 patients will have their data compromised as a result.

The healthcare sector is uniquely vulnerable to privacy breaches. Recent government regulations have required healthcare providers to adopt electronic health records (EHR) under the Patient Protection and Affordable Care Act. This can expose patient data to compromise unless providers make equal investments in the security of the systems used to house and manage that data. To comply with legal requirements, healthcare organizations often store detailed medical information for many years. The probability of a breach and the potential severity of the consequences increase with the amount of data stored and the length of time it is stored.

To a hacker, healthcare records contain valuable information, including Social Security numbers, home addresses, and patient histories. Criminals can sell this data for a premium on the black market, providing incentive to focus attacks on the healthcare industry.

With the push toward integrated care, medical data is being shared with many different entities whose employees may have access to patient records. This extended access to medical records also increases the potential for privacy breaches.

In summary, as companies move to digital record-keeping, the industry is so focused on regulatory compliance that cybersecurity has largely been a secondary thought. Companies with legacy systems are trying to connect to and integrate EHRs. Security is not always considered an integral part of that, and patching systems are always filled with issues.

Source:

https://www.accenture.com/t20150723T115443__w__/us-en/_acnmedia/Accenture/Conversion-Assets/DotCom/Documents/Global/PDF/Dualpub_19/Accenture-Provider-Cyber-Security-The-$300-Billion-Attack.pdf