
HIPAA Document Management and Compliance

Written by Paulina Rodriguez on 5 October 2018

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the Congress of the United States of America on August 21, 1996. It was the first act to defend the rights of plan members and their families, with the main objectives of facilitating the portability of medical insurance coverage and exercising strict control over the confidentiality and integrity of user information.

The HIPAA law has five basic principles:

  • Security - service providers are responsible for protecting their patients' medical information against unauthorized disclosure.
  • Consumer control - gives consumers control over the disclosure of their medical history.
  • Limits - the use of information is limited to treatment and payment.
  • Public responsibility - balances private protection and public responsibility, emphasizing the fight against fraud and possible abuses by medical service providers and their allies.
  • Penalties - federal sanctions, including fines and even imprisonment.

The application of HIPAA is extensive: it applies to doctors, nurses, laboratories, pharmacies, clinics, rehabilitation centers for all medical conditions, geriatric centers, health insurers, employers' general health plans, government programs such as Medicare and Medicaid and, in general, to any provider of medical services.

HIPAA has a general privacy rule that allows health organizations and related providers to use users' protected health information only for matters directly related to medical treatment and payment; for all other uses, written authorization that lifts the protection granted by the law is required.

The law requires companies and personnel related to health services in the American territory to comply effectively with the HIPAA security standards that protect their clients' information. These standards cover three inseparable categories of safeguards: administrative, physical and technical. The administrative safeguards concern the regulatory compliance designed to control the conduct and ethics of the personnel who enter and process information in the management systems, as well as the electronic distribution of that information. The physical safeguards concern the measures established to protect premises and physical equipment involved in any way in protecting information against natural and environmental risks or possible intrusions. Finally, the technical safeguards concern all the processes and workflows designed to protect, control and, above all, monitor access to the information in medical records.

In addition, the law states that the safeguards must be supported by documented processes, which must be disseminated to all associates and parties related to the medical provider, who must guarantee compliance with the privacy policies covering its users' medical information. Moreover, depending on the size of the provider of medical services, the law requires a privacy officer who is responsible for monitoring compliance with the privacy policies.

HIPAA grants rights to users of the health system that allow them to request access to their medical history; to know how and with whom their medical information has been shared, with the exact dates of each disclosure; to request detailed reports of the reasons why their medical information has been shared (these reports must be delivered to users free of charge once a year); to request review and correction of their medical histories following a protocol already established in the law; to file complaints; and even to request that medical information not be shared with specific recipients such as employers, sellers or others without the user's express written authorization.

The rights granted to users through the HIPAA standards oblige providers of medical services, including the people and companies related to them, to maintain reliable document management systems that give quick access to medical history information through keywords, metadata and other elements with detailed search capabilities. Access to electronic medical records in an emergency can mean the difference between life and death, so timely access is a priority. A content manager used for this purpose must also be able to digitize all the physical information generated in medical records, not only for electronic access but also as a security measure against external threats that may damage paper documents.

Providers of medical services are obliged to keep version control records of their users' medical histories, especially when correction requests are made or information is added to a record; in other words, electronic medical records must be kept secure at rest, in transit and in use. For providers that use electronic signatures, HIPAA requires a system that meets a standard guaranteeing user authentication and message integrity, although the law does not require the use of electronic signatures. Likewise, where applicable, the systems used must be able to destroy medical information securely so that third parties cannot recover it for unauthorized purposes. HIPAA regulations do not require any specific system or technology, and their application may vary with the size of the organization, the needs of each location and the type of medical services provided.

The arrival of electronic medical records obliges providers of medical services to protect the security of information and to reinforce control over the processes by which patient information is entered and disseminated, especially since most reported breaches of patient information are caused by errors committed by medical services personnel. Document managers must therefore be dynamic and offer a wide range of options to filter and detect errors that could breach patient privacy. The patient information security events that must be monitored include disclosure, modification, alteration and unauthorized destruction of medical information.

The sanctions established in HIPAA for violations of the privacy of patients' medical information in the United States are both civil and criminal. They range from fines of up to 25,000 USD for repeated violations in the same year to fines of 250,000 USD or even ten years in prison for misuse of medical information, so the handling of medical information must be taken very seriously. HIPAA was reinforced by the HITECH (Health Information Technology for Economic and Clinical Health) Act enacted in February 2009, which tightened the sanctions already established in HIPAA; in addition, HITECH introduced financial incentives for medical service providers that adopt the technologies required by the regulations within the established deadlines.


The OpenKM document management system helps medical service providers comply with all the safeguards and legal requirements contained in HIPAA and HITECH.

OpenKM currently serves clients in the medical sector internationally, a highly regulated sector of strategic importance at the socio-economic, regional and national level. As the description of HIPAA above makes clear, the management of medical records obliges health service providers to take extreme security measures. OpenKM is a document and electronic records management system and is therefore prepared to administer this type of content. To begin with, only users with a username and password can access the system. In addition, the assignment of roles and profiles defines the work areas and the functionalities, and therefore determines the tasks and actions that a user can perform. The third level of security management in OpenKM is applied at the granular level: every node (folder, record, document or email, including attachments) has its own security section, in which the administrator can determine who can see, edit, download, delete, etc., that node, at group or individual level. This method of managing content security provides the flexibility and precision to adapt electronic document management to every possible scenario.

In addition, the Health Insurance Portability and Accountability Act states that the safeguards must be supported by documented processes, which must be disseminated among all partners. From the Wiki tab of the properties panel of any file, users can consult the documents that define each process. If there is any doubt, users can use OpenKM's online chat to communicate, or open a query in the Forum section, where other users can respond or add their opinions.

Administrative and health management processes can be automated in OpenKM, avoiding human error, ensuring exhaustive compliance with the procedures and preventing deviations from the organization's current policy. The provider of medical services can also create workflows thanks to the workflow engine integrated with the document manager, which streamlines processes while coordinating the personnel, departments or areas involved in delivering a process or service.

These functionalities can be combined with the Zonal OCR engine and the OpenKM scanner client. Together, these two elements allow the organization to run a paperless office in its daily activities while also serving as a means of digital transformation. Where doctors, nurses or clinic assistants were previously tied to paper handling, with OpenKM any healthcare professional can access the necessary information with a click and meet the patient's need in real time, complete a report on the spot, or register a request online.

HIPAA also obliges organizations in the sector to maintain exhaustive control over patients' medical histories. In OpenKM you can enable version control; through the History tab users can see the versions a document has passed through, who the author was and the date, and they can even download versions other than the current one. Most importantly, the differences between versions are highlighted, so the contribution of each author can be determined more precisely. The Activity log allows a complete audit of every event that has taken place on the health documentation: who has accessed it, when, and what was done to the file. When a document, record or folder contains information that is especially relevant to us, we can subscribe to it and receive real-time notifications of any change to its content.
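As an added illustration of the security model described above (authenticated users, then roles, then a per-node security section) together with the activity log that records who accessed what and when, here is a small Python model. It is not OpenKM's own code and uses no OpenKM API; the class and permission names, the inheritance rule (a node with no grants of its own takes its parent folder's security), and the sample users, paths and timestamps are assumptions constructed for the example.

```python
"""Illustrative node-level access control plus an activity log.

Added example, not OpenKM code. Everything here (Node, User, DocumentStore,
the inheritance rule, the sample data) is a constructed assumption.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Hypothetical permission names; they mirror the page's "see, edit, download, delete"
READ, WRITE, DOWNLOAD, DELETE = "read", "write", "download", "delete"


@dataclass
class User:
    name: str           # authenticated username (first level of security)
    roles: Set[str]     # roles/profiles (second level)


@dataclass
class Node:
    """A folder, record or document with its own security section (third level).
    Grants may be set per user or per role; a node with no grants of its own
    inherits its parent's security (assumed rule for this example)."""
    path: str
    parent: Optional["Node"] = None
    user_grants: Dict[str, Set[str]] = field(default_factory=dict)
    role_grants: Dict[str, Set[str]] = field(default_factory=dict)

    def effective_permissions(self, user: User) -> Set[str]:
        if self.user_grants or self.role_grants:
            perms = set(self.user_grants.get(user.name, set()))
            for role in user.roles:
                perms |= self.role_grants.get(role, set())
            return perms
        if self.parent is not None:
            return self.parent.effective_permissions(user)
        return set()  # nothing granted anywhere: deny by default


@dataclass
class ActivityEvent:
    timestamp: str
    user: str
    action: str
    path: str
    allowed: bool


class DocumentStore:
    """Enforces node permissions and logs every attempt, allowed or denied,
    so that denied attempts are auditable too."""

    def __init__(self) -> None:
        self.log: List[ActivityEvent] = []

    def attempt(self, user: User, node: Node, action: str,
                when: Optional[datetime] = None) -> bool:
        allowed = action in node.effective_permissions(user)
        stamp = (when or datetime.now(timezone.utc)).isoformat()
        self.log.append(ActivityEvent(stamp, user.name, action, node.path, allowed))
        return allowed

    def audit(self, path: Optional[str] = None, user: Optional[str] = None,
              denied_only: bool = False) -> List[ActivityEvent]:
        """Who accessed what, when, and whether the action was permitted."""
        return [e for e in self.log
                if (path is None or e.path.startswith(path))
                and (user is None or e.user == user)
                and (not denied_only or not e.allowed)]


def run_sample() -> DocumentStore:
    """Constructed sample hierarchy and access attempts (not real data)."""
    records = Node("/records", role_grants={
        "clinicians": {READ, WRITE, DOWNLOAD},
        "records_admin": {READ, WRITE, DOWNLOAD, DELETE},
    })
    patient = Node("/records/patient-0001", parent=records)  # inherits from /records
    # Sensitive result with explicit grants on the document itself: the folder's
    # role grants no longer apply here, so only the named user can see it.
    lab = Node("/records/patient-0001/lab-result.pdf", parent=patient,
               user_grants={"dr.lee": {READ, DOWNLOAD}})

    dr_lee = User("dr.lee", {"clinicians"})
    nurse = User("nurse.kim", {"clinicians"})
    billing = User("billing.ops", {"billing"})
    admin = User("records.admin", {"records_admin"})

    store = DocumentStore()
    t0 = datetime(2018, 10, 5, 9, 0, tzinfo=timezone.utc)
    store.attempt(dr_lee, lab, READ, t0)       # allowed: named on the document
    store.attempt(nurse, patient, READ, t0)    # allowed: clinicians may read the folder
    store.attempt(nurse, lab, READ, t0)        # denied: document grants exclude her
    store.attempt(billing, patient, READ, t0)  # denied: billing role has no grant
    store.attempt(nurse, patient, DELETE, t0)  # denied: clinicians cannot delete
    store.attempt(admin, patient, DELETE, t0)  # allowed: records_admin may delete
    return store


if __name__ == "__main__":
    for ev in run_sample().audit():
        verdict = "ALLOW" if ev.allowed else "DENY"
        print(f"{ev.timestamp} {ev.user:14} {ev.action:8} {ev.path:42} {verdict}")
```

Running the script prints the full activity log; `audit(denied_only=True)` lists the three refused attempts, which is the view a privacy officer would review first, and `audit(path=...)` narrows the log to a single record or document.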

Organizations can also use more advanced functionalities to streamline processes and procedures without undermining compliance with legal, regulatory and quality criteria. The document management system can be used as a registration system for requests, complaints or acknowledgements. Through automation in the document manager, the user filling in a form is guided step by step by an assistant that explains which data to add. The automation can then launch a workflow for the analysis, management, review or approval of requests made by patients. These data become part of the information collected as Reports in OpenKM, since the document manager can produce reports on any relevant aspect.

The archive plan can be used to guarantee document management according to the established organizational policies, ensuring the correct destruction of the information and documentation when necessary.

In summary, the OpenKM document manager can help with compliance by the following means:

  • Storage of documentation related to patient records such as test results, medical reports, etc.
  • Guarantee security at the level of access: who can and who cannot access data.
  • Administrators can audit who has accessed and when.
  • Identify documentation distributed by users.
  • Record and store patient requests.
  • Make detailed reports on who and when has accessed the documentary resources.
  • Restrict certain recipients' access to information in the absence of the user's express written authorization.
  • Version control which allows you to view the changes made to documents, by whom and when.
