Best Practices Guide
Healthcare
HIPAA-Compliant Solutions That Keep You Compliant
Iron Mountain Records Management Services

Contents
Physical Records: The Ongoing Compliance Challenge
Working with an Outside Vendor: The Advantages of a Compliant Records Management Partner
Iron Mountain Records Management Services: Solutions You Can Trust
HIPAA Compliance and Beyond
Conclusion

800 899 IRON (4766) / ironmountain.com

Maintaining paper patient records in a compliant manner remains a major challenge for most healthcare providers. This inherently difficult task is complicated by multiple departments, thousands of patients, and the dueling requirements of easy access and HIPAA-level security.

That’s why many leading healthcare organizations rely on Iron Mountain. Our experience, proven workflows, and best practices make us the trusted partner for all aspects of records management, while meeting or exceeding HIPAA requirements.

With Iron Mountain as your records management partner, you can be comfortable knowing your patient information is protected and safe—for the life of your records.

HIPAA Primer Series
HIPAA privacy regulations have been significantly tightened. Now, not only are you required to be compliant, but your third-party partners must be compliant as well.

Physical Records: The Ongoing Compliance Challenge

With all the attention paid to electronic health records, it’s important to remember the huge number of physical records—paper and film—that are still being used in healthcare, and will be for years to come.

These physical records must be stored, accessed, and moved throughout their lifecycle in compliance with HIPAA privacy regulations, which were significantly tightened under the American Recovery and Reinvestment Act of 2009 (ARRA). What’s more, the new HIPAA rules not only require your hospital or practice to be compliant, but your third-party partners must be compliant as well.

Keeping track of every record throughout its lifecycle, and ensuring its protection is a daunting challenge. Iron Mountain is the proven, HIPAA-compliant partner that can help you do it.

What the Law Requires

The HIPAA Privacy Rule requires establishing and implementing measures to ensure the confidentiality, integrity, and availability of all Protected Health Information (PHI).

Who Must Comply. Health plans, healthcare clearinghouses, healthcare providers (also known as “Covered Entities”), and business associates to whom they provide health information.

What It Covers. PHI includes any information about health condition, treatment, or payment for care that can be related to an individual. The term is a broad one and generally includes all information contained in a patient’s medical record and payment history.

What the Penalties Are. The government has ramped up enforcement and penalties related to the protection of patient information. Penalties can reach a maximum of $1.5 million annually per type of violation. On the enforcement side, state attorneys general, in addition to the Department of Health and Human Services (HHS), have been given authority to prosecute HIPAA violations. In the future, we can expect the following:
1. Any civil monetary penalties recovered by HHS will be used for their future enforcement efforts.
2. Individuals harmed by a violation may receive a percentage of the penalties, thus encouraging both patients and authorities to report violations.

Working with an Outside Records Management Vendor: Advantages of a Compliant Records Management Partner

Working with a HIPAA compliant third-party partner provides the resources and highly-trained personnel necessary to manage your records efficiently, cost-effectively, and in accordance with the ever-evolving regulatory requirements.

Most healthcare providers choose one or more outside vendors to help manage their patient records. Outsourcing has several advantages. It allows your organization to focus on its core mission. It offloads the burden of maintaining the space and managing the records to a specialist who has the systems and personnel in place to handle the job efficiently and cost-effectively. And, a records management partner can provide the offsite facilities and physical protection necessary to deliver truly compliant storage and management of PHI.

Consolidating Makes Sense — Only if Your Partner Is HIPAA Compliant

To get the maximum benefit of working with a third-party partner, many leading healthcare organizations are consolidating to a single vendor they can partner with for a comprehensive records management solution.

This strategy makes sense. Consolidation eliminates unnecessary vendor expenses, promotes the consistent application of workflow processes, and strengthens the chain of custody associated with records management.

However, it is essential that the partner you choose be able to deliver the full range of records management services you will need. What’s more, under the new regulations, you must obtain satisfactory assurances that your partner is HIPAA compliant, both in the services they provide to you and in their own internal operations.

Only then will you have the records management help you need—and the peace of mind that comes from working with a trusted HIPAA-compliant partner.

Iron Mountain Records Management Services: Solutions You Can Trust

Iron Mountain provides a proven, comprehensive solution for compliant records management that can be tailored to fit your institution’s particular needs. Our services are built on best-practice workflows, ensuring your information is accessible when you need it, yet fully secure and compliant throughout every record’s lifecycle.

Iron Mountain provides a highly proven, comprehensive solution for compliant records management tailored to fit your institution’s particular needs. We manage your records offsite in one of our highly secure record centers, using consistent, auditable workflows and advanced security systems. Our best-practice processes improve access to patient information, strengthen chain of custody and increase regulatory compliance.

Iron Mountain Records Management Services offer:
— Information Management Expertise. The knowledge gained from years of experience, thousands of customers, and millions of records in our care.
— Checks and Balances. A proven methodology with multiple checks to ensure records are securely handled and stored.
— InControl® for Security During Transit. An advanced transportation security platform for ensuring the protection of your records at all stages of transit.
— Highly Secure Facilities. Storage facilities uniquely equipped with technologically advanced alarms and sensors, advanced fire protection, and 24/7/365 monitoring to protect your records.
— Ongoing Performance Measurement. Continuous improvement driven by regular monitoring of key performance metrics of our processes and facilities.

Very simply, we take care of your information as if it were our own. It’s one more reason why Iron Mountain is the choice for managing and protecting your records.

InControl: For Security in Transit

Security is especially critical when records are in transit. That’s why Iron Mountain developed InControl, an advanced transportation security platform that ensures the protection of information in transit in three key ways:

Prevention. Our vehicles are outfitted with innovations in security technology, such as dual-key ignition, driver proximity alarms, high-security, key-locking mechanism, and door-ajar ignition prevention.

Early Detection and Correction. We utilize real-time wireless scanning technology to validate pickup and delivery transactions and to maintain chain of custody. By utilizing wireless communication protocols, we can identify and reconcile inventory discrepancies in real time, at the point of origination.

Proof. As information is routed through our delivery platform, Iron Mountain’s InControl technology keeps a real-time audit trail to document each transaction. You have the ability to designate authorized contacts for receiving and sending records. For further accountability, InControl keeps a delivery audit trail with electronic signatures and automated email service confirmation receipts for orders placed via Iron Mountain Connect™, your online records management Web portal.

[Figure: Records Management Workflow | Incoming. Scan points and real-time transmission of custody (InControl®). Diagram labels: enter order via Iron Mountain Connect™; affix barcode label; driver arrives; driver scans files/cartons onsite; electronic signature captured; auto email pick-up verification; secure vehicle transport; scan upon arrival to record center; optional premium processing (imaging, data entry, classification); scanned to storage location; available for order in Iron Mountain Connect™; automated invoicing.]

60 Years of Experience
Iron Mountain Records Management Services are built upon workflows that have been developed, refined and proven for 60 years. These workflows are the key to making patient information accessible when you need it, yet fully secure and compliant throughout every record’s lifetime.

Incoming

Our incoming workflow keeps your records protected, from the moment we arrive to pick up your materials to their storage in our highly secure facilities. As a best practice, your records are individually indexed for improved access and management over time. This enables us to confirm the receipt of each patient record and provides you with a comprehensive, file-level inventory of your records at any time.
— Triple-Check Workflow. Files are scanned at every location and validated against previous scans to ensure accuracy, security, and chain of custody.
— Data Entry Validation. New files are labeled with descriptive information for tracking and later retrieval. This information can be keyed by us or by you online into Iron Mountain Connect.
— Opaque File Transport Bags and Bins. We provide you access to opaque file transport bags and bins in which records can be sealed to conceal and further protect PHI while in transit.

Retrieval

Iron Mountain makes retrieval simple, fast and secure. Using Iron Mountain Connect, you can search and retrieve records using your own descriptive data, and schedule delivery times—all online.
— Retrieval Label Double Scan. All files pulled for retrieval are tagged with an additional retrieval label, and both labels are scanned to ensure that only the correct files are actually retrieved.
— Opaque Wrapping. We use opaque wrapping to mask PHI when transporting medical records. This best practice ensures your information remains confidential throughout the outbounding process.
— Carton Banding. We band each carton before transport, for extra protection.
— Vehicle Validation. Files are scanned during loading, so the right files are on the right vehicle for optimum delivery security and compliance.
— Validation at Customer Site. As part of the InControl process, drivers complete retrieval by scanning each file at your location.

[Figure: Records Management Workflow | Retrieval. Scan points and real-time transmission of custody (InControl®). Diagram labels: enter order via Iron Mountain Connect™; retrieval barcode printed; retrieval from storage location; individual file scanned; verification scan to package; entire carton scanned; carton security band applied; courier scans onto vehicle; secure vehicle transport; scan upon delivery to customer; electronic signature captured; auto email confirmation; automated invoicing.]

Efficiently Manage Your Records with Iron Mountain Connect
Iron Mountain Records Management Services include access to Iron Mountain Connect, a Web-based inventory management system that provides your staff the tools necessary to transform your records management program into an enterprise-wide compliance program. The system provides complete visibility and control of your records and allows you to rapidly search your inventory to locate records. Authorized users can easily request records, run inventory reports, define retention policies, and monitor destruction programs.

Secure Destruction

Essential to any cost-effective and compliant records management program is the rigorous and timely enforcement of retention and destruction policies. Iron Mountain helps you meet these requirements through our Secure Shredding Services. Together our Records Management and Secure Shredding Services can help you monitor the destruction eligibility of your archived records and ensure the permanent destruction of sensitive patient information at the end of its lifecycle.
— Automated Destruction Eligibility Reporting. We help you systematically manage the lifecycle of your inventory based on your personal retention schedule. Using Iron Mountain Connect, you can define retention policies and access key information related to your records inventory, including destruction eligibility reports.
— Auditable Chain of Custody. InControl captures an auditable chain of custody using a reliable barcode ID scanning process.
— Secure Destruction Checks and Balances. Multiple checks and balances ensure only the right items are destroyed. Destruction only proceeds after careful review and authorization by you as well as by Iron Mountain. Every item scheduled for destruction is scanned and marked with special tags to ensure accuracy. Once permanently shredded, we provide you with a certificate of destruction for verification.
— Reliable Shred Process. Records approved for destruction are completely destroyed and then all paper-based materials are recycled to ensure your information is nonrecoverable.

In addition to destroying your archived files, Iron Mountain also helps you meet compliance requirements for those documents requiring immediate shredding. We can help you design a cost-effective destruction program, leveraging our onsite or offsite shredding service options to meet your specific requirements.

[Figure: Records Management Workflow | Archival Destruction. Diagram labels: request destruction (customer sends destruction request to Iron Mountain); open and send list (Iron Mountain opens order and sends preliminary destruction list to customer); authorize records (customer authorizes records to be destroyed and returns authorization to Iron Mountain); authorize order (destruction order authorized for operations); print final destruction listing; print retrieval barcode; retrieve items; scan items (double-scan items via Safekeeper PLUS® barcode); prepare material for shipment; secure vehicle transport; shred materials per customer authorization; send certificate (send certificate of destruction within service invoice to customer).]

Iron Mountain Records Management Services: HIPAA Compliance and Beyond

With Iron Mountain you can be confident your records are managed in a compliant manner, by a company that is itself HIPAA compliant. We constantly upgrade our processes to meet evolving regulatory requirements and best practices, ensuring our solutions are consistent, current and highly secure.

Iron Mountain has been committed to meeting HIPAA privacy regulations since the law was first enacted in 1996.

We combine a deep understanding of the HIPAA rules with our own experience at leading healthcare institutions to provide a compliant records management solution. In fact, our best-practice approach to handling patient information often exceeds HIPAA requirements. We use stringent protocols and procedures to address the same requirements every healthcare provider must follow, making us an ideal enterprise partner for healthcare providers.

With Iron Mountain, you can feel confident the management of your records is HIPAA compliant and that you are working with a HIPAA-compliant business partner.

Key Requirements of the HIPAA Privacy Rule
The HIPAA Privacy Rule was established to protect patient information from being used or disclosed inappropriately or without the patient’s permission. To ensure this, the rule requires Covered Entities to develop administrative and physical safeguards regarding the use, disclosure, access, release, and destruction of PHI.

Administrative safeguards require you to document procedures for operational processes such as workflows, employee training, reporting, and auditing. Physical safeguards cover controls such as locks, limited access to keys, and security systems.

Administrative Safeguards

HIPAA requires documented procedures for operational processes, such as training, workflow, and the release of information, be put in place to ensure information is always handled according to policy. Iron Mountain meets this requirement, and helps you meet it, in several ways.

Access and Use. Iron Mountain utilizes strict procedures to ensure our employees access PHI only when necessary and according to the duties required to support you. We carefully monitor access privileges and limit employee access using badges, 24/7/365 surveillance, and other security measures. Also, your institution can use Iron Mountain Connect to help you limit and track your employee access.

Privacy Policies and Procedures. Iron Mountain has developed protocols and procedures covering the same activities every healthcare provider must follow, including dedicated security resources, mandatory safety and security policies, regular audits, and effective employee training and management oversight. We also strictly monitor access to our buildings and maintain a highly secure chain of custody for PHI under our care.

Release of Information. Iron Mountain maintains best-practice procedures for every phase of the release of information process. We use a formal chain of custody process to ensure all records are properly handled. In fact, patient files stored at our record centers do not have to leave our facilities for release processing. We ensure that each release of information request and authorization includes the required elements to be HIPAA compliant, and our stringent performance standards require every release of information associate to adhere to our privacy and confidentiality standards.

Workforce Training and Management. Iron Mountain boasts an exceptional screening and training program for our employees, from records management specialists and IT staff to those who drive our vehicles. For positions that handle PHI, such as release of information associates, we provide even more detailed HIPAA training. We also perform regular reviews of work to ensure employee actions comply with state and federal regulations. Our screening and training policies include:
— Comprehensive background checks and drug screening prior to hire for all employees.
— Regular training on security policies and procedures for all employees.
— Mandatory Code of Ethics training, enforcing appropriate information access and handling procedures, for all employees.
— Special safety and security screening for our destruction specialists and equipment operators.

Records Management Compliance Checklist
HIPAA regulations now require your business associates, as well as your own institution, to be compliant. Iron Mountain maintains the following policies and procedures to promote compliance.

Administrative Safeguards
— Auditable chain of custody for the handling of all records at all times
— Standardized workflows to ensure best practices
— Indexing/MPI cleanup for better tracking
— Employee screening and background checks
— Employee training for the appropriate handling of PHI
— Documented processes to mitigate risk
— Multiple scans/signatures when information is shipped
— Web software to help you manage and track records-related activities

Mitigation. In order to achieve and maintain compliance, you must evaluate the security and compliance of your records management program on a regular basis. Iron Mountain has a team dedicated to monitoring HIPAA requirements and evaluating our compliance. This team proactively tracks changes to industry regulations and works with Iron Mountain’s operations personnel on an ongoing basis to improve processes, mitigate risks, and ensure continued compliance.

Audit Trail. The ability to audit activities is an essential component of any HIPAA-compliant records management program. As a best practice Iron Mountain individually indexes your records. This enables us to confirm receipt of each patient record and provide a comprehensive approach to tracking your documents throughout their lifecycle. This information can be used both for reporting and for continuous improvement initiatives.

We also help you generate an audit trail in several ways:
— Detailed security procedures and reporting to manage authorized access, using such tools as unique employee identification, monitoring of facilities access, and barcode scanning of records whenever handled or moved.
— Complete chain-of-custody audit trail for records in our possession, throughout the life of each record.
— Web-based software which allows you to directly manage and track records-related activities.
— Detailed accounting of all release-of-information disclosures, including who received the request, why, and the action taken.
— A certificate of destruction to verify your information is securely shredded and nonrecoverable.

Compliant Destruction. The proper, permanent destruction of all physical PHI in accordance with retention policy requirements is necessary to reduce the risk of a security breach and maintain compliance. Our Secure Shredding Services offer you access to a suite of tools designed to help you monitor the destruction eligibility of your records and consistently enforce your retention policies. We provide a full range of reporting and auditing of document destruction to help increase compliance with HIPAA and other regulatory requirements.

Indexing: Improve Access to Patient Information and Increase HIPAA Compliance
Patients’ lives depend on our ability to find critical information about their medical history in a timely fashion, which is why we individually list your medical records. During the inbounding process a primary file identifier, most commonly the record number or patient’s name, is captured. We also recommend the capture of at least two additional file identifiers such as last date of service, date of birth, or episode of care. This HIPAA-compliant best practice enables you to efficiently track and manage your record inventory, and ensures your patient information remains easily identifiable and readily accessible.

Physical Safeguards

HIPAA requires you and your partners to have physical controls, such as locks, limited access to keys, and supervision to protect records containing PHI from unauthorized physical access.

Facility Standards

Iron Mountain adheres to our Principles of Global Facility Protection, which mandate some of the industry’s most advanced systems to safeguard your information both inside and outside our buildings, far exceeding the requirements of HIPAA. Our Principles of Global Facility Protection include:
— Alarms and intrusion detection systems to detect, alert and record conditions.
— Access control systems at exterior and customer material storage area entrances.
— Utilization of licensed, authorized, third-party uniformed security personnel to bolster security.
— Advanced detection and automatic fire-suppression systems.
— Central monitoring of protection systems 24/7/365.
— Use of third-party auditors to ensure compliance with security standards through unannounced, random audits.
— Internal compliance audits for facilities.
— Annually tested and updated continuity plan for all facilities.
— Facilities, racking and shelving configurations compliant with local and federal codes.

Records Management Compliance Checklist

Physical Safeguards
— Carton strapping of packages for extra protection
— High-security vehicles for transporting records
— High-security storage facilities with guards, monitoring, and fire-suppression systems
— Fully-compliant destruction with multiple sign-offs and an auditable chain of custody
— Opaque wrapping of all records to conceal PHI during transport

Transportation Standards

To ensure the protection of information in transit, Iron Mountain utilizes secure vehicles equipped with dual-key ignition, driver proximity alarms, high-security key-locking mechanism, and door-ajar ignition prevention. We seal medical records in opaque wrapping and band cartons prior to transport. Throughout the process, real-time wireless scanning technology is used to capture electronic signatures and maintain an auditable chain of custody. Our advanced vehicle security, vehicle process controls, and auditable workflows provide a foundational defense against potential information loss and prevent common transportation-related errors.

Beyond Compliance
HIPAA requires that your partners be HIPAA compliant. To further mitigate risk, however, Iron Mountain goes beyond compliance. We employ best practices that we have developed and deployed at leading hospitals and other healthcare institutions around the country. This best-practice approach ensures that all reasonable measures are taken to protect patient information, to remain in good standing with the law and the public, and to promote a positive and responsible image in the community.

Conclusion

Even as healthcare organizations transition to electronic health records, you will continue to use physical records for years to come. Maintaining HIPAA compliance for the lifetime of all records, in the face of tightening regulations, is a difficult challenge.

With Iron Mountain Records Management Services, you get a solution that is proven in many of the leading healthcare institutions across the country. You can be confident your records are managed in a compliant manner, by a company that is itself HIPAA compliant. Furthermore, we constantly upgrade our processes to meet evolving regulatory requirements and best practices, ensuring our solution will remain compliant, now and into the future.

To learn more about our HIPAA-compliant Records Management solutions contact us today at 1-800-899-IRON.

About Iron Mountain. Iron Mountain Incorporated (NYSE: IRM) provides information management services that help organizations lower the costs, risks and inefficiencies of managing their physical and digital data. Founded in 1951, Iron Mountain manages billions of information assets, including backup and archival data, electronic records, document imaging, business records, secure shredding, and more, for organizations around the world. Visit the company Web site at www.ironmountain.com for more information.

© 2011 Iron Mountain Incorporated. All rights reserved. Iron Mountain, the design of the mountain and InControl are registered trademarks and Iron Mountain Connect is a trademark of Iron Mountain Incorporated in the U.S. and other countries. All other trademarks and registered trademarks are property of their respective owners.
US-HC-eXT-BP-102910-001

The HIPAA Primer Series

Our HIPAA Primer Series offers you in-depth insights into the proven best practice policies and procedures Iron Mountain employs to ensure that our solutions not only meet but exceed HIPAA requirements.

To learn more about how a specific solution can help you ensure your information remains highly secure yet readily accessible throughout its lifecycle, check out our other best practice guides from this series, including:
— Iron Mountain Cloud Storage Solutions: HIPAA-Compliant Solutions for Health Information Challenges
— Iron Mountain Data Protection Services: Proven, Trusted and HIPAA-Compliant Media Management
— Iron Mountain Document Conversion Services: The HIPAA-Compliant Approach to EMR Transition
— Iron Mountain Records Management Services: HIPAA-Compliant Solutions That Keep You Compliant
— Iron Mountain Release of Information Services: Coming Soon