In a highly competitive market, the quality of customer service is a critical factor in a financial services firm's success in capturing market share and growing revenues. Financial documents must be managed efficiently and accurately, and made available quickly to support timely customer service. Any delay caused by lost or unavailable records can cause serious customer dissatisfaction and could result in lost future business.
The typical office can handle roughly 150 to 300 trade confirmations, tax forms, client financial statements, and wealth management documents a day with a total volume of 300 to 500 pages. Financial Services companies are required to keep their financial documents for seven years to comply with SEC and NASD regulations, such as SEC Rule 17a-4. Maintaining records for several years is a costly and time-consuming process. Filing, storing, and retrieving huge volumes of paper documents consumes significant human resources and increases overall labor costs.
The laborious process of sifting through large volumes of paper to retrieve information can take several minutes or longer – in many cases while a customer waits impatiently on the phone. Often these situations require a return phone call, which leads to the inevitable “phone tag,” so that the customer inquiry goes unfulfilled for hours or even days. For agents and brokers, fast information access is fundamental to responsive customer service, a capability that differentiates them from competitors.
Stop the Paper Madness!
Put an end to the paper with a document management solution. Document management lets you work a file faster than if you had the actual paper in your hand. When a call comes in, users have the file in front of them instantly rather than wasting time looking it up or searching through file cabinets. Customer service improves, staff time is used more efficiently, and paper costs are kept to a minimum.
The ability to retrieve trade confirmations, financial plans, or other documents pertaining to a customer within seconds, eliminating the need to place customers on hold or call them back, is a major step forward for the office. Immediate printing, faxing, and emailing of any document at any time completes the change in expectations for customer service efficiency from both the agency’s and the customer’s perspective.
Document management also offers an efficient process for sorting, filing, and retrieving records in literally seconds, allowing personnel to:
- Eliminate File Cabinets and Paper Files. Document management allows an agency to eliminate the creation and retrieval of paper files. All paper files can be stored electronically on removable disks with capacities starting at over 85,000 typical pages per disk (a typical file drawer holds approximately 2,000+ pages), reducing the demand for physical space. The time and space savings are quite remarkable when the costs and benefits of implementing a document management solution are evaluated.
Some people may be under the mistaken impression that HIPAA compliance can be solved solely with technology. On the contrary, HIPAA compliance is primarily an organizational issue, with over 70% of it operational in nature. This means that in order to be compliant, the entire organization needs to be HIPAA compliant. Technology can help an organization get there, but it is only a small part of the solution. In fact, it is impossible for any technology vendor to claim that its product is HIPAA compliant. The best a technology vendor can do is design its products to make it easier for the customer to achieve HIPAA compliance.
The issue of HIPAA is something that has been troubling industries for several years now. Companies know that there is this new set of regulations that they need to adhere to, but there is much confusion about the specifics of these regulations. As a result many organizations don’t know what they need to do, if anything, to achieve compliance. This whitepaper will attempt to answer questions that you might have about HIPAA and how it relates to document imaging.
The Health Insurance and Portability Act of 1996 (HIPAA) was passed as federal law on August 21, 1996. It contained the following general objectives:
- Guarantee health insurance portability
- Reduce healthcare fraud and abuse
- Guarantee the security and privacy of health information
- Introduce standards for the administration of health information to increase the efficiency of health care organizations
HIPAA was originally created primarily to make it easier for employees to move from one job to another without fear of losing health coverage. Most of HIPAA revolves around these considerations; however, many other provisions were added to the law that deal with the other three areas listed above.
Although the law was passed several years ago, as of this writing, not all of its rules have been finalized. Since the law is not yet complete, organizations have some time to get up to speed with the new regulations. Additionally, the law will not be enforced until two years after all the rules have been written and finalized. This is important for the obvious reason that it is impossible to be in compliance with a law that has not yet been fully defined. With this in mind, we can discuss what we do know about HIPAA.
HIPAA contains a large subset of rules called “Administrative Simplification.” It is in here that we find the rules that are applicable to our needs. The rules are defined in three separate sections:
- Standards for Electronic Transactions
- Standards for Privacy of Individually Identifiable Health Information
- Security and Electronic Signature Standards
Of these rules, the first two have been finalized but do not really affect us, as they apply mostly to procedural issues surrounding health care organizations. The third rule is of the most interest to us, but it has been languishing since 1998 and has not been finalized. As a result, the best information we have is the proposed rule as published in the Federal Register on August 12, 1998. Details on these regulations can be found at http://aspe.hhs.gov/admnsimp/.
Specifics of Security Standard (not yet finalized)
The following tables contain the items that are required for compliance with HIPAA. Items of interest to document imaging applications are in bold.
ADMINISTRATIVE PROCEDURES TO GUARD DATA INTEGRITY, CONFIDENTIALITY, AND AVAILABILITY

| Requirement | Implementation features |
|---|---|
| Chain of trust partner agreement | |
| Contingency plan (all listed implementation features must be implemented) | Applications and data criticality analysis. Data backup plan. Disaster recovery plan. Emergency mode operation plan. Testing and revision. |
| Formal mechanism for processing records | |
| Information access control (all listed implementation features must be implemented) | Access authorization. Access establishment. Access modification. |
| Personnel security (all listed implementation features must be implemented) | Assure supervision of maintenance personnel by authorized, knowledgeable person. Maintenance of record of access authorizations. Operating, and in some cases maintenance, personnel have proper access authorization. Personnel clearance procedure. Personnel security policy/procedure. System users, including maintenance personnel, trained in security. |
| Security configuration mgmt. (all listed implementation features must be implemented) | Documentation. Hardware/software installation & maintenance review and testing for security features. Inventory. Security testing. Virus checking. |
| Security incident procedures | Report procedures. Response procedures. |
| Security management process | Risk analysis. Risk management. Sanction policy. Security policy. |
| Termination procedures | Combination locks changed. Removal from access lists. Removal of user account(s). Turn in keys, tokens or cards that allow access. |
| Training | Awareness training for all personnel (including management). Periodic security reminders. User education concerning virus protection. User education in the importance of monitoring log-in success/failure, and how to report discrepancies. User education in password management. |

PHYSICAL SAFEGUARDS TO GUARD DATA INTEGRITY, CONFIDENTIALITY, AND AVAILABILITY

| Requirement | Implementation features |
|---|---|
| Assigned security responsibility | |
| Media controls (all listed implementation features must be implemented) | Access control. Accountability (tracking mechanism). Data backup. Data storage. Disposal. |
| Physical access controls (limited access) (all listed implementation features must be implemented) | Disaster recovery. Emergency mode operation. Equipment control (into and out of site). Facility security plan. Procedures for verifying access authorizations prior to physical access. Maintenance records. Need-to-know procedures for personnel access. Sign-in for visitors and escort, if appropriate. Testing and revision. |
| Policy/guideline on work station use | |
| Secure work station location | |
| Security awareness training | |

TECHNICAL SECURITY SERVICES TO GUARD DATA INTEGRITY, CONFIDENTIALITY, AND AVAILABILITY

| Requirement | Implementation features |
|---|---|
| Access control (The following implementation feature must be implemented: Procedure for emergency access. In addition, at least one of the following three implementation features must be implemented: Context-based access, Role-based access, User-based access. The use of Encryption is optional.) | Context-based access. Encryption. Procedure for emergency access. Role-based access. User-based access. |
| Authorization control (At least one of the listed implementation features must be implemented.) | Role-based access. User-based access. |
| Entity authentication (The following implementation features must be implemented: Automatic logoff, Unique user identification. In addition, at least one of the other listed implementation features must be implemented.) | Automatic logoff. Biometric. Password. PIN. Telephone call back. Token. Unique user identification. |

TECHNICAL SECURITY MECHANISMS TO GUARD AGAINST UNAUTHORIZED ACCESS TO DATA THAT IS TRANSMITTED OVER A COMMUNICATIONS NETWORK

| Requirement | Implementation features |
|---|---|
| Communications/network controls (If communications or networking is employed, the following implementation features must be implemented: Integrity controls, Message authentication. In addition, one of the following implementation features must be implemented: Access controls, Encryption. In addition, if using a network, the following four implementation features must be implemented: Alarm, Audit trail, Entity authentication, Event reporting.) | Access controls. Alarm. Audit trail. Encryption. Entity authentication. Event reporting. Integrity controls. Message authentication. |
| Digital signature (If digital signature is employed, the following three implementation features must be implemented: Message integrity, Non-repudiation, User authentication. Other implementation features are optional.) | Ability to add attributes. Continuity of signature capability. Countersignatures. Independent verifiability. Interoperability. Message integrity. Multiple signatures. Non-repudiation. Transportability. User authentication. |
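To make the technical safeguards above concrete, here is an added example (example code written for this page, not PIF Technologies' product and not part of the original whitepaper) that models the features the Technical Security Services table requires together: unique user identification with role-based access, automatic logoff after inactivity, and a procedure for emergency access that is always recorded as such. It also keeps an audit trail with an integrity control, an HMAC chain over the entries, of the kind the network-mechanisms table asks for. The roles, actions, 15-minute timeout, record identifiers and HMAC key are all constructed for the example; the proposed rule names the features but fixes none of these values.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed role-to-permission map standing in for an imaging system's
# role-based access configuration (hypothetical roles and actions).
ROLE_PERMISSIONS = {
    "clerk": {"view"},
    "billing": {"view", "print"},
    "records_admin": {"view", "print", "modify", "delete"},
}

# Assumed inactivity limit for automatic logoff; the proposed rule requires
# the feature but fixes no number.
AUTO_LOGOFF_SECONDS = 15 * 60

# Constructed key for the audit-trail HMAC. A deployment would load it from
# protected key storage rather than hard-coding it.
AUDIT_KEY = b"constructed-demo-key-not-for-production"


@dataclass
class Session:
    user_id: str           # unique user identification
    role: str
    last_activity: float   # seconds since epoch; passed in explicitly for determinism


@dataclass
class AuditTrail:
    """Append-only audit trail. Each entry's HMAC tag covers the previous tag
    as well as its own body, so altering or dropping any earlier record breaks
    verification of everything after it."""
    records: list = field(default_factory=list)

    def _tag(self, prev_tag: str, body: dict) -> str:
        payload = (prev_tag + json.dumps(body, sort_keys=True)).encode()
        return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()

    def append(self, body: dict) -> None:
        prev_tag = self.records[-1]["tag"] if self.records else ""
        self.records.append({"body": body, "tag": self._tag(prev_tag, body)})

    def verify(self) -> bool:
        prev_tag = ""
        for entry in self.records:
            if not hmac.compare_digest(self._tag(prev_tag, entry["body"]), entry["tag"]):
                return False
            prev_tag = entry["tag"]
        return True


def authorize(session: Session, action: str, record_id: str, now: float,
              trail: AuditTrail, emergency: bool = False):
    """Decide whether `session` may perform `action` on `record_id` at time `now`.

    Order of checks: automatic logoff first, then the role's normal permissions,
    then the emergency-access procedure (read-only, always flagged in the trail).
    Every decision, allowed or denied, is written to the audit trail.
    """
    if now - session.last_activity > AUTO_LOGOFF_SECONDS:
        allowed, reason = False, "session expired (automatic logoff)"
    else:
        session.last_activity = now
        if action in ROLE_PERMISSIONS.get(session.role, set()):
            allowed, reason = True, "role permits action"
        elif emergency and action == "view":
            allowed, reason = True, "emergency access procedure invoked"
        else:
            allowed, reason = False, "role does not permit action"

    trail.append({
        "user": session.user_id,
        "role": session.role,
        "action": action,
        "record": record_id,
        "time": now,
        "allowed": allowed,
        "emergency": reason.startswith("emergency"),
        "reason": reason,
    })
    return allowed, reason


if __name__ == "__main__":
    trail = AuditTrail()
    clerk = Session("u-0423", "clerk", last_activity=1000.0)      # constructed user
    print(authorize(clerk, "view", "rec-17", 1100.0, trail))       # allowed by role
    print(authorize(clerk, "delete", "rec-17", 1200.0, trail))     # denied by role
    print(authorize(clerk, "view", "rec-17", 1200.0 + 16 * 60, trail))  # expired
    temp = Session("u-0999", "temp_staff", last_activity=5000.0)  # role with no grants
    print(authorize(temp, "view", "rec-42", 5001.0, trail, emergency=True))
    print("audit trail intact:", trail.verify())
    trail.records[0]["body"]["allowed"] = False                   # simulate tampering
    print("after tampering:", trail.verify())
```

The design point is that denials and emergency grants are written to the same chained trail as ordinary access, so the person responsible for security can review break-glass use and failed attempts from one record whose integrity can be checked independently of the application that wrote it.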
Understanding HIPAA can be a daunting task. This is largely because of the complexity of the legislation. Fortunately for a document imaging vendor, the majority of the effort in achieving and maintaining HIPAA compliance is administrative in nature for an organization that maintains health information. The technology used to store the health information is only a small part of the whole HIPAA equation.
Some organizations that need to be HIPAA compliant will appoint people within their organization to be in charge of the privacy and security aspects of the HIPAA regulations. These people will become intimately familiar with all the rules (once they are final) and will be the ones responsible for ensuring that their organization is compliant.
Other organizations will opt to outsource these positions. There are already several companies offering HIPAA analysis and auditing services. Whatever route these organizations take, they can be sure that PIF Technologies will be helping them on their quest for HIPAA compliance.