Important DMS Features for Complying With HIPAA

Posted on January 25, 2022

Healthcare and insurance providers are constantly asking themselves two questions: How do we improve the quality of care we provide to patients, and how do we do it more profitably? One of the most common answers to both is deploying a document management system. A DMS centralizes all patient information in a single system, where stakeholders can easily find the records they need to get the job done. It also opens the door to automating all kinds of clerical processes, reducing mistakes that can have catastrophic consequences and delivering much-needed care faster.

However, healthcare and insurance providers can’t just deploy any old DMS. They’re going to need a solution that can stand up to HIPAA, which sets standards for how patient information is stored and shared.

User Authentication

Perhaps the most important component of HIPAA compliance is a mechanism that authenticates anyone who wants to access the document management system. This can be a username and password, a PIN, an HID badge, biometrics, or even facial recognition. The point is that you need a unique identifier to confirm that the person requesting access is someone with permission to have it. In the same way that a bank vault combination keeps just anyone from having free rein over the valuables inside, user authentication keeps unauthorized personnel from rummaging through your document management system.

Access Control

If user authentication prevents unauthorized users from accessing the system, access control prevents authorized users from seeing documents they shouldn’t be able to see. For example, your accounting team doesn’t need to see a patient’s test results, just the information relevant to billing that patient. Access control also limits which actions a specific user can take within the system. For example, some users might be able to read a document but not append to it or share it.

Another important component of access control is ensuring that users are logged out when they’re done using the system. While you can rely on people to follow the rules most of the time, they are human: they forget, and they make mistakes. As a safeguard, your document management system should automatically log users out after a specified period of inactivity. That way, when someone forgets to log out, the DMS does it for them, preventing someone else from using that person’s privileges within the system.

Encryption

HIPAA requires that digital documents be encrypted both when stored and when transmitted, whether over public or private networks. This ensures that even if a document is stolen at rest or in transit, its contents cannot be read. We recommend using 256-bit encryption, the highest standard available today.

Audit Trails and Reporting

Aside from preventing unauthorized access and protecting personally identifiable information, you’ll want to keep track of who is doing what, and when they’re doing it. You’re also going to want a way to create reports that show you’re complying with HIPAA, and to be able to take corrective actions thereafter. While this isn’t going to prevent undesirable outcomes, it’s going to make life easier for compliance officers and investigators who need to make sense of what’s happening in your organization.
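To make the access-control, idle-logout and audit-trail requirements above concrete, here is an added Python example. It is not Centric’s product or any real DMS code: a toy access layer with an assumed role-to-permission matrix (billing staff see only billing documents), an assumed 15-minute idle timeout that deactivates a forgotten session, and an append-only audit log in which each entry carries the hash of the previous one, so a compliance officer can both report on denied attempts and detect that the log itself has not been edited. Role names, user names, document ids and timestamps are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib
import json

IDLE_TIMEOUT = timedelta(minutes=15)  # assumed policy value, not a HIPAA-mandated number

# Assumed role-to-permission matrix: which actions each role may take on each document category.
ROLE_PERMISSIONS = {
    "clinician": {"clinical": {"read", "append", "share"}, "billing": {"read"}},
    "billing":   {"billing": {"read", "append"}},
}

# Constructed sample document catalogue: document id -> category.
DOCUMENTS = {
    "pt-1001-labs": "clinical",
    "pt-1001-invoice": "billing",
}


@dataclass
class Session:
    user: str
    role: str
    last_activity: datetime
    active: bool = True


class AuditLog:
    """Append-only log; each entry hashes its predecessor, so edits or deletions break the chain."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        self._prev = self.GENESIS

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, when, user, action, document, outcome):
        body = {"ts": when.isoformat(), "user": user, "action": action,
                "document": document, "outcome": outcome, "prev": self._prev}
        entry = dict(body, hash=self._digest(body))
        self._prev = entry["hash"]
        self.entries.append(entry)

    def verify(self):
        """Recompute the chain; False means an entry was altered, removed or reordered."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def report(self):
        """Summary a compliance officer can act on: how many attempts were refused, and by whom."""
        denied = [e for e in self.entries if e["outcome"] != "allowed"]
        return {"events": len(self.entries), "denied": len(denied),
                "denied_users": sorted({e["user"] for e in denied})}


class DMS:
    def __init__(self, audit):
        self.audit = audit
        self.sessions = {}

    def login(self, user, role, now):
        sid = f"s{len(self.sessions) + 1}"
        self.sessions[sid] = Session(user, role, now)
        self.audit.record(now, user, "login", "-", "allowed")
        return sid

    def access(self, sid, document, action, now):
        """Every decision, allowed or not, is written to the audit trail before returning."""
        s = self.sessions.get(sid)
        if s is None or not s.active:
            self.audit.record(now, s.user if s else "unknown", action, document, "no_session")
            return False
        if now - s.last_activity > IDLE_TIMEOUT:
            s.active = False  # automatic logout of a forgotten session
            self.audit.record(now, s.user, action, document, "session_expired")
            return False
        s.last_activity = now
        category = DOCUMENTS.get(document)
        allowed = action in ROLE_PERMISSIONS.get(s.role, {}).get(category, set())
        self.audit.record(now, s.user, action, document, "allowed" if allowed else "denied")
        return allowed


def demo():
    """Walk a clinician and a billing clerk through the system; returns (decisions, audit log)."""
    t0 = datetime(2022, 1, 25, 9, 0, 0)
    log = AuditLog()
    dms = DMS(log)
    doc = dms.login("dr.adams", "clinician", t0)
    clerk = dms.login("b.jones", "billing", t0)
    results = [
        dms.access(doc, "pt-1001-labs", "read", t0 + timedelta(minutes=1)),        # True
        dms.access(clerk, "pt-1001-labs", "read", t0 + timedelta(minutes=2)),      # False: billing can't see labs
        dms.access(clerk, "pt-1001-invoice", "append", t0 + timedelta(minutes=3)), # True
        dms.access(doc, "pt-1001-labs", "share", t0 + timedelta(minutes=20)),      # False: idle 19 min, logged out
        dms.access(doc, "pt-1001-labs", "read", t0 + timedelta(minutes=21)),       # False: session no longer active
    ]
    return results, log


if __name__ == "__main__":
    decisions, audit = demo()
    print(decisions, audit.report(), "chain intact:", audit.verify())
```

The hash chain is what turns a plain log into evidence: a real deployment would also ship entries to a separate, write-once store so that a user with DMS administrator rights cannot rewrite history from inside the system.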

Physical Security and Backup & Disaster Recovery

Although your DMS exists in the digital realm, there are still physical components to consider, like the server it’s hosted on and the building where that server lives. If you host the DMS yourself, you’ll need secure, controlled access to those servers and video surveillance in and around the areas where they are kept. You’ll also need to ensure maximum uptime, which means backup power supplies in the event of a blackout and housing the servers in an environment with fire suppression systems.

Healthcare providers are a prime target for ransomware gangs because of how important their data is to their operations. When the NHS was hit by the WannaCry ransomware, the entire system came to a standstill. With something like healthcare, time is of the essence. It’s one thing when you cannot fulfill an order of widgets because you’re locked out of your DMS. It’s another when you cannot perform lifesaving surgery. Attackers count on this urgency converting into a higher percentage of ransoms paid. But if you can recover your ransomed data without paying, and about as fast as you could by paying for a key, the bad guys don’t win.

At the same time, healthcare and insurance providers are also as likely to suffer a natural disaster (like a fire or flooding) as anyone else. Therefore, it’s very important that all that data is backed up somewhere offsite. That way, should disaster strike—naturally or due to hackers—that data can be recovered as soon as possible. The alternative would be losing that data permanently.

This is what makes working with a cloud document management service provider so attractive. Odds are, they have more resources and expertise to secure and back up your environment, digitally and physically, than you do.

Contact Centric Business Systems today

Want to learn more about how Centric Business Systems can help your organization begin the transition to a paperless environment? Contact our experts today. Whether you require upgraded equipment or an in-depth analysis of your workflow, we have the expertise needed to maximize your systems and help you make the most of our technology. Give us a call at 877-902-3301, send us an email at, or fill out our contact form to learn more about how we can help your organization run better.

Please follow us on Facebook, LinkedIn, and Google+.