Should we pay thousands of dollars to ensure that our computer system records the identity of every person who scans a document?

Our compliance officer says that the system's failure to record the identity of those who scan subsequent documents is a violation of HIPAA because that information is protected health information, and we need to track who sees it. What's more, fixing this problem will cost thousands of dollars.

My question is: Is this really a HIPAA violation? Should we shell the money needed to fix this problem? Secondly, why can't we just add the record or scanned document manually? After it is added, anybody accessing the record is electronically captured for auditing purposes.

A. The recurrent theme throughout the HIPAA regulations is that the "right" implementation of administrative and technical safeguards are those appropriate, reasonable methods that meet the specific needs of your organization. One size does NOT fit all, and section 164.306(b)(2) clearly states that the following four tenets are to be considered when formulating your security plan:

(i) The size, complexity, and capabilities of the covered entity

(ii) The covered entity's technical infrastructure, capabilities. hardware, and software security

(iii) The costs of security measures

(iv) The probability and criticality of potential risks to EPHI

This particular issue could be impacted by an organization's interpretation of several of the security standards - security management process (164.308(a)(1)(ii)(A) risk analysis,(B) risk management,(D) information system Activity Review)), information access management (164.308(a)(4)), access controls (164.312(a)(1)), audit controls (164.312(b)), and/or integrity (164.312(c)(1)).

Ultimately, an organization's risk analysis and management strategies are what drive their approach to implementation of the standards. Hospital leadership needs to evaluate the risk involved in not capturing the identity of the individual scanning additional documents onto the patient record. Some questions to consider may be:

• What members of your workforce have access to the scanning function?
• Can the individuals scanning additional documents in later imaging sessions delete images as well  How is this tracked in the system?
• Can the individuals scanning additional documents review other previously-entered PHI during the same session  If so, is it audited under their own unique user ID?
• What are the potential dangers to your organization if you are not able to identify who scanned the document?

Responding to the security regulations does NOT require extravagant procedures or expensive technical solutions. In this case, addressing the issue may be as simple as having the individual scanning the consent form use a rubber stamp they initial and date in the bottom corner of the document prior to scanning it into the system to capture their identity. The organization could write a brief policy and procedure to address this specific practice (including a signature key for document scanning staff and a question and answer process to ensure the procedure is followed). This provides for a reasonable attempt to address the administrative safeguard until your imaging system vendor addresses the issue in a future upgrade.

As far as the vendor is concerned, it is advised that the organization keep all documentation from the vendor regarding the issue (including any correspondence and programming quotes related to changing the audit trail) with their HIPAA policies and procedures. In addition, they should continue to work with the vendor, other clients of the vendor, and any vendor user groups in order to keep the issue on the table for eventual resolution.

Editor's note: This answer was provided by Elizabeth Stewart, RHIA, CHAM, vice president and managing partner of The Stewart Group, LLC in Akron, OH.