Automatic Recordkeeping – An Essential Tool for Regulatory Compliance
It’s unlikely anyone’s going to make a movie about the exciting on-the-job acts of a professional record keeper, but the fact remains that keeping records of what happened in an easy-to-parse format is essential (and, in fact, required by law) in many industries. Here are some examples.
HIPAA – Proving Compliance for Breaches and Audits
Given the significant fines associated with failure to protect private patient information under HIPAA, it’s easy to see why data security is the focus of everyone’s attention. However, protecting yourself from HIPAA breach costs isn’t just about building strong defenses; it’s also about documentation.
“When we work with clients, we find that many of you have policies in place, policy books, notebooks, policies on websites, and on internal portals that your employees can get to.
Then we look for documented procedures and just put the word “written” in front of each one of these things: written policies, written procedures, and written evidence. We find that a lot of organizations had policies, but they don’t have any documented procedures. They tell us what they do, but there’s no way to provide documentation on that. Documentation is critical whenever you’re being audited or investigated.
You have to have evidence that proves that you’re actually doing the things.”
— Mike Semel
President & Chief Compliance Officer, Semel Consulting
Because part of breach response and auditing under HIPAA is being able to prove who accessed what, and when, your organization should log every access to protected health information, including all legitimate use, with the person, the record touched and the time. It’s also important to remember that inappropriate access (“snooping”) by a staff member is still a breach under HIPAA, even though the person is not an outside attacker.
In the event that you do have a breach, HIPAA has extensive notification requirements: you must tell not only the government but also each affected patient exactly what was exposed and when. The more complete and searchable your records, the faster and cheaper that breach response will be.
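The two HIPAA requirements above, a complete record of who accessed which patient’s information and when (legitimate use included), and the ability to report per patient what was touched, are only as good as the integrity of the log: a record that anyone with database access could quietly edit proves little to an auditor. The following is an added example of one way to meet both, written for this page rather than taken from XMedius or any product it describes. The hash-chained log, the staff and patient identifiers, the care-team mapping and the sample entries are all constructed for illustration. The same structure serves the FERPA case in the next section, where the record is who requested a student’s records and what was released.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # placeholder "previous hash" for the first entry


def _digest(body):
    """Canonical SHA-256 over an entry's fields (sorted keys make it deterministic)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


class AccessLog:
    """Append-only access log in which every entry commits to the hash of the
    previous one, so an edited or deleted entry breaks the chain and is detectable."""

    def __init__(self):
        self.entries = []

    def record(self, actor, patient_id, action, when=None):
        """Append one access event; returns the new entry's hash."""
        when = when or datetime.now(timezone.utc)
        body = {
            "ts": when.isoformat(),
            "actor": actor,
            "patient": patient_id,
            "action": action,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        body["hash"] = _digest(body)  # hashed before the hash field exists
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        """(True, n) if all n entries chain correctly, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            unsigned = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or _digest(unsigned) != entry["hash"]:
                return (False, i)
            prev = entry["hash"]
        return (True, len(self.entries))

    def accesses_for_patient(self, patient_id):
        """Per-patient disclosure report: (timestamp, actor, action), in order."""
        return [(e["ts"], e["actor"], e["action"])
                for e in self.entries if e["patient"] == patient_id]

    def suspected_snooping(self, care_teams):
        """Entries by actors who are not on that patient's care team.
        care_teams maps patient id -> set of authorized actors (constructed here)."""
        return [e for e in self.entries
                if e["actor"] not in care_teams.get(e["patient"], set())]


# Constructed sample data: hypothetical staff, patients and a fixed day in 2024.
CARE_TEAMS = {"P-1001": {"dr.alvarez", "nurse.kim"}, "P-2042": {"dr.alvarez"}}


def build_sample_log():
    log = AccessLog()
    t = lambda h, m: datetime(2024, 3, 5, h, m, tzinfo=timezone.utc)
    log.record("dr.alvarez", "P-1001", "view_chart", t(9, 2))
    log.record("nurse.kim", "P-1001", "update_vitals", t(9, 15))
    log.record("dr.alvarez", "P-2042", "view_chart", t(10, 0))
    log.record("billing.lee", "P-1001", "view_chart", t(12, 47))  # not on the care team
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain valid:", log.verify())
    for row in log.accesses_for_patient("P-1001"):
        print(*row)
    for e in log.suspected_snooping(CARE_TEAMS):
        print("review:", e["actor"], "touched", e["patient"], "at", e["ts"])
```

Hash chaining makes a silent edit or deletion detectable after the fact; it does not stop an insider with write access from rewriting the whole chain. Production systems therefore pair it with write-once storage, periodic anchoring of the latest hash somewhere the log’s administrators cannot reach, or digital signatures over each entry.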
FERPA – Tracking Who Asked for Records & What They Got
FERPA, the privacy law governing the protection of American students’ school records, is in many ways less restrictive than HIPAA, but for the education industry it’s still an essential consideration. Access to student records is limited to parents, students, and employees or volunteers with a legitimate educational interest.
When outside parties (including parents, once a student has turned 18 or enrolled in a postsecondary school) request access to that information, the institution should record its response and which records (if any) were released.
SOX – Fraud Prevention & Discovery Through Careful Reporting
The Sarbanes-Oxley Act (SOX) was passed to combat corporate accounting fraud by requiring a high level of transparency and accountability in financial reporting.
Despite that focus, SOX does not apply only to financial firms: it applies to publicly traded companies whatever their line of business, so the finance and accounting functions of any such corporation must be aware of it and adhere to it.
Record keeping and documentation of changes to financial information are essential to SOX compliance, with corporations being required to save all business records, including electronic records and messages, for at least five years.
Build an Automatically-Generated Audit Trail into Your Communications
You’re already sending documentation back and forth, and if you’re in the above industries (along with many others), you need to be doing it securely. Using secure communications solutions that automatically generate an audit trail not only saves staff time and money, it can help protect your organization from punitive regulatory action.
As Mike Semel says above, doing everything right may not protect you if you can’t prove it.
XMedius offers two industry-leading solutions that check both boxes. XM Fax is an enterprise-grade Fax over IP (FoIP) service that automatically records transmission data, including delivery confirmation. Retention options let you store or delete the documents themselves separately from the transmission records, so you can keep the audit trail while holding zero document content when policy or law requires it.
XM SendSecure is a cutting-edge secure file exchange platform that combines excellent security with intuitive design. It’s as easy as sending an email, but offers a host of features, including keeping extensive records of all interactions, that can improve business processes.
Learn more about how these solutions can make your organization better protected and more efficient: