HIPAA-compliant DAM for Healthcare FAQ

HIPAA is probably a term you have heard when visiting your doctor or pharmacy. It is an acronym for the “Health Insurance Portability and Accountability Act,” which was signed into law in 1996. It established, for the first time, a set of national standards for the protection of certain health information. Among other things, it calls for privacy standards for individually identifiable health information. This portion of HIPAA defines how personal health information may be used by “covered entities” (any health care provider who transmits any health information in electronic form, or their business associates).

A major goal of HIPAA is to ensure that an individual’s health information is protected, while allowing the flow of needed information to promote high-quality health care.

In a practical sense, you may have to sign documents acknowledging that you have read and understood the healthcare provider’s privacy policies. Or you may be kept from standing near the counter where others are being helped, so that you do not overhear the conversation between a customer and the pharmacist.

What does this have to do with Digital Asset Management (DAM)? If you are in a health care field, this may already be self-evident. If you are not in a health care field, there may still be good reasons why this applies to your DAM efforts.

A Digital Asset Management solution can help organizations manage photography, branded assets and other items in a centralized way to support collaborative work. A DAM allows content to be managed (for usage rights, for example) or shared with other business units. Content managed in a DAM may carry incidental patient health information, either in the metadata or implied by the content of the photograph itself (think of an “Oncology” sign behind a patient talking to a health care provider).

HIPAA requires that a system complying with its requirements protect the confidentiality of patients, maintain the integrity of the stored information, and ensure that the information is available on demand to authorized persons. These three properties underlie the privacy and security of protected health information.

  • Availability: data is accessible and usable by an authorized person on demand
  • Confidentiality: data is not disclosed to unauthorized persons (or processes)
  • Integrity: data has not been altered or destroyed in an unauthorized manner

Since a digital asset management system may include incidental protected health information (iPHI), it is important for the owner of the assets in a DAM solution (like Merlin) to protect those assets and the associated iPHI.

Merlin does this through administrative processes, physical safeguards and technical controls.

HIPAA has both a Privacy Rule and a Security Rule component.

The Privacy Rule sets the standards for who may access PHI. The Security Rule sets the standards for enforcing the privacy standard, ensuring that only those who should have access to PHI actually do.

Merlin Compliance safeguards content by providing:

  • A segregated hardware environment. Each customer has their own DAM instance. All Merlin sites are single tenant!
  • Appropriate use of Active Directory to manage users (even MerlinOne customer service staff)
  • Internal training and procedures
  • Designated Security Official
  • Enforcement of basic security safeguards
  • Password Policies enforced
  • Incident Management

For organizations that need to manage iPHI, the need to comply with HIPAA requirements should be obvious.

For organizations that are not covered by HIPAA, a HIPAA-compliant DAM solution may still provide an extra layer of protection and peace of mind, knowing that your assets and metadata are secured with additional safeguards.

To read about HIPAA requirements, visit the Health & Human Services website: https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
