Document management isn’t just about software; it’s about process and strategy. It may start with software, but it encompasses corporate policies, procedures, and processes, and a successful implementation requires a carefully thought-out plan of attack. After all, the software itself is of little use unless you have a strategic plan for what you want to accomplish with it.
A surprising number of companies are subject to legislation dictating how and where documents are stored and for how long. To examine compliance issues, we’re going to look at HIPAA (the Health Insurance Portability and Accountability Act), which governs how any documents relating to patient privacy are treated and accessed. Companies that are directly under HIPAA mandates must comply, and it is incumbent on companies that are indirectly impacted to comply as well; that is, any contractor or supplier dealing with a HIPAA subject must also be HIPAA-compliant.
Given that government compliance can be imperative even for those peripherally involved, when strategizing for compliance it’s important to determine who must comply. If you are a hospital or pharmacy, you are obviously under HIPAA jurisdiction. But you must also determine whether your suppliers, partners, and outsourcers must be in compliance as well. This will have a major impact on your document management strategy, especially in terms of third-party access.
One of the biggest benefits of a document management system is that it improves workflow and simplifies document creation and sharing — but much of this simplification comes from easier access, which must be offset with tighter controls that ensure compliance with all necessary regulations. Strategy for document management in relation to compliance starts with evaluating who has access and then imposing regulations on that access as well as an audit trail.
A document management system imposes order on huge numbers of documents in multiple formats, both structured and unstructured. A retention strategy is necessary and must start with an evaluation by the legal department. In most cases, when discovery is ordered it is incumbent upon the party in question not only to provide the requested documents, but also to provide an audit trail, evidence of a retention policy, and evidence that the policy has been uniformly enforced. A document provided by a company with no retention policy and no audit trail is of little value in a court of law. By the same token, if an incriminatory document has been destroyed, but the destruction was in complete compliance with a long-standing retention policy, then the company is not liable.
A retention strategy must determine, in writing, what is to be saved, for how long, and where. Records of access must be kept as an audit trail, and deletion of documents must be absolutely uniform. If exceptions are anticipated, there must be a written policy describing them, in order to protect the company from legal liability.
The process can start with the creation of a “records compliance task force” to outline a written policy and establish an audit trail. The archiving procedure also needs to be reviewed and tested from time to time, to ensure that electronic backups are being performed adequately and that data integrity is preserved.
The creation of content — especially in a corporate environment where the business is subject to regulations like HIPAA or Sarbanes-Oxley — must be done with caution and with standardized procedures. Most importantly, it must be recognized that the creation of electronic content is often a joint effort, and document management facilitates this process with new tools. At the most basic level, a private wiki allows multiple people to share in the creation; more formal document management software systems will allow for this interaction while imposing rules and regulations, access control, and retention of multiple versions of the document.
A solid content creation strategy will allow one person to “own” the document, while allowing others to access, revise, and edit the document based on their role and subject to the document owner’s oversight. The strategy allows the document to be locked from further editing once it has been determined that it is complete, and then allows the document to be routed to all major stakeholders for an approval process.