Here at Sherpa, we’re frequently contacted by organizations looking to learn more about complying with federal regulations, such as HIPAA or Sarbanes-Oxley.
HIPAA, the Health Insurance Portability and Accountability Act, was enacted in 1996; among its provisions is the protection of patient privacy. It gives patients the right to access their medical records and, in most circumstances, prevents healthcare providers from sharing sensitive patient information without the patient’s permission. For example, while doctors may share some information with each other in order to provide better care, insurance companies cannot share patient medical records with the patient’s employer. Patients also have the right to amend any medical record that they believe contains erroneous information, to specify how they may be contacted (down to whether a doctor may leave a message on a telephone answering machine), and to name individuals and organizations that are to be denied access to their personal information.
Under HIPAA, both physicians and insurance providers are required to ensure the security and confidentiality of all patient medical data. This covers physical security as well as the establishment of procedures and safeguards that define who has access to medical data, and the law applies not only to paper documents but to electronically stored information as well. From a broader information governance perspective, it also means establishing an awareness of what HIPAA-regulated information exists in your environment, and where, in order to properly assess risk and potential legal exposure. In practice this entails restricting access to patient health files (authentication and, where appropriate, encryption) and keeping a record of which personnel have accessed them. It also means monitoring what data leaves the organization, not only in paper form but as text within email or attached files. Data stored “in the cloud” (including cloud-based email systems such as Office 365) is subject to the same regulation and compliance requirements.
HIPAA provides needed and (seemingly) obvious protection to the healthcare consumer; but to those individuals and organizations that provide healthcare, it necessitates an increased level of accountability in managing and protecting information.
While some industries are not as heavily regulated by laws such as HIPAA, maintaining adequate information governance is a sound business practice for any type of organization.
Looking into Sherpa Software’s information governance solutions? Click here to get a free custom information asset evaluation today.
Recently, I’ve been investigating ARMA certification as an Information Governance Professional (IGP). Needless to say, there is a substantial amount of material outlined in the DACUM curriculum for that program, but I’ve learned that there are a series of core elements common to effective information governance programs. For the purposes of this discussion, I am defining information governance as:
“An accountability framework that encourages desirable behavior in the valuation, creation, storage, use, archival and deletion of information. It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.”
The ultimate goal of information governance is to recognize that information, generated by day-to-day operations of an organization, is a valuable corporate asset that must be managed and disposed of in a responsible fashion. Like most complex initiatives, creating an information governance strategy can seem overwhelming. Breaking the project down into discrete phases helps organize the effort and makes it a bit less daunting to undertake. Based on the IGP program and other resources, here are some broad project categories you can use to get started:
- Understand & assess your business goals. Each organization has a unique set of business objectives and constraints that must be factored into their governance strategies, and the goal of this phase is to uncover those. For example, is your organization subject to specific regulatory requirements? Regulations such as HIPAA or SOX may not only impose restrictions on how information is handled, but may introduce additional risk in the form of fines or sanctions if the regulations are violated. In addition to regulations, be sure to identify key sponsors and stakeholders, outline external dependencies and consider budgetary constraints during this phase.
- Plan & document the governance strategy. With a solid understanding of the business goals that your governance strategy must achieve, you can turn your attention toward developing a detailed plan for reaching those goals. We recommend approaching this process by creating a project plan that maps each business goal to the governance tasks required to support that goal. For example, HIPAA compliance requires potentially sensitive data to be safeguarded or encrypted and access controls to be enforced. Each of those requirements may in turn result in secondary project tasks, such as developing RFP or RFI documents for new access control systems.
- Implement the strategy. The steps outlined in your project plan become the basis for the implementation phase of the initiative. During this phase, policies are drafted, approved and rolled out to the organization. In conjunction with introducing new policy controls, technology solutions may be put in place to enforce compliance. Not all policies and procedures can be fully technology-based, however, so it is also important to work with the corporate training and change management teams to make sure a comprehensive training program is rolled out to employees. Training should stress the importance of corporate information as an asset, and the responsibilities that individual employees have for protecting that asset.
- Manage the program on an ongoing basis. An information governance process does not end with implementation; ongoing management of the process is a crucial element. Regulations change, business needs evolve and employee turnover will occur. Plan to address these organizational changes by conducting periodic audits, reviews and training programs that close any gaps in the process as they emerge over time.
Over the coming months we will be covering each phase of building a corporate information governance framework in more detail in our white paper series. Watch the Sherpa Software web site for more information, or join our LinkedIn group for the latest updates.
Trying to explain the purpose of eDiscovery can be a daunting task; just a few weeks ago I’d be hard-pressed to provide an adequate explanation. After working at Sherpa these past few months however, I have come to acknowledge just how important it is to an organization to have a firm grasp of eDiscovery solutions.
Put yourself, for a second, in the shoes of a frazzled employee, suddenly in charge of finding a piece of information that could save your company in a massive litigation case; you’ve got a little over a thousand mailboxes that need to be searched, and each mailbox is a few years old. How could anyone, anywhere, deal with a task of that magnitude?
This is the core of what eDiscovery is, from the point of view of that poor person on the front lines – those awkward, frustrating initial steps where parties are required to collect all information regarding a pending case, including any potentially responsive files, conversations or incriminating emails. All this information needs to be gathered in order to lay it all before attorneys who filter it further before the data finally ends up in front of the courts.
Now, try to imagine doing that without the use of eDiscovery search, collection and review tools. The task would be impossible. The sheer man-hours, wasted productivity and compounding legal fees spent just filtering through documents to find relevant evidence is not the kind of position anyone ever wants to put themselves in. Just thinking about it can make your skin crawl.
Understanding the process for collecting electronic information leads into a greater understanding of how the corporate world actually functions. Running a business effectively could very much be described as an exercise in records management and information governance. And if you think private litigation is bad, imagine how much the pressure mounts when it’s not just your assets on the line, but the well-being of your company as a whole, including your employees and potentially your customers. This isn’t to say that you should scramble to get your electronic assets in order and put the fear of eDiscovery in your heart, only that you should be weighing the impact such events could have on your organization. There are real risks and costs that aren’t apparent until you encounter them for the first time. Getting ahead of any eDiscovery challenges and putting your records in order keeps you ahead of the curve and saves you time, stress and money if the need ever arises.
With compliance and other requirements necessitating the elimination of loose PST files, companies are burdened with moving this data to a centralized repository in a timely, secure and cost-effective manner. However, PST files are often dispersed throughout an organization’s network, making them difficult to locate, access and manage.
In this case study, we explore a migration for a domestic healthcare manufacturing company with 6,000 users and approximately 50,000 PST files. This totaled more than 150 TB of data that needed to be filtered and moved to an on-premises Microsoft Exchange server. In order to automate the PST migration, the organization deployed Sherpa Software’s Mail Attender for Exchange. This paper discusses the phases of the project and how to monitor the ingestion.
If you would like to learn more about Mail Attender, please click here. Or, if you would like to learn more about Sherpa Software’s professional services, click here.