
Understanding HIPAA

by Harvey Coblin on March 19, 2014

Here at Sherpa, we’re frequently contacted by organizations looking to learn more about complying with federal regulations, such as HIPAA or Sarbanes-Oxley.

HIPAA, the Health Insurance Portability and Accountability Act, was enacted in 1996 to ensure the protection of patient privacy. Foremost, it gives patients the right to access their medical records and prevents (in most circumstances) healthcare providers from sharing sensitive patient information without the patient’s permission. For example, while doctors may share some information with each other in order to provide improved care, insurance companies cannot share patient medical records with the patient’s employer. Additionally, patients have the right to amend any medical record that they feel contains erroneous information. Furthermore, patients can specify how they can be contacted, including even whether a doctor can leave a message on a telephone answering machine; patients are also able to specify individuals and organizations that should be denied access to their personal information.

Under HIPAA, both physicians and insurance providers are required to ensure the security and confidentiality of all patient medical data; this applies to physical security as well as the establishment of procedures and safeguards that define who has access to medical data. The law applies not only to paper documents, but to electronically stored information as well. From a broader information governance perspective, it also means establishing an awareness of what HIPAA-regulated information exists in your environment, and where, in order to properly assess risk and potential legal vulnerability. This can entail protecting data with passwords and tracking what personnel have access to patient health files. It also means monitoring what data leaves the organization, not only in paper form, but as text within email or attached files. Data stored “in the cloud” (including cloud-based email systems, such as Office 365) are subject to regulation and compliance as well.

HIPAA provides needed and (seemingly) obvious protection to the healthcare consumer; but to those individuals and organizations that provide healthcare, it necessitates an increased level of accountability in managing and protecting information.

While some industries are not as heavily regulated by laws such as HIPAA, maintaining adequate information governance is a sound business practice for any type of organization.



Recently, I’ve been investigating ARMA certification as an Information Governance Professional (IGP). Needless to say, there is a substantial amount of material outlined in the DACUM curriculum for that program, but I’ve learned that there are a series of core elements common to effective information governance programs. For the purposes of this discussion, I am defining information governance as:

“An accountability framework that encourages desirable behavior in the valuation, creation, storage, use, archival and deletion of information. It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.”


The ultimate goal of information governance is to recognize that information, generated by day-to-day operations of an organization, is a valuable corporate asset that must be managed and disposed of in a responsible fashion. Like most complex initiatives, creating an information governance strategy can seem overwhelming. Breaking the project down into discrete phases helps organize the effort and makes it a bit less daunting to undertake. Based on the IGP program and other resources, here are some broad project categories you can use to get started:

  • Understand & assess your business goals. Each organization has a unique set of business objectives and constraints that must be factored into their governance strategies, and the goal of this phase is to uncover those. For example, is your organization subject to specific regulatory requirements? Regulations such as HIPAA or SOX may not only impose restrictions on how information is handled, but may introduce additional risk in the form of fines or sanctions if the regulations are violated. In addition to regulations, be sure to identify key sponsors and stakeholders, outline external dependencies and consider budgetary constraints during this phase.
  • Plan & document the governance strategy. With a solid understanding of the business goals that your governance strategy must achieve, you can turn your attention toward developing a detailed plan for reaching those goals. We recommend approaching this process by creating a project plan that maps each business goal to the governance tasks required to support that goal. For example, HIPAA compliance requires potentially sensitive data to be safeguarded or encrypted, access controls to be enforced, etc. Each of those requirements may in turn result in secondary project tasks, such as developing RFP or RFI documents for new access control systems.
  • The steps outlined in your project plan will become the basis for the implementation phase of the initiative. During this phase, policies are drafted, approved and rolled out to the organization. In conjunction with introducing new policy controls, technology solutions may be put in place to enforce compliance. Not all policies and procedures can be fully technology-based, however, so it is also important to work with the corporate training and change management teams to make sure a comprehensive training program is rolled out to employees. Training should stress the importance of corporate information as an asset, and the responsibilities that individual employees have for protecting that asset.
  • An information governance process does not end with implementation; ongoing management of the process is a crucial element. Regulations change, business needs evolve and employee turnover will occur. Plan to address these organizational changes by conducting periodic audits, reviews and training programs to close any gaps in the process that emerge over time.

Over the coming months we will be covering each phase of building a corporate information governance framework in more detail in our white paper series. Watch the Sherpa Software web site for more information, or join our LinkedIn group for the latest updates.

Whether you’re promoting your company’s products and services, or getting your employees to share information and collaborate, being active on social media will help you grow as a company. Employees will be more engaged, happier and more productive – I’m sure many will read that last line with skepticism, but I truly believe in it.  Social business users are typically a more engaged and productive group, but the big question remains: “How does that affect the bottom line?”


When it comes to convincing the boss, you need to tell a story.  They need to see they are getting something in return and it will ultimately make your company better.  But what does that really mean?  I tweeted a few weeks ago at the IBM Connect show about the process behind this.  Becoming a social business does not happen by magic; it takes time, it takes a plan and most importantly, it takes effort.

It’s understandable that you want the ability to measure and monitor your success – I couldn’t agree more. Without a plan, goals are really just a dream.


Here are a few pointers on getting started.

  1. Align your social goals with your business goals
  2. Define what is important to you in terms of social success (likes, shares, new followers, etc.)
  3. Understand that becoming a social business is a process, one that will take some time to incorporate

The above is just a starting point; you have to realize that being social is just a part of the bigger picture, providing you with additional touches you can’t get any other way.  Being involved in user groups and attending trade shows all help (especially when supplemented with social media promotion). Writing articles, contributing to community resources and ultimately sharing those on social media outlets all contribute to the overall success.  All of these are keys to building a following that have faith and trust in what you do. Several additional advantages that you will have as a company when you become a social business include:

  1. Intellectual capital - When you become social, ideas, thoughts and information are shared freely among multiple destinations.  What may have been contained in a one-to-one email is now available to many, and can be searched on your social network.
  2. Thought leadership - By sharing your knowledge on a particular topic, people start to recognize you as a leader in that space.
  3. Brand recognition - Your employees connect with other people on social media, and sharing information builds credibility; with this credibility comes leadership. As you earn that trust, it’s easier to sell a product or service, because of that predefined relationship.

As you build your social business, remember that social ROI is really unlike any other part of your plan that you will measure, because it is difficult to directly correlate to the bottom line. But the bigger question is this: “Where would you be without social business in your plan?”

Trying to explain the purpose of eDiscovery can be a daunting task; just a few weeks ago I’d be hard-pressed to provide an adequate explanation. After working at Sherpa these past few months however, I have come to acknowledge just how important it is to an organization to have a firm grasp of eDiscovery solutions.

Put yourself, for a second, in the shoes of a frazzled employee, suddenly in charge of finding a piece of information that could save your company in a massive litigation case; you’ve got a little over a thousand mailboxes that need to be searched, and each mailbox is a few years old.  How could anyone, anywhere, deal with a task of that magnitude?


This is the core of what eDiscovery is, from the point of view of that poor person on the front lines – those awkward, frustrating initial steps where parties are required to collect all information regarding a pending case, including any potentially responsive files, conversations or incriminating emails. All this information needs to be gathered in order to lay it all before attorneys who filter it further before the data finally ends up in front of the courts.

Now, try to imagine doing that without the use of eDiscovery search, collection and review tools. The task would be impossible. The sheer man-hours, wasted productivity and compounding legal fees, just from trying to filter through documents to find relevant evidence, add up to the kind of position no one ever wants to be in. Just thinking about it can make your skin crawl.

Understanding the process for collecting electronic information leads into a greater understanding of how the corporate world actually functions. Running a business effectively could very much be described as an exercise in records management and information governance. And if you think private litigation is bad, imagine how much the pressure suddenly mounts when it’s not just your assets on the line, but the well-being of your company as a whole, including your employees and potentially your customers. This isn’t to say that you should scramble to get your electronic assets in order and put the fear of eDiscovery in your heart – only that you should be weighing the impact such events could have on your organization. There are real risks and costs that aren’t apparent until you encounter them for the first time. Getting ahead of any eDiscovery challenges and putting your records in order keeps you ahead of the curve and helps you save time, stress and money if the need ever arises.


I’m often asked how I manage to keep track of all the social sites that I belong to: Twitter, Facebook, Instagram, LinkedIn and more. Not only do I have my own personal accounts, but I also manage several other accounts for websites, youth organizations, etc. Keeping it all in line and staying on top of it can be a daunting task.

I recently presented a one-hour lunch-and-learn here at Sherpa, where I shared my experiences and showed how I manage all of my social connections, and not to mention, gather key information that helps drive my everyday life. From free gifts, to discount coupons, to product ideas and inspiration, I’ll walk you through the steps of how to successfully use social media tools like Twitter, Facebook and LinkedIn for your own personal benefit. I will teach you how to lurk for the purpose of finding useful information, and how to share that same information with others.

Embedded here for your convenience are the slides I used for this presentation; give it a read. While I talked through a bunch of them, you’ll be able to pick up most of what we covered from the text and the visual aids (some fun ones!). Are there any valuable social networks I may have forgotten to mention? Sound off in the comments section!


With compliance and other requirements necessitating the elimination of loose PST files, companies are burdened with moving this data to a centralized repository in a timely, secure and cost-effective manner. However, PST files are often dispersed throughout an organization’s network, making them difficult to locate, access and manage.

In this case study, we explore a migration for a domestic healthcare manufacturing company that had 6,000 users and approximately 50,000 PST files. This totaled more than 150 TBs of data that needed to be filtered and moved to an on-premises Microsoft Exchange server. In order to automate the PST migration, the organization deployed Sherpa Software’s Mail Attender for Exchange. This paper discusses the phases of this project and how to monitor the ingestion.
