Ineffective wireless encryption

Taped-over door lock on data room

Inadequate passwords

Computers without adequate log-off

Disabled audit logging

Unencrypted email and laptops

Former employees with inappropriate network access

These vulnerabilities and more (151 in total) were found at seven large hospitals during a round of audits by the Department of Health & Human Services. Although these vivid examples come from hospital systems, HIPAA also applies to many other types of covered entities and business associates, including, of course, physician practices. These non-hospital providers are likely even more exposed to such lapses, as they are less likely to have dedicated information technology staff, legal departments, and formalized record-keeping practices.

Good information management practices should apply not only to EHRs, but also to everyday record-keeping, backup, and maintenance of email systems, Microsoft Office files, and financial accounting systems. Here are seven steps to help improve your routine information management practices:

Step 1 – Gather Support for Improved Information Management

Better information management can improve financial performance, mitigate risk, and help meet the compliance requirements of HIPAA and HITECH. It also reduces the likelihood of a data breach, because it requires the organization to identify where protected information is stored and to put appropriate controls around each location. Point out these benefits to help gain management support for an information management initiative.

Step 2 – Bring Your Retention Schedule Up-to-Date

A practice’s retention schedule identifies the specific periods of time for which records must be retained. The schedule is built on “buckets” of records that have similar uses or characteristics, and reflects both legally required retention periods and retention required by business needs. Developing a legally validated records retention schedule involves research of state and federal laws, statutes, and regulations, and is based on a records inventory and data map. Once drafted, it should be reviewed at least every two years, or sooner when laws or business needs change.

Step 3 – Ensure Your Information Management Policy is Comprehensive, Yet Practical

An information management policy should contain a general statement of responsibility for adhering to standards of conduct and business practices regarding how records are created, used, maintained, and disposed of. It should also address policy rules regarding: the scope of information governed under the policy; responsibilities, ownership and management of records; rules for compliant disposal; and the effect of legal holds on record retention.

Step 4 – Develop and Document Information Management Processes 

Processes that facilitate retention schedule implementation may range from workflows to ensure HIPAA-compliant and secure transmission and storage of PHI and ePHI, to a legal hold process designed to identify and preserve information required by an investigation or litigation. Other processes might include: well-defined disaster recovery plans that minimize the duplication and retention of information; a periodic clean-up program; a data breach readiness plan; internal audits of access control; and plans for collection and disposition of information used or managed by former employees.

Step 5 – Consider How Data Privacy and Security Will be Managed

Some information will be classified as PHI or PII, and efforts must be made to identify, segregate, and protect it. Encryption helps a great deal here, but it is not a panacea: full-disk encryption protects the data on a lost or stolen laptop, yet it does nothing against a weak password, a workstation left logged in, or a former employee whose network access was never revoked, all of which appeared in the audit findings above. Work with your IT personnel to ensure that every potential location for protected information is found, including email, network storage, laptops, and other mobile devices, and then ensure that appropriate controls (and audit logging of access) are in place at each one.

Step 6 – Train Everyone!

Even the most earnest and compliant of employees—including, especially, professional staff and management—can’t do what they don’t know. Training is key, not only to ensure day-to-day compliance, but also to help fend off data breaches.

Step 7 – Get Started with Practical and Focused Tasks

Here are some focused actions to move your practice toward better information management:

  • Document and enforce email etiquette and retention.
  • Adjust information backup practices so that backups function simply as a disaster recovery mechanism, not as a long-term archive from which years-old data may be recovered.
  • Develop an archive program that saves only record-worthy information, stored in such a way that it can be easily disposed of when the retention period expires (absent a legal hold).
  • Clarify who “owns” and manages each type of record.
  • Prepare a checklist for periodic self-audits of internal information management systems.
  • Engage technical, legal, and information management professionals to interpret and apply legal requirements to your specific circumstances.
  • Initiate an annual records “cleanup” day.
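The retention schedule of Step 2, the legal hold process of Step 4, and the disposal-when-expired rule in the list above fit together as one decision: a record may be disposed of only when its bucket is known, its retention clock has run out, and no unreleased hold covers it. The script below is an added example written for this article, not code from the article's author or any EHR product. The buckets, retention periods, record set, hold and "as of" date are all constructed for illustration; the periods are assumptions and are not legal guidance for any jurisdiction.

```python
"""Added example: a records cleanup run driven by a retention schedule and legal holds.

All buckets, retention periods, records, holds and dates below are constructed
for illustration. Retention periods are assumptions, not legal advice.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Bucket:
    """One 'bucket' of the retention schedule: records with similar use."""
    name: str
    retention_days: int   # assumed values; real periods come from legal research
    trigger: str          # which date on the record starts the retention clock


# Constructed retention schedule (assumed periods).
SCHEDULE: Dict[str, Bucket] = {
    "adult_medical_record": Bucket("adult_medical_record", 7 * 365, "last_encounter"),
    "billing": Bucket("billing", 6 * 365, "created"),
    "routine_email": Bucket("routine_email", 365, "created"),
    "dr_backup": Bucket("dr_backup", 30, "created"),   # recovery mechanism, not an archive
}


@dataclass(frozen=True)
class Record:
    record_id: str
    bucket: str
    created: date
    owner: str                            # who "owns" and manages the record
    patient_id: Optional[str] = None
    last_encounter: Optional[date] = None


@dataclass(frozen=True)
class LegalHold:
    hold_id: str
    patient_ids: frozenset = frozenset()  # preserve every record for these patients
    buckets: frozenset = frozenset()      # and/or every record in these buckets
    released: bool = False


def retention_expiry(rec: Record, schedule: Dict[str, Bucket]) -> Optional[date]:
    """Date on which the retention period ends, or None if it cannot be computed."""
    bucket = schedule.get(rec.bucket)
    if bucket is None:                    # unclassified record: no schedule applies
        return None
    start = getattr(rec, bucket.trigger)
    if start is None:                     # clock never started (missing trigger date)
        return None
    return start + timedelta(days=bucket.retention_days)


def active_holds(rec: Record, holds: List[LegalHold]) -> List[str]:
    """IDs of unreleased holds covering this record; any hit blocks disposal."""
    return [
        h.hold_id for h in holds
        if not h.released and (rec.patient_id in h.patient_ids or rec.bucket in h.buckets)
    ]


def disposition(records: List[Record], schedule: Dict[str, Bucket],
                holds: List[LegalHold], today: date) -> Dict[str, List[str]]:
    """Sort records into dispose / retain / held / review for a cleanup run.

    A hold overrides an expired period. Records whose expiry cannot be computed
    go to 'review'; nothing is disposed of until it has been classified.
    """
    out: Dict[str, List[str]] = {"dispose": [], "retain": [], "held": [], "review": []}
    for rec in records:
        expiry = retention_expiry(rec, schedule)
        if expiry is None:
            out["review"].append(rec.record_id)
        elif active_holds(rec, holds):
            out["held"].append(rec.record_id)
        elif expiry <= today:
            out["dispose"].append(rec.record_id)
        else:
            out["retain"].append(rec.record_id)
    return out


# Constructed sample data for one cleanup run.
TODAY = date(2024, 6, 30)
RECORDS = [
    Record("MR-1001", "adult_medical_record", date(2010, 3, 2), "clinic", "P-1", date(2015, 5, 20)),
    Record("MR-1002", "adult_medical_record", date(2016, 1, 9), "clinic", "P-2", date(2016, 1, 9)),
    Record("MR-1003", "adult_medical_record", date(2023, 2, 14), "clinic", "P-3", date(2023, 2, 14)),
    Record("MR-1004", "adult_medical_record", date(2012, 8, 1), "clinic", "P-4"),      # no encounter date
    Record("BILL-7", "billing", date(2017, 4, 1), "billing_office", "P-1"),
    Record("EM-42", "routine_email", date(2022, 11, 5), "front_desk"),
    Record("BK-3", "dr_backup", date(2024, 6, 15), "it"),
    Record("SCAN-5", "unknown_scan", date(2009, 1, 1), "unknown"),                     # never classified
]
HOLDS = [
    LegalHold("LH-2024-03", patient_ids=frozenset({"P-2"})),                # active hold
    LegalHold("LH-2021-11", patient_ids=frozenset({"P-1"}), released=True), # released, no effect
]


def run_cleanup() -> Dict[str, List[str]]:
    return disposition(RECORDS, SCHEDULE, HOLDS, TODAY)


if __name__ == "__main__":
    for action, ids in run_cleanup().items():
        print(f"{action:8s} {', '.join(ids) or '-'}")
```

Two design points are worth noting. First, the review list exists because an unclassified record, or one whose trigger date was never recorded, cannot be shown to have expired; it should be handed to the record's owner for classification rather than silently deleted or silently kept forever. Second, the "as of" date is a parameter, so the same run can be replayed for a self-audit to show what would have been disposed of on a given cleanup day.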

Implementing a records retention schedule this year will help get medical practices on the right track to better information management by defining what to keep and what to dispose of. To use a well-worn idiom, there is no time like the present to get started on health information management initiatives. The problem will not get smaller: data is poised to double every two years, from 4.4 trillion gigabytes in 2013 to 44 trillion by 2020.