Managing the Complexities of Enterprise Platforms
By Deborah Kohn
During August 2013, a Mr. HIStalk post reported the storing of patient (protected) health information (PHI) using consumer-grade services (a.k.a., enterprise platforms) that are cloud-based rather than on-premise-based. Disturbed by the post’s report, Mr. HIStalk replied with several rhetorical questions, such as, “What system deficiencies created the need to store [patient] information on consumer-grade services in the first place?” Later that month, Mr. HIStalk asked his CIO Advisory Panel to comment on policies or technologies used to prevent clinicians and employees from storing patient information on cloud-based consumer applications, such as Google Docs or Dropbox. Of the 19 replies, 60 percent block access to such services and / or have policies with random audits or other forms of monitoring.
Consumer-grade service and enterprise platform vendors include Google, Microsoft (MS), Accellion, Box, Dropbox, and others. The services (or applications or tools) provided by these vendors on their platforms include but are not limited to file storage / sharing and synchronization (FSS), mobile content management, document management, and, perhaps, most importantly, project and team collaboration.
For example, Google’s comprehensive suite of cloud-based services, Google Drive (FSS), includes but is not limited to Google Docs (collaborative office and productivity apps, now housed in Google Drive), Google Mail and Calendar, and Google Sites (sharing information on secure intranets for project and team collaboration). Box’s suite of cloud-based services includes but is not limited to mobile content management, project collaboration, a virtual data room, document management, and integration with Google Docs.
Historically, Microsoft SharePoint had been associated with on-premise document management and intranet content management. Over the years, broader, on-premise web applications were added to provide intranets, extranets, portals, and public-facing web sites, as well as technologies that provided team workflow automation and collaboration, sharing, and document editing services. SharePoint 2013 offers services in the cloud (and on-premise) and it includes but is not limited to Office 365 (the famous office and productivity apps, which now can be rented rather than purchased), Outlook (calendar), Exchange (mail), records management, e-discovery, and search.
I have worked with most of the above services and platforms in healthcare organizations. Since today’s digital experience is all about connecting and collaborating with others, I strongly believe the above services and platforms are important and useful for provider organizations, primarily because most of the services (or applications or tools) are not present in provider organization line-of-business systems. For example, with Google Drive, a resident can create a patient location spreadsheet in a cloud application, such as Google Docs, share it with colleagues, edit it on a tablet device, and push revisions to a collaboration site. Blocking access to these services penalizes employees by not allowing them to use robust collaboration tools.
In addition, I strongly believe the internal organizational policies and procedures that are developed for such services are sub-optimal at best. Unfortunately, most FSS services do not encrypt content, possibly exposing content to interception in violation of regulatory obligations, such as HIPAA. Yet organizational policies that manage encryption, backup, and archiving for content sent through email or FTP systems typically are not applied to the content sent through FSS services.
If provider organizations were to deploy formal information governance (IG) principles (e.g., electronic records management principles) with many of these enterprise services and platforms, onerous access blocking could be eliminated and policies and procedures could be improved. Unfortunately, like most services (or applications or tools), deploying IG principles for enterprise services is complex. In addition, deployment requires resources with knowledge of and experience in the information governance principles. However, the trade-off is that provider organizations can meet other legal, regulatory, and compliance requirements, such as e-discovery, without additional resources or effort.
As such, below is a step-by-step, basic, electronic records management guide to help protect what needs to be protected while allowing access to what needs to be shared and to gain value from cloud-based services and platforms while addressing compliance and governance standards.
- Clearly define as "documents" all content generated in (for example) Google Docs, SharePoint 2013, or Dropbox. A document is any analog or digital, formatted, and preserved "container" of structured or unstructured data or information. A document can be word processed or it can be a spreadsheet, a presentation, a form, a diagnostic image, a video clip, an audio clip, or a template of structured data.
- For legal and compliance purposes, declare as “records” those “documents” in Google Docs, SharePoint 2013 or Dropbox that 1) follow a life-cycle (i.e., the “documents” are created or received, maintained, used, and require security, preservation and final disposition, such as destruction); 2) must be assigned a retention schedule; and 3) must have their content locked once the “document” is declared a “record”. Records are different from documents. All documents are potential records but not vice versa.
- Again for legal and compliance purposes, designate all the records as either “official” or “unofficial.” Official records include those documents that were generated or received in Google Docs, SharePoint 2013 or Dropbox and subsequently declared as records according to the above records characteristics. In addition, official records are created or received as evidence of organizational transactions or events that reflect the business objectives of the organization (e.g., receiving reimbursement for services provided, providing patient care); and qualify as exercises of legal and / or regulatory obligations and rights (i.e., have evidentiary and / or regulatory value). Unofficial records include those documents that were generated or received in Google Docs, SharePoint 2013 or Dropbox and subsequently declared as records according to the above records characteristics. However, unofficial records will not further organizational business, legal, or regulatory needs if the records are retained. Typically, unofficial records are retained only for the period of time in which they are active and useful to a particular person or department. Often organizational retention policies allow unofficial records to be retained for x number of years after last modification, but typically no longer than official records. Examples of unofficial records are (what are typically but erroneously called) working “documents”, draft “documents”, reference “documents”, personal copies of documents or records, and copies of official records for convenience purposes.
- Retain all the documents and official / unofficial records in Google Docs, SharePoint 2013 or Dropbox in physically separate but logically linked electronic repositories. For example, “documents” can be stored on individuals’ hard drives. Once documents are declared “records”, the official records (e.g., patient records [including patient-related text messages / email messages / social media entries], employee records, patient spreadsheets, etc.) must be parsed and placed into a secured electronic repository, similar to the organization’s line-of-business system or systems-of-record repositories (e.g., EHR, Vendor Neutral Archive, financial system), with audit trails, access controls, etc. The unofficial records (e.g., working documents, reference records, etc.) can be stored on organizational shared drives.
Currently, many of the service and platform configurations and capabilities are not intended for long-term electronic record retention and security purposes and should not be used as healthcare organizations’ electronic repositories of official records. For example, no comprehensive, electronic records management, document management, or content management functionality exists on Google Drive. Once the record owners leave the organization and fail to reassign ownership, the official records could be subject to automatic deletion after x number of years. However, Google is introducing new Google Drive tools that might assist in better management of official records.
On the other hand, cloud providers are increasingly supporting content segregation, security, privacy, and data sovereignty requirements to attract regulated industries and are offering service level agreements and HIPAA business associate agreements (BAAs) designed to reduce risks. In September, Google announced a HIPAA BAA for the following Google App services: Gmail, Google Calendar, Google Drive, and Google Apps Vault. Alternatively, Accellion has extended its reach beyond data stored in its application by integrating with enterprise content management (ECM) systems, allowing users to connect right from their mobile devices to secured back-end, typically on-premise, repositories, such as SharePoint.
Deborah Kohn, MPH, RHIA, FACHE, CPHIMS, CIP is a principal with Dak Systems Consulting.