
How to ensure HIPAA compliance with a Document Management System

Written by Ricardo Álvarez, OpenKM USA staff member, on September 18, 2020

Adopting the standards of the Health Insurance Portability and Accountability Act (HIPAA) ensures efficiency and effectiveness in the healthcare system without compromising the privacy of individually identifiable health information. These compliance regulations ought to be thoroughly enforced by any provider of medical services, healthcare business associates, and any other person who works in health care in the normal course of business, even though there is no official HHS-mandated HIPAA certification or accreditation.

The reasons why there is no official accreditation for HIPAA are simple: a failure to comply can happen at any time, and the regulations themselves can be updated.

Using a DMS to comply with HIPAA

There are no mandated procedures for ensuring your business is HIPAA compliant, but it is highly recommended that healthcare providers have a secure repository that limits access to each document to only those who absolutely need it. That being said, the following procedures can easily be achieved and enforced by implementing Document Management Software:

1. Access control

One of the requirements for complying with HIPAA is to set proper security controls on the level of access to each document. With OpenKM, you can choose who can access any specific data. This comes in the form of permissions for users and roles, which can be updated regularly.

2. Activity logs and Audit controls

Another requirement is to keep proper activity logs. Doing this without high-end document management software can be extremely difficult and unreliable. OpenKM allows us to track any event that has taken place on any document. These audit trails can be as specific as knowing who accessed each file, what was changed in the file, and when it was done.

3. Patient records

Healthcare organizations need to maintain a complete record of the medical history of patients. With OpenKM’s Version Control, the protected health information can include multiple versions of the same file without cluttering documents, while keeping track of the activity logs of each version.

4. ePHI Confidentiality and Authorizations

Besides ensuring that any healthcare records are stored and archived confidentially, healthcare providers need to provide patients with the specific information on how their PHI will be shared and for what reason, and receive the proper authorizations.

OpenKM has the necessary tools to create relations between documents, add metadata and keywords. This allows you to easily access all the information about a specific procedure, patient, location, or any specific filter you want to apply.

This can also ensure there is written permission (a HIPAA Release Form) from patients before their PHI is used for purposes such as marketing, fundraising, or research. OpenKM’s Optical Character Recognition tools enable you to automatically perform a layout analysis, recognize a selected field on paper, and use that information to make the approval or denial steps of your information management processes more efficient.

5. Encryption and decryption tools

Hospitals must encrypt PHI when transmitting it over the internet. OpenKM’s cryptography tools allow you to easily enable this security setting any time you download or email a document containing personal health information.

6. Risk Assessments

Healthcare providers are bound to perform regular risk assessments to identify any possible flaws in every area in which ePHI is being used.

OpenKM can help you create different types of risk assessment reports based on your specific data and automation settings. This is important for producing a follow-up plan that addresses the identified risks.

7. Business Associate Agreements

Whenever a third party needs access to any PHI to perform a service, both parties need to have a business associate agreement that limits the use or disclosures of the information provided.

With the proper automations, workflows, and notification systems, OpenKM can help block access to certain information if the relevant Business Associate Agreement has not been signed or is not up to date.

8. ePHI Disposal

Although the HIPAA Privacy Rule does not have any medical record retention requirements, some state laws determine how long medical records are to be retained.

With OpenKM’s document lifecycle management tools, you can be sure that any PHI on the system is completely erased and the integrity of the privacy of medical records is kept throughout the disposal process.

9. Incident Management tools

Covered entities and business associates under these rules must notify the Secretary of Health and Human Services of any impermissible use or disclosure of unsecured PHI, and provide supporting evidence for the policies and procedures that were in place to address possible security incidents.

10. Training

Covered entities are required to perform regular training about HIPAA. With OpenKM you can ensure the standardization of document management practices as well as the enforcement of a regular check of the HIPAA guidelines and specific internal regulations.


Non-compliance with any of the HIPAA regulations can incur massive penalties. On June 18, 2018, MD Anderson Cancer Center paid $4.4 million in fines for HIPAA violations. The best way to comply with the HIPAA regulations is to partner with a HIPAA advisor and use a Document Management System provider that has a significant history of clients within the medical sector. OpenKM’s international clients in the medical sector are a clear example of its commitment to document management safety and efficiency.

OpenKM is a powerful and comprehensive tool for healthcare providers that provides document management compliant with the legal requirements of HIPAA, including tools to help identify and investigate potential HIPAA violations.

There are several other issues and regulations related to HIPAA that can be enforced by implementing document management software. This includes unique user identification systems to track all users that sign on and off the system and tokens for special access to documents.

There are additional advanced functionalities that OpenKM can bring to healthcare institutions, including the integration of automated processes and procedures, and the incorporation of a requests and complaints system for users.
