Ademero is a document management software (DMS) provider whose platform helps businesses keep track of large quantities of documents and transition to a paperless environment, but is Ademero HIPAA compliant? Can its DMS be used by healthcare organizations without violating HIPAA Rules?
Ademero and HIPAA
The HIPAA Security Rule includes required and addressable implementation specifications. Any implementation specification that is required must be implemented to comply with HIPAA Rules. Addressable implementation specifications are not, strictly speaking, required; they allow some flexibility. For instance, data encryption is not a required element, but that does not mean it can be ignored. A decision not to encrypt data is acceptable provided that it was based on a risk analysis and is documented. Alternative controls that provide an equivalent level of protection must also be put in place.
Software solutions that support HIPAA compliance will have appropriate controls in place to satisfy the required elements of HIPAA and will meet or be compatible with the addressable elements of HIPAA. (See HIPAA compliance for SaaS)
Ademero has detailed on its website (and in a white paper) the requirements of HIPAA and how they apply to software. The company explains in detail how its software covers all of the required elements, and how healthcare organizations must ensure all addressable implementation specifications are satisfied.
Ademero includes access and audit controls, allowing administrators to carefully control who has access to the software and the documents uploaded to the DMS. Administrators have visibility into the ePHI uploaded to user accounts, and audit controls ensure that logon and logoff activity, file access, updates, edits, copies of documents and downloads are tracked. All data uploaded to the platform and stored in the DMS is encrypted. Ademero also works closely with Google Cloud Platform, a HIPAA compliant cloud platform.
Based on the controls in place, Ademero is certainly secure and is no doubt a high-quality document management software solution, but is Ademero HIPAA compliant and suitable for use by healthcare organizations?
Is Ademero HIPAA Compliant?
Ademero has gone to great lengths to make it clear that its service has all of the necessary security controls in place to ensure users of the document management system can avoid violations of HIPAA Rules; however, on its HIPAA webpage and website, Ademero does mention the business associate agreement – a required implementation specification in HIPAA.
In its downloadable white paper, “Meeting HIPAA Compliance with Document Management Software,” the BAA is mentioned as a required element of HIPAA, but Ademero does not explicitly state that it will sign a BAA with covered entities.
As far as HIPAA compliance is concerned, it doesn’t matter if security is exceptional and all features of the service support HIPAA compliance. If the service provider will not sign a BAA with a HIPAA-covered entity, the service cannot be used in conjunction with any PHI.
So, is Ademero HIPAA compliant and can its service be used in connection with PHI? Until HIPAA-covered entities and their business associates can enter into a business associate agreement with Ademero, it cannot be considered a HIPAA compliant document management system.