Finding a DAM solution that complies with HIPAA regulations

digital asset management
March 9, 2022
Finding a DAM solution that complies with HIPAA regulations

When a hospital or other healthcare business is looking for a Digital Asset Management (DAM) system, it’s not surprising that, “Can it comply with HIPAA?” is often the first and only question. But beyond that coveted HIPAA-compliant label, what should you look for when you’re on the hunt for a healthcare DAM?

When it comes to the healthcare industry in the United States, the Health Insurance Portability and Accountability Act, better known as HIPAA, affects everything. Decisions related to procedures, personnel, and especially technology all filter through the HIPAA lens. 

What are HIPAA requirements for digital assets?

HIPAA requires that any person, institution, and related service providers (like a Digital Asset Management system) must have policies and practices in place to safeguard patient health information (PHI).

What is PHI? According to HIPAA, it’s anything relating to past, present, or future healthcare. That includes conditions individuals may have, services they receive, or how those services were paid for.

How the right digital asset management vendor can help you comply with HIPAA

So, how do you know whether a DAM vendor can deliver HIPAA-compliant solutions without sacrificing usability and efficiency? Look for one that offers confidentiality, integrity, and availability of assets.

Confidentiality of PHI 

There are multiple ways a DAM can ensure the privacy of PHI by preventing unauthorized access to assets. Here’s what to ask about:

  • Encryption: When speaking to a digital asset management vendor, make sure they offer sophisticated encryption options. Dual-factor authentication or single sign-on options are also worth looking into, since they’ll further reduce the possibility of unauthorized access.


  • Employee training: Find out what kinds of cybersecurity awareness training a DAM vendor’s own employees take. Look for organizations and vendors that equip employees with the knowledge of potential security risks and how to avoid them.
  • Secure storage: Because PHI may be stored with third-party cloud storage providers, ask the vendor about which cloud storage options are available, and whether those options are compliant with HIPAA. Also discuss how the DAM ensures secure migration of data to and from the cloud.

Integrity of assets

Integrity refers to the consistency and security of data. That means your organization and your DAM vendor must prevent changes made by unauthorized individuals — and unauthorized and accidental modification by authorized users, too. 


One of the simplest ways for a digital asset management platform to handle integrity is through Permissions. Permissions are a system of controls that let you decide who can access which assets and when. 

A HIPAA-compliant DAM system should offer customizable permissions that can give access based on:

  • A user’s role (admin, staff, etc.)
  • Asset status (public, internal, in review) 
  • A range of dates (for example, an asset in only available until a certain date)
  • Or even individual rules you create for one asset or a small group of assets

Permissions in DAM that complies with HIPAA 2

Audit trails

While permissions let you control who can view assets, audit trails show you who actually is looking at them. DAMs that are HIPAA compliant should be able to give you a history of changes made to assets, so you can see who made them and when. But you should also be able to see simple access logs, so you can report on who is viewing assets, if needed.

Audit trail in hippa compliant DAM 2

Availability of assets

Availability means that electronic PHI must be accessible and usable on demand by authorized individuals — which should be easily accomplished through the right DAM system. 

  • Quick access: Users should have timely and uninterrupted access to the information in the system. Look for a DAM that can grab information quickly, without lots of lag or outages.
  • Easy-to-use search: Ask for a demo of their search functionality to make sure that it’s intuitive and user-friendly. After all, it will be accessed by a diverse group of people, including healthcare workers, marketing teams, and potentially patients seeking their PHI.

Digital Asset Management can make it easier to comply with HIPAA by choosing a system that’s centralized, secure, and easy for the authorized users to access. You just need to find the right system that can handle specialized requirements, and the right vendor to bring specialized knowledge and expertise to your implementation.