Can you demonstrate your HIPAA Security Rule Compliance?

So, you're feeling good about your level of compliance with the HIPAA Security Rule.  That's nice, I suppose.  But that feeling is essentially irrelevant.


It doesn't really matter how you feel about it.  What matters is this -- can you demonstrate it?  Can you clearly show how you are complying and that you have been complying for a period of time?  Just saying you have will not go very far.

You need to be thinking about how and where you will store and manage your:

  1. Policies and Procedures
  2. Documentation & Related Evidence

Policies and Procedures

You're going to need more than just a three-ring binder…those days are over.  You'll need to review and evaluate your policies and procedures periodically (you get to decide how often) to see if they are continuing to adequately protect ePHI.  Over time, policies will change and you'll need to maintain a history of each revision for at least 6 years.

You also need to make your policies available to each staff member who will be responsible for following them.  Sounds simple enough, but many organizations have poor ways of getting the information into the hands of their people and even poorer ways (or no way) to get the updated versions to them promptly.  Think about how you can give access to your policies to everyone who needs it and encourage them to reference it often, or at least periodically.

Documentation & Related Evidence

As you operate your business you will be executing your policies, or at least you should be, because they define how you will go about certain things.  That execution should leave a paper trail of logs, activities, events, reviews, assessments, evaluations, risk analyses, meetings, decisions, changes in processes, changes in technical security, environmental changes and on and on.  Before you freak, note that most of the items in this list are things you are already doing.

Most likely, there is a paper trail already.  The question is, where do you store that info?  Can you find it now?  Will you be able to find it if you are subjected to an audit, investigation or a compliance review by HHS?

Demonstrability Matters

How well you are able to navigate an inspection of your compliance has everything to do with how well prepared you are in advance.  Your compliance will always be the subjective judgment call of someone else.  If you are able to quickly, easily and thoroughly present your compliance documentation upon request, you will no doubt fare better than those who must scramble to find documentation, or worse, can't produce anything more than a verbal promise.

Pull It Together Now

If you don't have it all together now, then start.  Have some fun with it.  Ok…pretend to have some fun with it.  Have someone play the part of an investigator or auditor and do a dry run.  HHS has published their Audit Program Protocol that reveals what they will be looking for in their audits.  Use this as a guide to be as thorough as you can.  Make notes as you go when you find that you are either slow or unable to deliver what is being requested.

After the dry run, address the issues you uncovered…it will never be easier than now.  Then, bring everything together into a system of documentation that will allow you to go right to any requested compliance item with no worries and no stress.  If you do this, then if you are ever called upon to survive an audit, investigation or compliance review, you will most likely impress your inspector (by standing out from your peers), you'll sleep better during the event, and you'll be a hero to your providers.  After all, it's their butts you just saved.



Phil Cooper is the co-founder of Skysail Software, makers of affordable HIPAA Security Rule compliance management software solutions.  HIPAA FLIGHTPLAN is web-based software that provides centralized documentation of your HIPAA Security Rule compliance program.  HIPAA TIPS is web-based software that delivers Security Awareness training to your entire staff, every month, without impacting your daily operations.


Phil Cooper

Phil Cooper is a serial entrepreneur and co-founder of Skysail Software. He co-founded NetTech, an IT services company in 1995 which he and partner Jeff Franks sold to MapleTronics Computers in 2009. He currently serves as CIO for MapleTronics and is the Chief Software Architect for Skysail Software. His years in the IT services field have provided ample opportunity to work with physicians and administrators in the medical community. This first hand experience has helped him understand the struggles that many independent practices face complying with HIPAA, especially the Security Rule. Along with Franks, Cooper decided it was time for the right tools to be built to assist the medical community with making HIPAA compliance manageable. So, Skysail Software was born. He has also served seven years on the board of Riverside Christian Academy, five as Board Chair, and has noted that it has been "one of the most significant and rewarding experiences of my life". He is an avid aviation buff and once had a rock band called Gantry...yes, along with Franks. Phil and his wife Debbie have two boys, Tyler and Ben, and reside in Fayetteville, TN.