15 Ways To Document Your HIPAA Security Rule Compliance

Documentation is a major part of HIPAA Security Rule compliance. Aside from your policies and procedures, there are many actions, activities, reviews, logs, assessments and evaluations that must be documented.  Get this right and your chances of surviving an audit or investigation will be much higher.
  1. Start with your policies and procedures (by having them!). Communicate them to your staff (and document that you did and when) and ensure that everyone is following them. Review them at least once per year (during your Evaluation would be a perfect time) and document that you did so. Keep all past versions, with the dates on which they were in effect and when they were replaced.
  2. Use documented sanctions to show that you are serious about following your policies and procedures and that you are holding your people accountable for doing so.
  3. Document any and all training that you provide to your people. And train often. The Security Awareness and Training standard is intended to be more than just annual training. "Training" does not have to be a half-day, shut-the-office-down ordeal. Refer to the Security Awareness & Training section of the Security Series #2 for some additional guidance and check out HIPAA TIPS for more help implementing a company-wide Security Awareness program.
  4. Keep any and all relevant documents used during any and all risk analyses or assessments. Any spreadsheets, Word documents, PDFs, lists, and certainly the analysis reports need to be kept together and organized by the risk analysis they relate to.
  5. When you implement solutions to risks you have previously identified, be sure to clearly document the solution, when the solution was implemented, what risks were addressed by it and note the specific risk analysis report that identified the risk(s) in the first place.
  6. Log each and every security incident, even the minor ones. Encourage your people to report anything they believe is not quite right.  You can report it as "suspected". If you later find out it was nothing, that's great! But now you are showing due diligence and a serious approach to protecting your ePHI.
  7. You should have a policy and procedure for authorizing and granting access to ePHI to your people. Be sure to document each and every exercise of those policies. Whether you are granting more access, restricting previously granted access or terminating access, every case should be logged.
  8. Keep track of all business associate agreements and any official correspondence with a business associate.  
  9. Your evaluation should produce a fair amount of documentation. Be sure to hang on to it. Much of it may feed back into future changes to policies and procedure as well as specific implementations of technology.
  10. Your contingency plans should be in a policy and procedure, but you'll also want to document when you tested them (dry run, fire drill, etc.), any issues that were uncovered, and any revisions that were made as a result.
  11. If you have any visitor logs, maintenance logs and such, don't throw them away when the page is full.  Scan them into a PDF and keep them. You already did the hard part…it's an easy way to have more evidence of your compliance.
  12. Track your IT inventory from womb to tomb. Be able to show when each device was first commissioned for use, how it was intended to be used, when it was retired, and how it was disposed of.
  13. Document who your HIPAA Security Official is and for what term. Keep records and dates when/if the person assigned to this role changes.
  14. Document your rationale. Repeatedly throughout the Security Rule, the expectation is not only that you decide what you will do and how you will go about doing it, but also that you document why you decided so. The Security Series speaks more openly about rationale and about when and where it's expected.
  15. Record your day-to-day activities that relate to executing key elements of the Security Rule. This may be as simple as keeping a handwritten log for some things (that you'll scan to PDF later), or more detailed records of meetings, decisions, audit log reviews, and movements of ePHI (especially in and out of your control).

If this list looks like Greek to you, then I highly recommend you do what I tell my clients to do. First, actually read the Security Rule. Second, read the Security Series from CMS. Also, bookmark this site and consider following us on Facebook, LinkedIn and Twitter for notification of new content on this site.

If you find yourself in the midst of an audit or investigation, nothing will seem as valuable or as regrettably simple as good documentation. To make documentation management even easier, check out HIPAA FLIGHTPLAN.



Phil Cooper is the co-founder of Skysail Software, makers of affordable HIPAA Security Rule compliance management software solutions. HIPAA FLIGHTPLAN is web-based software that provides centralized documentation of your HIPAA Security Rule compliance program. HIPAA TIPS is web-based software that delivers Security Awareness training to your entire staff, every month, without impacting your daily operations.


Phil Cooper

Phil Cooper is a serial entrepreneur and co-founder of Skysail Software. He co-founded NetTech, an IT services company in 1995 which he and partner Jeff Franks sold to MapleTronics Computers in 2009. He currently serves as CIO for MapleTronics and is the Chief Software Architect for Skysail Software. His years in the IT services field have provided ample opportunity to work with physicians and administrators in the medical community. This first hand experience has helped him understand the struggles that many independent practices face complying with HIPAA, especially the Security Rule. Along with Franks, Cooper decided it was time for the right tools to be built to assist the medical community with making HIPAA compliance manageable. So, Skysail Software was born. He has also served seven years on the board of Riverside Christian Academy, five as Board Chair, and has noted that it has been "one of the most significant and rewarding experiences of my life". He is an avid aviation buff and once had a rock band called Gantry...yes, along with Franks. Phil and his wife Debbie have two boys, Tyler and Ben, and reside in Fayetteville, TN.