The 1 Thing You MUST Do to Survive a HIPAA Security Audit or Investigation


With audits and investigations on the rise, there is a growing sense of foreboding among those who need to be HIPAA compliant. Many are scrambling to "button up" any loose ends before the Feds show up with a ticket book. But there is one thing you really must do if you are to have any chance of surviving an audit or investigation.

That one thing is documentation. There are 22 Standards and 42 Implementation Specifications in the Security Rule that your organization must address. You can do everything they imply, but if you fail to document your work, you have nothing but your word. And you know our federal government's default position in any matter - you're guilty until you can prove you're innocent.

So, in this case, your best defense is a great offense. If you develop great documentation, you'll probably appear head and shoulders above your peers to an auditor or investigator. That can't hurt your chances, right? So document everything you can. What does that mean? Here are a few ideas to get you started:

  1. Start with your policies and procedures (by having them!). Communicate them to your staff (and document that you did so, and when) and ensure that everyone is following them. Review them at least once per year (during your Evaluation would be a perfect time) and document that you did so. Keep all past versions, with the dates on which they were in effect and when they were replaced.
  2. Use documented sanctions to show that you are serious about following your policies and procedures and that you are holding your people accountable for doing so.
  3. Document any and all training that you provide to your people. And train often. The Security Awareness and Training standard is intended to be more than just annual training. "Training" does not have to be a half-day, shut-the-office-down ordeal. Refer to the Security Awareness & Training section of the Security Series #2 for some additional guidance, and check out HIPAA TIPS for more help implementing a company-wide Security Awareness program.
  4. Keep any and all relevant documents used during any and all risk analyses or assessments. Any spreadsheets, Word documents, PDFs, lists, and certainly the analysis reports need to be kept together and organized by the risk analysis they relate to.
  5. When you implement solutions to risks you have previously identified, be sure to clearly document the solution, when it was implemented, what risks it addressed, and the specific risk analysis report that identified the risk(s) in the first place.

If this list looks like Greek to you, then I highly recommend you do what I tell my clients to do. First, actually read the Security Rule. Second, read the Security Series from CMS. Also, bookmark this site and consider following us on Facebook, LinkedIn and Twitter for notification of new content on this site.

If you find yourself in the midst of an audit or investigation, nothing will seem as valuable or as regrettably simple as good documentation.

For more ideas on how and what to document, check out this post - 15 Ways to Document Your HIPAA Security Rule Compliance.

To make documentation management even easier, check out HIPAA FLIGHTPLAN.

If you found this article helpful, use the links located at the top and bottom of this page to follow us on LinkedIn, Facebook and Twitter.

Phil Cooper is the co-founder of Skysail Software, makers of affordable HIPAA Security Rule compliance management software solutions. HIPAA FLIGHTPLAN is web-based software that provides centralized documentation of your HIPAA Security Rule compliance program. HIPAA TIPS is web-based software that delivers Security Awareness training to your entire staff, every month, without impacting your daily operations.


Phil Cooper

Phil Cooper is a serial entrepreneur and co-founder of Skysail Software. He co-founded NetTech, an IT services company, in 1995, which he and partner Jeff Franks sold to MapleTronics Computers in 2009. He currently serves as CIO for MapleTronics and is the Chief Software Architect for Skysail Software. His years in the IT services field have provided ample opportunity to work with physicians and administrators in the medical community. This first-hand experience has helped him understand the struggles that many independent practices face in complying with HIPAA, especially the Security Rule. Along with Franks, Cooper decided it was time for the right tools to be built to assist the medical community with making HIPAA compliance manageable. So, Skysail Software was born. He has also served seven years on the board of Riverside Christian Academy, five as Board Chair, and has noted that it has been "one of the most significant and rewarding experiences of my life". He is an avid aviation buff and once had a rock band called Gantry...yes, along with Franks. Phil and his wife Debbie have two boys, Tyler and Ben, and reside in Fayetteville, TN.