By Carols Leyva
Published: March 19, 2017
What evidence should a covered entity or business associate be prepared to show Health and Human Services (HHS) as proof they are compliant with HIPAA?
This article will address the kinds of visible, demonstrable evidence (VDE) that your organization should be prepared to show the Health and Human Services (HHS) during a HIPAA audit. It will also discuss what a business associate should be prepared to show a covered entity when the former is asked by the latter to show proof of HIPAA compliance. Of course, as you might expect, there is potentially a significant overlap between what a stakeholder might show HHS or a covered entity (respectively referred to as "Requestor" for the remainder of this article). However, what is shown to a Requestor could also vary widely, as we will discuss herein.
As a threshold matter, you should be prepared to discuss VDE regarding something that is not found in HHS' audit protocol; that is, VDE pursuant to the methodology your organization has put in place to ensure coverage of all compliance requirements and, moreover, the methodology that will help a Requestor understand your organization is serious about pursuing a culture of compliance. In other words, the VDE that you show a Requestor should all fall within a compliance framework that is underpinned by your methodology. Showing VDE pursuant to your methodology helps frame the discussion in a manner that creates the desired perception of your organization’s commitment to your HIPAA compliance initiative.
The principal takeaway from our discussion thus far is that you are not simply "throwing documents" at a Requestor, but rather those documents you provide should demonstrate VDE and fit within a well-thought-out approach that governs your organization's thinking pursuant to the entirety of your HIPAA compliance initiative. We can assure you, with a high degree of confidence, that initiating the conversation with the Requestor in this manner, not only sets the proper context, but more importantly goes a long ways towards influencing the Requestor's perception that your organization is 100% committed to your HIPAA compliance initiative, or any other type of compliance initiative for that matter.
For the purposes of this article, we will take a more business like approach as to what you should be prepared to show a Requestor as compared to the voluminous (and at times indecipherable) requirements contained within HHS' Audit Protocol Revision 2 (circa April 2016; click here to download the protocol as a PDF). We will break down the documents you need to be prepared to show according the the individual HIPAA compliance Rules: (1) HIPAA Privacy Rule; (2) HIPAA Security Rule; and (3) HIPAA Breach Notification Rule.
For the purposes of the article we are "tree topping" the kind of VDE required for each Rule. The intent is that you should be able to quickly review the documents and categories proffered in the article and determine if your organization is indeed meeting these requirements. It should provide you a quick reality check as to the current standing of your HIPAA compliance initiative.
The HIPAA Privacy Rule: You should be prepared to show the HHS auditor the following documents and document categories as proof of compliance for the HIPAA Privacy Rule:
- A methodology for determining when the Privacy Rule has been violated.
- The ability to process Authorizations according to the Omnibus Rule.
- Omnibus Rule compliant Notice of Privacy Practices.
- Omnibus Rule compliant Restriction Requests.
- The ability to process requests for access to PHI.
- The ability to process requests for amendments to PHI.
- The ability to process requests for an accounting for disclosures of PHI.
- Demonstration of a named Privacy Officer with his/her personnel file updated.
- Policies and procedures at the granularity level of a requirement.
- The ability to track process results at the granularity level of a requirement.
- A training program for your entire workforce.
- A specialized training program for certain individuals within your workforce.
- Business Associate Agreements.
The HIPAA Security Rule: You should be prepared to show the HHS auditor the following documents and document categories as proof of compliance for the HIPAA Security Rule:
- A methodology for determining when the Security Rule has been violated.
- Policies and procedures.
- Risk Assessments report for one or more risk assessments.
- Demonstration that you have implemented an evergreen Risk Mitigation framework (See NIST SP 80-37 R.1).
- Sanction policy.
- Ability to track system activity logs.
- A named Security Officer with his/her personnel file updated.
- Workforce Security Processes.
- Security Awareness Training across the organization.
- Security Incident Tracking.
- Contingency plans for: (a) disaster recovery; (b) emergency mode operations; and (c) Application Criticality.
- Technical controls to support all of the above.
- Physical plant and equipment controls.
- Business Associate Agreements.
The HIPAA Breach Notification Rule: You should be prepared to show the HHS auditor the following documents and document categories as proof of compliance for the HIPAA Breach Notification Rule:
- A methodology for determining when Breach Notification is triggered.
- Model letters to notify patients when a breach has occurred.
- Model letters to notify major media when a breach has occurred, when required.
- Model letters to notify the Secretary of HHS when a breach has occurred.
- Demonstration of the ability to document Security Incidents.
- Timeliness of reporting for Covered Entities.
- Timeliness of report of Business Associates.