Evidence of HIPAA compliance tips for healthcare providers
According to healthcare attorney Susan Miller, detailed evidence of HIPAA compliance and going beyond just the black letter HIPAA rules will be important factors when the Office for Civil Rights (OCR) makes its HIPAA audit rounds this fall. Miller said that OCR has been talking about evidence of compliance since 2009, when it first released the HIPAA Omnibus Rule Notice of Proposed Rule Making (NPRM).
Evidence of compliance, in my view, goes beyond what the rule asks of an organization, such as where its policies and procedures are. This includes the Notice of Privacy Practices (NPPs) and business associate agreements (BAAs), but they’ve also [made it clear] that organizations must have a breach plan. In no place in the regulation does it say that an organization has to have a breach plan or process. It does make sense to have a breach plan to know what the organization will do when it has a breach event. I would suggest that organizations have a breach plan that they look at and update yearly.
OCR will be looking for specific things in the plans, Miller said, including communication tactics within a breach plan. And Miller tells her clients that they need a detailed training plan, as well as the training materials and sign-in sheet or even some way to know when staff completes computer based training (CBT) modules, depending on how they do training. The important thing is knowing the training was completed. And organizations need something similar to a contingency plan, which is in the Security Rule but the larger organizations name as business continuity and disaster recovery plans. “Think of [the Boston Marathon bombings] – you need something that’s going to help you continue to function during these events that are out of the control of the covered entity or business associate (BA),” Miller said.
In Miller’s estimation, evidence of HIPAA compliance includes the following documentation:
- HIPAA Privacy, Security and Breach policies, procedures and related documents, updated to the Omnibus Rule additions and changes; reviewed yearly; updated as necessary
- Breach Plan, plus yearly role playing and update
- Training Plan, plus training and training material
- Communications Plan, plus meeting agenda, minutes
- Disaster Recovery Plan, plus yearly role playing, and update
- Audit and Monitoring Plan, reviewed yearly
- Governance documentation
- Yearly, internal HIPAA audit, documentation
- Yearly Security Risk Analysis/Assessment, documentation
How the HHS Security Risk Analysis (SRA) Tool factors into compliance
Because, in part, OCR discovered during its previous round of audits that many organizations had not done a thorough or complete risk analysis, it recently released its SRA tool to help organizations with risk analysis. Miller said that the tool is a step in the right direction, but it doesn’t explain what a risk or vulnerability is, let alone a risk assessment or analysis for smaller providers that may not understand NIST language.
If I were designing a tool for the smaller providers, I would use common language, such as what the industry thinks a risk is, but I would not use the NIST definition in the glossary. [And] it’s more than 150 questions and 400 pages long, which seems too much and too long to a small practice. Any medical practice is a fast-paced environment and I don’t know who would be doing this, but the security language is still the same language that only the security experts who work with security on a daily basis would understand.
Miller added that regardless of whether organizations have used either the ONC Security Risk Analysis Tool, the NIST Tool or self-audits, OCR is going to be looking for documents and will take them as evidence of the security compliance.
It's so important to make sure everything is done within healthcare. Avoiding readmission has been becoming our focus. What are some other strategies that can be used that you've seen that work?
Sylvia http://www.rconradconsulting.com/reducing-avoidable-readmissions-through-improved-discharge-planning