HIPAA Explainer Series: HIPAA Compliance Q&A (Part 1)

Q1: What do you know about this new HIPAA Audit program?

HIPAA audits were mandated by HITECH under its enforcement provisions. The first round of audits was conducted in 2012. They were considered investigative, so no fines were levied.

Q2: I’ve been tasked to make sure we are ready for this next round if we are selected for an audit. How do I get ready?

I think the right question is not “How do I pass a HIPAA audit” but “How do I comply with HIPAA so that, if I am audited, I will pass the audit?” The way to prepare for an audit is to have an effective HIPAA compliance program at all times.

Q3: So, how do I build a HIPAA Compliance Program?

The rules, listed in a section called the Organization Requirements, describe the elements required to comply. The rules require you to do the following:

  • Have Business Associate Agreements in place with vendors who require access to PHI.
  • Adopt reasonable and appropriate policies and procedures to comply with the HIPAA rules.
  • Maintain your policies and procedures in writing.
  • Maintain a written record of the actions, activities and assessments that relate to compliance and that the rules require.
  • Keep those policies and records for 6 years from the date they were created or last in effect, whichever is later.
  • Provide a mechanism to make the policies and procedures available to those required to implement or abide by them.
  • Review your policies and procedures periodically and update them as needed.

Q4: “Maintain a written record of the actions, activities and assessments related to compliance,” is a bit vague. What does that mean exactly?

Well, it’s related to the practical reality of compliance. If it’s not documented then, as far as an investigator, auditor or administrative law judge is concerned, it didn’t happen.

Q5: I have policies and procedures in place. Isn’t that enough? 

No, that’s not enough. Although the rules don’t say how policies and procedures must be written, a good policy states the procedures or practices that will be used to comply. Those procedures, if they are any good, inevitably describe the steps required to comply and create “documentary artifacts” showing that the policy and the regulation were followed.

Q6: Artifacts? You mean like an archeologist? 

Well, similar in that archaeologists use artifacts to reconstruct and prove how people lived in the past. Investigators use “documentary artifacts” to prove that you have complied and to demonstrate how you have complied in the past. So, yeah, like an archaeologist but without the dust, bull-whip and fear of snakes.

Q7: Can you give me an example? 

Sure. I’ll give you two. 

  1. Both the privacy rules and the security rules require training. To comply, you should have a policy and procedure regarding training. These could be one policy covering both privacy and security or two separate policies; it doesn’t really matter. But the procedure should address issues such as:
    a. Training will be provided to new employees before they begin their responsibilities and before access to PHI is granted
    b. The frequency of refresher training
    c. The manner in which the training will be given, etc.

The “artifacts” from the procedures are generated in the process of fulfilling the policy. If an organization provides annual refresher training via an obligatory in-service, the compliance official should have a sign-in sheet that everyone signs. They should also keep a record of the training itself: the date and time it occurred, who presented it, the outline or slides of the content, etc. Those documents are your “artifacts.”

Q8: And the second example? 

My second example is incident response and reporting. Organizations must have policies and procedures for responding to and reporting security and privacy incidents, and for mitigating the harmful effects of incidents. Possibly the most straightforward way to comply with this requirement is to create an incident response form that includes every element required by the procedure. A good incident procedure might look like this:

[Figure: HIPAA procedure flowchart 1]

But it could also look like this:

[Figure: HIPAA procedure flowchart 2]

The second approach is easier because the elements of the first flowchart are built into the form. The form not only becomes your compliance artifact; it drives compliance with the policy itself.

Q9: Do we need a policy and procedure to address all the regulations? And, secondly, do we also need to define the “artifacts” that prove our compliance for all our policies and procedures? 

Yes, to both questions. You need a policy and procedure addressing all the required regulations. There are two ways to accomplish that: 

  1. You can have one named policy and procedure for each named regulatory requirement. This approach has the advantage of clarity but requires a lot of policies, all of which need to be kept in sync with each other.
  2. You can have policies that each address multiple regulatory requirements. This approach means fewer policies, but you will need to create a “policy map.”

Q10: What is a policy map? 

It’s a tool that you build and use to demonstrate which policies address which regulations. Ideally, it maps to the policy at the paragraph level. An easy way to create a policy map is to insert a table into a Word document with at least two columns, one for the regulation and the other for the named policy and paragraph. Put the regulation on the left and the corresponding policy/paragraph on the right.

For example:

Regulation                                                        | Policy
----------------------------------------------------------------- | ---------------------------------------------------------
Security Management Process - Standard                            | Security Management Policy and Procedure - Par 2
Security Risk Analysis - Implementation Specification             | Security Management Policy and Procedure - Par 4
Risk Management - Implementation Specification                    | Security Management Policy and Procedure - Par 5
Information System Activity Review - Implementation Specification | Security Management Policy and Procedure - Par 6
Assigned Security Responsibility - Standard                       | Privacy and Security Officials Policy and Procedure - Par 2

Q11: Could we use a similar approach to document the artifacts related to a policy? 

Yes. This approach, extending the map to include a column for artifacts, is extremely helpful because it forces you to consider each element that proves compliance. 

Q12: How do we keep all this material organized? 

One idea is to keep a “book of evidence.” A book of evidence is a notebook with tabs in which you keep copies of these artifact documents, organized by policy. So, from the table above, you would have a tab called “Privacy and Security Officials,” and under it you would insert the documents related to your Security Officer, which might include a letter designating the named individual, a job description, roles and responsibilities, credentials, records of any training the person has received, etc.

Another way to organize this information (without printing hard copies) is to add another column to the Policy Map that lists where on a drive each document is stored (preferably a secure network drive with access limited to appropriate personnel). So the cell might say something like: S:Compliance > Policies > ComplianceOfficials > SecOfficerJobDescription.
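As an added example (not code from the original article), here is the policy map from the last three answers kept as structured data rather than a Word table, with the artifact and location columns included, plus a small check that reports the gaps an auditor would spot first: a regulation with no policy mapped to it, a policy with no artifact defined to prove it, and an artifact whose file is not where the map says it is. It also encodes the six-year retention rule as a date calculation. The regulation rows beyond the table above, the policy names, paragraph numbers and file paths are constructed for illustration and are not a complete HIPAA mapping.

```python
"""Policy map with an artifacts column, kept as data, plus a gap check.

Added example, not code from the original article. The extra regulation
rows, policy names, paragraph numbers and file paths are constructed
for illustration and are not a complete HIPAA mapping.
"""
import csv
import io
import os
import tempfile
from datetime import date

# Constructed sample policy map. Columns follow the article's table
# (regulation, policy, paragraph) plus the artifact and its location.
POLICY_MAP_CSV = """\
regulation,policy,paragraph,artifact,location
Security Management Process - Standard,Security Management Policy and Procedure,2,Signed policy approval,Compliance/Policies/SecMgmt/ApprovalMemo.pdf
Security Risk Analysis - Implementation Specification,Security Management Policy and Procedure,4,Risk analysis report,Compliance/RiskAnalysis/2023-RiskAnalysis.pdf
Risk Management - Implementation Specification,Security Management Policy and Procedure,5,Risk remediation plan,Compliance/RiskAnalysis/RemediationPlan.xlsx
Information System Activity Review - Implementation Specification,Security Management Policy and Procedure,6,Monthly log review sign-off,Compliance/LogReview/2024-01-Review.pdf
Assigned Security Responsibility - Standard,Privacy and Security Officials Policy and Procedure,2,Security Officer designation letter,Compliance/Officials/SecOfficerDesignation.pdf
Workforce Security - Standard,Workforce Security Policy and Procedure,3,,
Security Awareness and Training - Standard,,,,
"""


def load_policy_map(text):
    """Parse the policy map into one dict per regulatory requirement."""
    return list(csv.DictReader(io.StringIO(text)))


def find_gaps(rows, root):
    """Report the gaps an auditor would find first.

    unmapped:      regulation with no policy/paragraph assigned
    no_artifact:   policy mapped but no artifact defined to prove it
    missing_files: artifact defined but its file is not under `root`
    """
    gaps = {"unmapped": [], "no_artifact": [], "missing_files": []}
    for row in rows:
        reg = row["regulation"]
        if not row["policy"].strip():
            gaps["unmapped"].append(reg)
        elif not row["artifact"].strip():
            gaps["no_artifact"].append(reg)
        else:
            path = os.path.join(root, *row["location"].split("/"))
            if not os.path.isfile(path):
                gaps["missing_files"].append((reg, row["location"]))
    return gaps


def retention_end(created, last_effective=None):
    """Earliest date a policy or record may be discarded.

    45 CFR 164.316(b)(2)(i): retain for six years from creation or from
    the date it was last in effect, whichever is later.
    """
    base = max(created, last_effective) if last_effective else created
    try:
        return base.replace(year=base.year + 6)
    except ValueError:  # 29 February and the target year is not a leap year
        return base.replace(year=base.year + 6, month=3, day=1)


def demo():
    """Stage a partial 'book of evidence' in a temp dir and run the check."""
    rows = load_policy_map(POLICY_MAP_CSV)
    staged = [  # constructed placeholder files, not real evidence
        "Compliance/Policies/SecMgmt/ApprovalMemo.pdf",
        "Compliance/RiskAnalysis/2023-RiskAnalysis.pdf",
        "Compliance/Officials/SecOfficerDesignation.pdf",
    ]
    with tempfile.TemporaryDirectory() as root:
        for rel in staged:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return find_gaps(rows, root)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}: {items}")
    print("retain until", retention_end(date(2018, 3, 1), date(2019, 6, 30)))
```

Run against the real evidence drive, `root` is the top of the secure share and the map is the CSV you export from the Word table; a scheduled run of `find_gaps` turns the policy map from a document you update before an audit into a check that tells you, every month, which artifacts you have stopped producing.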

Q13: What do you recommend for maximum compliance? 

I like to describe a HIPAA compliance program as a three-legged stool. If any leg is missing, the stool won’t stand. Here are the three legs of compliance (ideally, they will be implemented in this order):

  1. Conduct a risk analysis.
  2. Implement policies and procedures.
  3. Train your employees. 

Q14: Why should they be done in this order? 

Because the risk analysis will inform what you need to include in your policies and procedures, and your training needs to address what is in your policies and procedures. 

Q15: So what is a risk analysis? Why is it so important? And how do I conduct one? 

Unfortunately, how to conduct a risk analysis is a lengthy topic. You can find that information here.

A risk analysis is a methodical process to identify weaknesses in an organization's network, operational processes, technical controls, policies, etc. that could lead to a security or privacy breach. Specifically, the Security Rule requires covered entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information, and to document it.

A risk analysis is like having your home inspected. An inspector with a checklist, methods and tools systematically identifies potential problems with your home that a buyer should know about. In the same way, a risk analysis documents problems and issues that you may have noticed in the past but didn’t document or fix.

It also uncovers problems you weren’t aware of in the first place. The key thing to note is that the regulations require you to uncover and document potential risks. “I didn’t know” is not an acceptable excuse, because you are required to know. Risk analysis is how you stay informed. In addition, risk analysis is the process that tells you what to do about things the regulations don’t spell out. The regulations tell you to have procedures for creating, changing and safeguarding passwords. They don’t tell you what to do about a computer with an unsupported operating system, or whether the methods you have deployed to secure data in motion are sufficient. The risk analysis is what you use to answer those kinds of questions.

Q16: We’ve covered policies and procedures but what about training? 

It goes without saying that employees can’t reasonably do their jobs properly without knowing what is expected of them. They need to understand to whom PHI can be disclosed and how, what “minimum necessary” means, and the other nuances of the job that are affected by the regulations. In addition, you can’t really hold staff accountable if they lack training. So for effective compliance, the protection of PHI and operational reasons, training is important.

Thank you for tuning in to this segment of our HIPAA Explainer Series. If you're interested in learning more about HIPAA compliance, you can watch our on-demand webinar, "HIPAA Compliance Essentials, Simplified".
