HIPAA Documentation AKA Telling Your Compliance Story

The way you tell any story is with pictures and words.  Documentation is a required element of HIPAA regulations that allows you to tell your compliance story.  I mentioned how important documentation is in the Plan of Attack for HIPAA 2.0 article.  What should your documentation include and how do you manage it?

The Security Standards specify that documentation can be paper or electronic plus:

  • Includes the policies and procedures written to meet the compliance requirements
  • Includes records of any action, activity, or assessment required for compliance
  • Is available to those responsible for implementing the procedures
  • Is reviewed and updated as needed in response to environmental or operational changes affecting the security of ePHI
  • Is maintained for a period of 6 years from the date of creation or the date it was last in effect, whichever is later

"Policies and procedures" is a phrase common to every HIPAA discussion.  Everyone knows you need them, and many services provide printed or downloadable templates for creating them.  The standard templates, though, don’t know your specific workflow and locations.  If you use a template, make sure you fill it in and tailor it properly.  I have seen a HIPAA manual whose official copy still included pages that said [ENTER YOUR PRACTICE NAME HERE].  It doesn’t take much thought to guess what that practice’s compliance assessment is going to show.  Leon Rodriguez mentioned at the ONC Annual Meeting:

The other issue we saw in a number of cases were issues with policies and procedures. And my favorite one were folks who actually printed policies and procedures off the internet on the day they got the letter from our auditors. And it actually showed the date line from the internet as being when the policies and procedures were issued.

Records of any action, activity, or assessment should show regular, ongoing activity, because HIPAA compliance is an ongoing exercise rather than a one-time event.  Once your Risk Analysis is done and thoroughly documented, you will have Risk Management and Mitigation Plans to follow: projects to complete, training to perform, reviews that must be done, and more.  All of those should be documented.  This is a bit different from simply writing out policies and procedures; it is closer to project planning and management documentation.

Availability is specifically mentioned because those responsible for implementing and reviewing the compliance activity can’t do it well if they don’t have unfettered access to exactly what they are supposed to be doing.  This is another reason it really isn’t sufficient to keep a printed manual in an office any longer.  Even if you print multiple copies, there are a few problems:

  1. Printing that much paper can be expensive if several copies are required.
  2. How can you be sure every copy is complete?
  3. How do you access the manual if you aren’t in the office where the printed copies are kept?
  4. Updates are cumbersome: each time, you have to make sure the correct version is the one being changed and distributed.

Review and updates should happen regularly until you feel you have everything under control.  Right now many groups are still sorting out everything that needs to be done, and that work shouldn’t be put off at all.  Once the plan is in place and well documented, though, you should review all of your plans, policies and procedures at least annually.  Any substantial change to your business activities, locations or structure should also trigger a review.

Maintaining copies for 6 years means you can show a history of all activities and of every change to your plans, procedures and policies.  That is the final part of telling your story: the record of what you decided along the way, and why.

The OCR audit protocols clearly expect you to use your documentation to tell your compliance story, and to have it easily accessible.  The audit questions ask for details, and the time frame for responding is very limited.  Your overall compliance plan should therefore include a standardized method for maintaining all of your documentation so that you can tell your story quickly and thoroughly.

There are many compliance management software tools on the market at varying price levels that handle these requirements.  Without a dedicated compliance tool, you need to develop a method using other tools, such as spreadsheets and project management applications, to build and maintain your documentation.  Doing this with a printed manual sitting on a shelf just won’t cut it any longer.  We believe the best solution is a cloud-based tool set that keeps everything available, secured and connected.  Others prefer spreadsheets and documents they manage manually.  Find something that will work for you sooner rather than later.  You need to be able to tell your story from the beginning, so start today if you don’t have anything yet.  Every day matters.
