Want to Impress OCR During a HIPAA Audit? Write a Book

Here is a tutorial from the Cleveland Clinic on maximizing proof of HIPAA privacy/security rule compliance through organized documentation by making a Book of Evidence.


Health Data Management’s May Cover Story, “HIPAA Audits: Are You Ready?” walks through how to prepare for and pass an audit of compliance with the HIPAA privacy and security rules from the HHS Office for Civil Rights. Included is this tutorial from the Cleveland Clinic on maximizing proof of compliance through organized documentation by making a Book of Evidence:

Creating a Book of Evidence on an organization's compliance with HIPAA privacy, security and breach rules is not difficult, only takes a couple of weeks, and helps an organization not be overwhelmed if it's selected by the HHS Office for Civil Rights for a random HIPAA audit, says Mark Dill, director of information security at Cleveland Clinic.

Once notified of an audit, "the clock is ticking" and an organization likely will only have about two weeks to compile and submit volumes of documentation, he adds. Perception is reality, he reminded attendees of the Privacy & Security Workshop at the HIMSS13 Conference in New Orleans. You can send organized and easily navigated electronic files of just the information requested with hyperlinks to specific documents, or you can send boxes and boxes of paper and hope HHS staff won't be too angry, he notes. "If you look disorganized, HHS will think you are." An organization may be able to avoid an on-site visit just by the quality of data it sends to OCR, or at least can minimize the time spent on site, which avoids auditors finding more issues.

Dill primarily relied on Microsoft SharePoint to populate, organize and store HIPAA policies, procedures and documentation of compliance. Building a Book of Evidence, or BOE, starts with homework-critiquing your risk analysis; reviewing HHS guidance documents from OIG, OCR and CMS; and reviewing health care breach trends to learn which risks the government is most concerned about.

Other tools for the BOE include Microsoft Office Suite, privacy and security reporting tools such as being able to show OCR a security profile of Blackberries, annotated screen prints that give screen shots of security settings on information systems and devices, and the full suite of Adobe Acrobat. "You will become an expert on a Book of Evidence the first time you make one and I've made three by now," Dill says.

A BOE will show proof of updating the risk analysis with introduction of business changes or new information systems; an incident response system that is quick, effective and a repeatable process; that all employees have received timely HIPAA training with their scores available; that appropriate authentication controls are in place; and can even show the receipts for security technology buys such as encrypted hard drives, Dill says.

A "risk register" in Cleveland Clinic's BOE documents the effects of a breach, disaster or other calamities on specific information systems. For instance, in a 14-column scoring table, the clinic assessed the impact of a tornado or high wind event on its data center, identified it was vulnerable to such events, determined a new center was an option, scored the impact of an event in four areas (probability, confidentiality, integrity and availability) ending with a risk score that was unacceptably high, listed specific sections of government regulations and policies covering contingency planning as justification for a new data center, made the decision to mitigate, and in the last column updated the status as the data center was built, completed and occupied.

Not everything in a risk register needs to be fixed. Few organizations have the funds to mitigate all the risks they identify, even the big ones. The risk register lets an organization document that it is aware of risks and mitigating them as much as possible, Dill notes. The money for big projects can be deferred over multiple budget cycles, as the data center was. "You need to show good faith. If you can't do the nines or even the sixes, go do all the twos and threes."

On his Web site, security consultant Tom Walsh, who puts together the annual privacy and security workshop at HIMSS, has page samples of how to document risk assessment and management plans for information systems, including information needed and the best presentation formats. Go to Tomwalshcon-sultingllc.com/Samples.

More for you

Loading data for hdm_tax_topic #better-outcomes...