Why You Need a HIPAA Book of Evidence

With the HHS Office for Civil Rights expected to soon launch its HIPAA audit program, it’s worth considering creating a Book of Evidence on your organization’s compliance with HIPAA privacy, security and breach notification rules.


At a HIMSS Conference presentation in New Orleans in early 2013, Mark Dill, director of information security at Cleveland Clinic, walked through creating a Book of Evidence on an organization’s compliance with HIPAA privacy, security and breach notification rules.

With the HHS Office for Civil Rights expected to soon launch its HIPAA audit program, let’s take another look at what Cleveland Clinic did.

Creating a Book of Evidence is not difficult, takes only a couple of weeks, and keeps an organization from being overwhelmed if it is selected for an audit, Dill said. Once notified of an audit, "the clock is ticking," and an organization will likely have only about two weeks to compile and submit volumes of documentation.

Perception is reality. You can send organized, easily navigated electronic files containing just the information requested, with hyperlinks to specific documents, or you can send boxes and boxes of paper and hope HHS staff won't be too angry, he noted. "If you look disorganized, HHS will think you are," Dill asserted. An organization may be able to avoid an on-site visit altogether through the quality of the data it sends to OCR, or at least minimize the time auditors spend on site, which reduces the chance of their finding more issues.

Dill relied primarily on Microsoft SharePoint to populate, organize and store HIPAA policies, procedures and documentation of compliance. Building a Book of Evidence, or BOE, starts with homework: critiquing your risk analysis; reviewing HHS guidance documents from OIG, OCR and CMS; and reviewing healthcare breach trends to learn which risks the government is most concerned about.

Other tools for the BOE include the Microsoft Office suite; privacy and security reporting tools, such as one that can show OCR a security profile of mobile devices; annotated screen prints that capture the security settings on information systems and devices; and the full suite of Adobe Acrobat. "You will become an expert on a Book of Evidence the first time you make one, and I've made three by now," Dill said.

According to Dill, a BOE will show proof that the risk analysis is updated whenever business changes or new information systems are introduced; that incident response is a quick, effective and repeatable process; that all employees have received timely HIPAA training, with their scores available; that appropriate authentication controls are in place; and it can even include the receipts for security technology purchases such as encrypted hard drives.

A "risk register" in Cleveland Clinic's BOE documents the effects of a breach, disaster or other calamity on specific information systems. For instance, in a 14-column scoring table, the clinic assessed the impact of a tornado or high-wind event on its data center; identified that it was vulnerable to such events; determined that a new data center was an option; scored the impact of an event in four areas (probability, confidentiality, integrity and availability), ending with a risk score that was unacceptably high; listed the specific sections of government regulations and policies covering contingency planning as justification for a new data center; recorded the decision to mitigate; and, in the last column, updated the status as the data center was built, completed and occupied.

Not everything in a risk register needs to be fixed. Few organizations have the funds to mitigate all the risks they identify, even the big ones. The risk register lets an organization document that it is aware of risks and mitigating them as much as possible, Dill said. The money for big projects can be deferred over multiple budget cycles, as the data center was. "You need to show good faith. If you can't do the nines or even the sixes, go do all the twos and threes."
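The risk register described above lends itself to a small worked model. The following Python is an added example, not code from the article or from Cleveland Clinic: it keeps one register row per threat with the column groups the article names (system, threat, vulnerability, option, four scores, risk score, justification, decision, status history) and implements Dill's "mitigate or knowingly accept" outcome. The scoring scale (1 to 3 per area), the formula (probability times the highest of the C/I/A impacts, giving scores of 1 to 9), the acceptability threshold and the regulation citation are all assumptions made for the example; the article gives none of them.

```python
"""Toy HIPAA risk-register scorer (added example; scoring model is assumed)."""
from dataclasses import dataclass, field

RATING_RANGE = range(1, 4)      # assumed scale: 1 = low, 2 = medium, 3 = high
ACCEPTABLE_MAX_SCORE = 3        # assumed threshold: a score of 4 or more is unacceptable


@dataclass
class RiskEntry:
    """One row of the register; the fields mirror the column groups in the article."""
    system: str
    threat: str
    vulnerable: bool            # is the system actually exposed to this threat?
    option: str                 # candidate remediation, e.g. "new data center"
    probability: int
    confidentiality: int
    integrity: int
    availability: int
    justification: list         # regulation/policy sections cited for the decision
    decision: str = "undecided"
    status_history: list = field(default_factory=list)

    def impact(self) -> int:
        # Assumed: the worst of the three CIA impacts drives the score.
        return max(self.confidentiality, self.integrity, self.availability)

    def risk_score(self) -> int:
        for name in ("probability", "confidentiality", "integrity", "availability"):
            value = getattr(self, name)
            if value not in RATING_RANGE:
                raise ValueError(f"{name} must be in 1..3, got {value!r}")
        return self.probability * self.impact()

    def acceptable(self) -> bool:
        return self.risk_score() <= ACCEPTABLE_MAX_SCORE

    def decide(self) -> str:
        """Record the decision column: not applicable, accept, or mitigate."""
        if not self.vulnerable:
            self.decision = "not applicable"
        elif self.acceptable():
            self.decision = "accept"     # documented, aware, knowingly accepted
        else:
            self.decision = "mitigate"
        return self.decision

    def update_status(self, note: str) -> None:
        """Append to the last column as the mitigation progresses."""
        self.status_history.append(note)

    def row(self) -> dict:
        """Flatten the entry into the columns an auditor would read."""
        return {
            "system": self.system, "threat": self.threat,
            "vulnerable": self.vulnerable, "option": self.option,
            "P": self.probability, "C": self.confidentiality,
            "I": self.integrity, "A": self.availability,
            "risk_score": self.risk_score(), "justification": "; ".join(self.justification),
            "decision": self.decision, "status": self.status_history[-1] if self.status_history else "",
        }


def build_register() -> list:
    """Constructed sample rows modelled on the article's tornado example."""
    tornado = RiskEntry(
        system="primary data center", threat="tornado / high wind",
        vulnerable=True, option="build a new data center",
        probability=2, confidentiality=1, integrity=2, availability=3,
        # Assumed citation: the Security Rule contingency-plan standard.
        justification=["45 CFR 164.308(a)(7) contingency plan", "internal DR policy 4.2"],
    )
    lost_badge = RiskEntry(
        system="visitor kiosk", threat="lost staff badge", vulnerable=True,
        option="badge revocation procedure", probability=1, confidentiality=2,
        integrity=1, availability=1, justification=["access-control policy 2.1"],
    )
    flood = RiskEntry(
        system="rooftop imaging suite", threat="ground-floor flooding", vulnerable=False,
        option="n/a", probability=3, confidentiality=1, integrity=1, availability=3,
        justification=[],
    )
    register = [tornado, lost_badge, flood]
    for entry in register:
        entry.decide()
    tornado.update_status("funding deferred to next budget cycle")
    tornado.update_status("new data center built and occupied")
    return register


def summarize(register: list) -> dict:
    """Count rows per decision so the cover sheet can show 'aware and acting'."""
    counts = {}
    for entry in register:
        counts[entry.decision] = counts.get(entry.decision, 0) + 1
    return counts


if __name__ == "__main__":
    for entry in build_register():
        print(entry.row())
```

The `status_history` column is the part worth keeping honest: a deferred mitigation that shows successive budget-cycle notes demonstrates the "good faith" Dill describes, whereas a row whose score is 6 and whose status column is empty is exactly what an auditor will ask about.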
