HIPAA Survival Guide Newsletter November, 2020

Visible, Demonstrable Evidence

"The only way to improve an organization’s compliance narrative is to improve its ability to produce visible, demonstrable, evidence of compliance over time, at the granularity level of a requirement.
To demonstrate compliance with a legal Requirement, like the many associated with HIPAA an organization must not only provide results of a comprehensive Risk Assessment but also must be able to provide visible, demonstrable evidence (“VDE”) for each Requirement mandated by the Compliance regime. Compliance is not an abstraction. You can only comply at the granularity level of a Requirement.
For each Requirement, you must be able to show the following:
1.   A Policy;
2.   A set of organizational Processes that underpin said Policy; and
3.   Evidence that your organization has implemented Process results for each Requirement.
Most (if not all) complex regulatory Regimes require a persistent effort over time to build a “good compliance story.” The story requires the ability to demonstrate VDE coverage for all Requirements, with improvements as needed. Without VDE, it is impossible to say whether you are compliant with a Regime and, moreover, the state of that compliance. Scorecards, discussed below, require measuring progress at the granularity level of a Requirement and provide insight into the organization’s level of compliance.
When you undergo an audit or participate in some other legal or administrative proceeding, the inquiries are guaranteed to be targeted at specific Requirements. If you have a methodology in place for attacking and measuring a Regime’s Requirements, then you are going to be much better off than your colleagues. In general, your Compliance initiative will be measured against those of other organizations of the same size, complexity, sophistication, and resources. For example, in the HIPAA space, a small ambulatory practice’s initiative will not be compared to that of a mega-hospital. Why? Because what the latter does by way of compliance is likely to impact a greater number of stakeholders, thus increasing the risk that if something goes wrong, it will go wrong at scale. Furthermore, a large hospital has significantly more ePHI touch-points than a small ambulatory practice; therefore, risk remediation may not be addressed at the same level for a small organization as it will for a large one.
That said, there is no “HIPAA lite” for small ambulatory practices nor business associates. Everyone is required to produce VDE for each Requirement. When (not if) you have a Breach, your Compliance initiative will be under a microscope. Ignore basic Requirements and you are certain to be found in willful neglect; which under HIPAA means Civil Monetary Penalties (“CMPs”) that start at $50K per violation. It will ruin your day. If you have not taken your Compliance initiative seriously then the authorities are going to have a “field day.” Your counsel, instead of making a compelling argument of your good faith efforts to comply, will end up begging for favors to get the CMP reduced. Also, consider the fact that the CMP is not the worst of your economic nightmares. You will face remediation costs, Breach Notification costs, legal costs, reputation damages, etc. In extreme cases “heads will roll”— potentially including the CEO. Although this example uses HIPAA, it is applicable to all Regimes that require Breach Notification; just change the names to protect the guilty.
On the other hand, if you can show VDE for most Requirements, and a corresponding methodology for measuring progress over time, then you will still have a bad day, but it may not be ruinous. Your counsel will have a solid foundation for arguing that CMPs should be reduced. Other than Breach costs (which will no doubt still be significant) you may be able to minimize or eliminate any willful neglect costs.