HIPAA Survival Guide Newsletter March 2017: Issue 87
Your HIPAA Compliance Companion
Showing HHS Visible, Demonstrable, Evidence
This article will address the kinds of visible, demonstrable evidence ("VDE") that your organization should be prepared to show HHS during an audit. It will also discuss what a business associate ("BA") should be prepared to show a covered entity ("CE") when the former is asked by the latter to show proof of compliance. Of course, as you might expect, there is potentially a significant overlap between what a stakeholder might show HHS or a CE (each a "Requestor"). However, what is shown to a Requestor could also vary widely, as discussed herein.
As a threshold matter, you should be prepared to discuss VDE regarding something that is not found in HHS' audit protocol; that is, VDE pursuant to the methodology your organization has put in place to ensure coverage of all compliance requirements and, moreover, the methodology that will help a Requestor understand that your organization is serious about pursuing a culture of compliance. In other words, the VDE that you show a Requestor should all fall within a compliance framework that is underpinned by your methodology. Showing VDE pursuant to your methodology helps frame the discussion in a manner that creates the desired perception of your organization's commitment to your HIPAA compliance initiative ("HCI").
The principal takeaway from our discussion thus far is that you are not simply "throwing documents" at a Requestor; rather, the documents you provide should demonstrate VDE and fit within a well-thought-out approach that governs your organization's thinking across the entirety of your HCI. We can assure you, with a high degree of confidence, that initiating the conversation with the Requestor in this manner not only sets the proper context but, more importantly, goes a long way toward influencing the Requestor's perception that your organization is one-hundred percent (100%) committed to your HCI, or any compliance initiative for that matter.
For the purposes of this article, we will take a more business-like approach to what you should be prepared to show a Requestor, as compared to the voluminous (and at times indecipherable) requirements contained within HHS' Audit Protocol Revision 2 (circa April 2016; the protocol is available for download as a PDF). We will break down the documents according to the individual Rules: (1) Privacy Rule; (2) Security Rule; and (3) Breach Notification Rule.
For the purposes of the article we are "tree topping" the kind of VDE required for each Rule. The intent is that you should be able to quickly review the documents and categories proffered in the article and determine whether your organization is indeed meeting these requirements. It should provide you a quick reality check as to where your HCI currently stands.
The Privacy Rule: You should be prepared to show the following documents and document categories:
- A methodology for determining when the Privacy Rule has been violated.
- The ability to process Authorizations according to the Omnibus Rule.
- Omnibus Rule compliant Notice of Privacy Practices.
- Omnibus Rule compliant Restriction Requests.
- The ability to process requests for access to PHI.
- The ability to process requests for amendments to PHI.
- The ability to process requests for an accounting for disclosures of PHI.
- Demonstration of a named Privacy Officer with his/her personnel file updated.
- Policies and procedures at the granularity level of a requirement.
- The ability to track process results at the granularity level of a requirement.
- A training program for your entire workforce.
- A specialized training program for certain individuals within your workforce.
- Business Associate Agreements.
The Security Rule: You should be prepared to show the following documents and document categories:
- A methodology for determining when the Security Rule has been violated.
- Policies and procedures.
- Risk Assessment reports for one or more risk assessments.
- Demonstration that you have implemented an evergreen Risk Mitigation framework (see NIST SP 800-37 Rev. 1).
- Sanction policy.
- Ability to track system activity logs.
- A named Security Officer with his/her personnel file updated.
- Workforce Security Processes.
- Security Awareness Training across the organization.
- Security Incident Tracking.
- Contingency plans for: (a) disaster recovery; (b) emergency mode operations; and (c) Application Criticality.
- Technical controls to support all of the above.
- Physical plant and equipment controls.
- Business Associate Agreements.
The Breach Notification Rule:
- A methodology for determining when Breach Notification is triggered.
- Model letters to notify patients.
- Model letters to notify major media when required.
- Model letters to notify the Secretary of HHS.
- The ability to document Security Incidents.
- Timeliness of reporting for CEs.
- Timeliness of reporting for BAs.
1. Compliance always exists along a continuum where full compliance is often nothing more than an aspirational goal.
2. Compliance is a journey and not a destination, which implies the creation of a culture wherein compliance is something you do as part of your organization's mission and not as some necessary evil.
3. Compliance is not an abstraction but rather is always manifested at the granularity level of a requirement.
4. For each requirement you need the following three things to demonstrate visible, demonstrable evidence:
4.1 Policies;
4.2 Processes that underpin your Policies;
4.3 the ability to track process results.
5. Agile is the only compliance methodology that matters; all others are anachronisms that belong in the dustbin of history because they are woefully inadequate for a rapidly changing complex world.
6. Every compliance regime is a wicked problem that contains an order of magnitude more organizational complexity than technical complexity; however, the latter is ever present and almost always nontrivial.
7. The only way to improve an organization's compliance narrative is to improve its ability to produce visible, demonstrable, evidence of compliance over time, at the granularity level of a requirement.
8. Checklists that provide suggested policies, processes, and tracking mechanisms at the granularity level of a requirement prove invaluable because compliance regimes are (almost always) descriptive and not prescriptive (i.e. requirements inform you as to what should be done but not how to do it).
9. Analytical frameworks and modeling (often one and the same thing) are proven educational transfer vehicles when deciphering the meaning and/or intent of a requirement.
10. Scorecards based on specific requirements are the only way to measure progress of your compliance initiative (i.e. by definition, if you are in compliance with all the requirements of a regulatory regime then you are in compliance).
HIPAA Survival Guide New Product Release
Do you need a Contingency Framework?
The HIPAA Security Rule requires that your organization comply with its Contingency Standard (i.e. "Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.")
The Contingency Framework has five implementation specifications:
1. Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
2. Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.
3. Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
4. Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans.
5. Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components.
Our Contingency Framework
Our Contingency Framework ("Framework") offers guidance for complying with this standard. With the Framework, you'll be able to determine what you need to do in order to satisfy these five implementation specifications ("Controls"). In addition, you are provided templates that help you mitigate the risks posed by the absence of these Controls. These Controls are now generally referred to as "Business Continuity." Business Continuity is a very complex topic; however, similar to the manner in which other wicked problems are attacked, the most important thing that any organization can do is to fail forward fast; that is, to put a foundational solution in place and then proceed to refine it over time as specific requirements manifest.
*Currently Available to HIPAA Survival Guide Subscription Plan Holders
The HIPAA Survival Guide Subscription Plan
Now Includes Expresso® The Risk Assessment Express
Expresso® is easy-to-use Risk Assessment software that allows you to identify security objects, risks, threats and vulnerabilities, determine impacts and assign controls at a glance!
Expresso® allows you to do a Baseline Risk Assessment in 3 hours or less!
Our "Quick Start Guide" gets you off and running to complete your first Risk Assessment. Expresso® comes pre-populated with all the Risks, Threats, Vulnerabilities and Impacts necessary to complete a Baseline Risk Assessment.
1) Perform a Baseline Risk Assessment in a matter of hours
2) Bulk import Security Objects (people, places, assets, processes and other things that Security Controls are applied to)
Expresso® will allow you to do all of the above, and so much more! In addition, the HIPAA Survival Guide Subscription Plan also includes Policies and Procedures that can be customized for your organization.
Protect Your Practice and Your Business
Give Your Organization's Compliance Initiative The Boost It Needs To Survive An HHS Audit With The HIPAA Survival Guide Subscription Plan With Expresso®