Corporate Compliance

Q&A: Documenting HIPAA compliance

Compliance Monitor, August 19, 2009

Q: What auditing and documentation is necessary to demonstrate HIPAA compliance?

A: The HIPAA security rule requires covered entities to conduct four types of audits. Three are periodic, and one is annual. The periodic audits include an information systems activity review, user login monitoring, and audit log review (from systems, databases, etc., for storage, use, and disclosure of PHI). The annual audit is called an evaluation and is more commonly known as a compliance audit.

Documentation is a primary requirement of demonstrating HIPAA compliance. Documentation includes retaining written or electronic results of a risk analysis, documenting the results of an audit, developing and implementing comprehensive privacy and security policies and procedures, and documenting staff training and security incident responses.
The nature of this column makes including a complete list of requirements and steps to follow to demonstrate HIPAA compliance difficult. HCPro, Inc., offers several tools to assist covered entities and business associates in complying with HIPAA, including addressing auditing and documentation requirements, at www.
Additionally, free tools and information are available from OCR for privacy matters and CMS for security matters.
Chris Apgar, CISSP, answered this question in the August 2009 issue of the HCPro newsletter Briefings on HIPAA. For more information about this newsletter visit the HCMarketplace.

Most Popular