Health Information Management

HIPAA Q&A: HIPAA compliance documentation

HIM-HIPAA Insider, December 28, 2009

Q. What auditing and documentation is necessary to demonstrate HIPAA compliance?

The HIPAA security rule requires covered entities to conduct four types of audits. Three are periodic and one is annual. The periodic audits include an information systems activity review, user login monitoring, and audit log review (from systems, databases, etc., for storage, use, and disclosure of PHI). The annual audit is called an evaluation and is more commonly known as a compliance audit.

Documentation is a primary requirement of demonstrating HIPAA compliance. Documentation includes retaining written or electronic results of a risk analysis, documenting the results of an audit, developing and implementing comprehensive privacy and security policies and procedures, and documenting staff training and security incident responses.

Editor’s note: Chris Apgar, CISSP, answered this question. This is not legal advice. Consult your attorney regarding legal matters.

Most Popular