HIPAA Documentation Requirements

A HIPAA document is more than a policy. It’s proof you care to safeguard patient data.

By: Brand Barney, SecurityMetrics
A massive chunk of your HIPAA compliance process should be spent recording what you’ve completed. Also known as documentation and largely considered a pain by most people, this process is absolutely necessary for true HIPAA compliance . . . and your own sanity.

Documentation helps others comprehend what has been done, what still needs to be done, and where the problems are in your environment. Documentation is the failsafe that keeps your hands clean, keeps your company transparent, and keeps your security efforts organized.


Why document?

When a healthcare organization doesn’t have documentation, its HIPAA compliance program is effectively directionless. Without a recorded comparison against last year’s security plan, this year’s efforts have no baseline to be measured against. If done correctly, documentation creates a baseline security standard for every process, workforce member, and system at your organization.

There are four main reasons why proper documentation remains crucial to healthcare organizations looking to reach HIPAA compliance.
  1. Your future: If you document your hard work this year, you’re making next year’s job that much easier. You’re going to save time and money, which means less overall stress for you and your team. I promise updating already existing documentation is much easier than starting from scratch.
  2. Your legacy: If you move on to bigger and better career opportunities, documentation will give your successor a great view into the environment.
  3. The HHS: If the HHS comes knocking, proper documentation is your get-out-of-jail-free card. If you can prove in your documentation how you’re working toward full HIPAA compliance, they will likely be more lenient. *Note: Make sure you’re actually implementing the policies you’re documenting. If you haven’t implemented anything in your documentation, this is a major detriment to you, your Protected Health Information, and your organization.
  4. Your security auditor: When I first arrive onsite to audit an organization’s security posture, I know next to nothing about their environment. One of the best ways I can understand more about the location is through reading documentation. If no documentation exists, it makes my job harder and the process more difficult.

How to meet HIPAA documentation requirements

So what are HIPAA documentation requirements?

Many organizations are confused on what exactly they should be documenting and how they should be documenting it. Generally speaking, you should record the who, what, when, where, how, and why of everything relating to Protected Health Information (PHI) in your environment. It should demonstrate in writing where you are today, where you’ve progressed over the years, and what your plan is for the future.

Your documentation should answer questions, such as:
  • What is our security stance in general?
  • What are our risks and vulnerabilities?
  • How secure are our workstations?
  • Do our workforce members understand how to safeguard PHI?
  • What is the state of our location’s physical security?
  • How does BYOD factor into our security strategy?
  • What have we learned during our HIPAA compliance process?
To answer those broad questions, dive into the detailed answers of deeper, more technical questions, such as:
  • Who holds our encryption keys, and how do we secure them? Where are they stored? What are those key holders’ responsibilities and role-based access levels?
  • Who has access to our firewalls? How are those firewalls configured? Which systems do those firewalls surround? Are they up-to-date? Do we have a change control process?
  • Do we use FTP? How is it configured? Do we have vendor documentation for FTP?

Documents you should start working on

If you haven’t already guessed, HIPAA documentation requirements go way beyond policies and procedures. If you’re looking for ideas on what you should be documenting at your organization, here’s a list to get you started.
  • HIPAA Risk Management Plan
  • HIPAA Risk Analysis
  • PHI location documentation (e.g., a PHI map)
  • Notice of Privacy Practices
  • How you’ve eliminated third party risks
  • Software development lifecycles
  • Business associate agreements (BAA) and/or enforceable consent agreements (ECA)
  • How the environment is coping with identified vulnerabilities
  • Incident response plan/breach response plan
  • Current/future goals and milestones
  • Explanation of unimplemented addressable implementation standards
  • Work desk procedures
  • Training logs
  • Compliant processes and procedures
  • List of authorized wireless access points
  • List of all devices including physical location, serial numbers, and make/model
  • Electronic commerce agreements
  • Trading partner security requirements
  • Lists of vendors
  • Lists of employees and their access to systems
  • Diagram of your physical office, including exit locations
  • Disaster recovery book
  • Employee handbook
  • Policies and procedures for the Security Rule, Privacy Rule, and Breach Notification Rule

Maintenance is your friend

The biggest disservice you could do while meeting HIPAA documentation requirements is to spend weeks gathering paperwork, and then place it on a shelf until next year. HIPAA documentation is only as good as its accuracy. In order to keep your HIPAA document collection up to date, you must constantly revise and add to it.

Just like all your other weekly activities, documentation should be an ongoing part of your entire business-as-usual security strategy. Try to examine and adjust at least one piece of documentation each week. Don’t pile it into one day, or one month at the end of the year.

Need help with your documentation? Let me know, I can help!

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.
