HIPAA Audits: Documentation Tips
Cleveland Clinic's Security Leader Shares His Strategy
While the Cleveland Clinic was not one of the 115 covered entities audited by the Department of Health and Human Services' Office for Civil Rights during the 2012 pilot HIPAA security audit program, the healthcare provider is gathering risk assessment documentation and other evidence that OCR might request in any potential HIPAA security review.
"We're choosing to be proactive and have our documentation in a relatively ready state," says Dill, Cleveland Clinic's information security director, in an interview with Information Security Media Group. "We've heard stories of early audits where boxes of paper were thrown at a regulator, and that will just annoy [HHS], which pays a large percentage of the revenue of many hospitals and providers" through the Medicare and Medicaid programs, he says.
OCR officials have said a permanent HIPAA security audit program is expected to begin sometime after the start of fiscal 2014 on Oct. 1; it will include business associates as well as covered entities. Under the HIPAA Omnibus Rule, business associates are directly liable for HIPAA compliance.
Of the 115 covered entities audited in last year's pilot program, two-thirds had non-existent or inaccurate risk assessments, OCR officials have said.
In addition to random HIPAA audits, OCR often also evaluates the status of organizations' HIPAA compliance as part of the office's data breach investigations.
Role of Repository
Dill recommends creating a centralized documentation repository that builds a book of evidence based on what other organizations have been asked for in HIPAA security audits and other OCR investigations. "Document all your risk management decisions" and make that part of the document repository, he urges.
To assist with documentation, Dill uses Microsoft Office Suite, SharePoint, and the full version of Adobe Acrobat "so that I can bookmark," he says. That practice can help put all important details and evidence in an easy-to-retrieve format that "won't break the bank," he adds.
Documentation related to an organization's enterprise risk analysis is important, he says, considering that the initial round of HIPAA compliance audits conducted in the pilot program showed that many covered entities do a poor job conducting thorough and timely risk assessments.
"It's hard to believe that some of the first 115 [audited organizations] have been caught without that documentation," Dill says.
In the interview, Dill also discusses:
- Ways to help ensure risk assessments are timely and thorough;
- Other documentation that should be part of a centralized repository for HIPAA compliance evidence;
- The other types of HHS investigations for which healthcare organizations should be well-prepared.
Cleveland Clinic is a multi-specialty academic medical center with more than 3,000 physicians and scientists; it has more than 5 million patient visits annually.
Dill has worked in information security at the Cleveland Clinic for more than 20 years, including the last 13 as its director of information security. In that post, Dill is responsible for the deployment of information security and disaster recovery best practices and regulatory compliance. He has more than 25 years of IT and technical management experience, with a focus on implementing strategic and tactical security initiatives.