Friday, August 09, 2013

SOP Friday: HIPAA Part Three - Documentation

So far we've looked at HIPAA Training and HIPAA Compliance. This week the topic is HIPAA Documentation. See the first HIPAA post for terminology and the second for a graphic on the steps to a great HIPAA compliance program.

Documentation is the most important piece of HIPAA compliance for you and for your clients. The rules are very clear: If you do everything right and don't document it, then you are out of compliance. Luckily, the requirements for small covered entities (doctors, etc.) and business associates (you) are not overly burdensome. See the documents at the Health and Human Services web site, especially the PDF "Security Standards: Implementation for the Small Provider."

Start With Yourself

Before you go sign Business Associate Agreements (see the first two posts on HIPAA), you need to make sure you are compliant. Assuming you are a pretty normal I.T. consulting company, you don't handle individually identifiable patient health information (patient records) in your office or on your computers, tablets, USB keys, or phones. In other words, there's nothing in YOUR office or possession that is protected information. So documenting your compliance is pretty straightforward.

You need to document how you handle protected information (in paper or electronic format) when you are providing service to the covered entity. Again, in most cases, you "handle" this information only when you are working on client computers or moving data. But you almost never see any actual patient information (hence the term "individually identifiable" patient health information).

So you need a tiny little binder that you can keep in your office. In that binder you need some kind of documentation that shows you have been trained on HIPAA. This could even be self-training by reading official government web sites. But you need to document it.

Next you need a statement about when and where you might have access to individually identifiable patient health information and how you handle such information. Again, this can be a paragraph or two typed up, because you just don't have much exposure.

Finally, you need copies of your Business Associate Agreements that you've signed with all clients.

Everything needs to be dated.

That's it for you. Basically, you need to be able to hand that binder to someone who wants proof of your HIPAA compliance.

Documenting Covered Entities

Covered Entities are a little more complicated because they obviously do have individually identifiable patient health information and access it every day. Remember the three components: training, compliance, and documentation. You'll need a slightly larger binder for your clients.

First, you should have a section where you document each employee's training, whether it was provided by you or by someone else. If you hold a company-wide training, you simply need to describe that in a paragraph and list the employees who attended. For ongoing training after that, the client will need to make sure this section is kept up to date.

Second, you need two sections on compliance. The first is a section on technical compliance (related to the HITECH Act - Health Information Technology for Economic and Clinical Health Act). The second is for client procedures about how their office operates. Luckily, you (probably) only have to be involved in the first.

HITECH compliance consists of describing how data are handled, encrypted, etc. and how breaches are handled. For small offices this is not complicated. Electronic medical records (EMR) are going to be inside whatever software the client is using to manage their office. You need to describe how this information is stored, managed, and moved. By "describe" I also mean describing what you've put in place to make sure the client is complying with the HITECH Act.

The client's section on compliance has more to do with the daily procedures of the office. This includes physical barriers so that patients cannot hear conversations, view other patients' charts, etc. It also includes copies of forms that might be used, including a patient privacy policy. Information in this section of the binder is outside the authority of the HITECH Act and you can avoid responsibility for it by simply limiting your services to compliance with the HITECH Act.

Third, the binder needs a section on documentation. The binder itself is documentation, of course. But you need more. You need to put all HIPAA related policies, procedures, and documents here. This includes physical descriptions of how data are handled. It also includes copies of all signed Business Associate Agreements.

Finally, you should have procedures in place to make sure that employee training is maintained, data handling procedures are followed, and documentation stays up to date. Personnel changes are a key piece of this. When someone new is hired, they need to be trained in company procedures and HIPAA generally. And that needs to be documented in the binder.

It's Just Another Day . . .

Many techs I've talked to are worried about HIPAA and concerned that they won't be able to take on the challenge of helping clients with HIPAA compliance. But don't panic. This is just another day in the woods.

The I.T. business is always changing. And it changes fast. If you've been in business five years, you've seen major changes already. And if you've been in business ten or fifteen or more years, the changes have been huge. We all learned the skills that got us where we are. So now we need to learn some new skills.

The biggest challenge seems to be getting doctors and other covered entities to follow the law. I'd love to hear any strategies you have for that!

Everything else is just an opportunity to expand your services and make more money.

Comments welcome.

- - - - -

Pinterest Resource for You

I've created a Pinterest board where I'm posting information on HIPAA compliance and fines. It's a place you can point your medical clients to if they tell you that there's no enforcement and they have nothing to worry about.

It's at:

- - - - -

About this Series

SOP Friday - or Standard Operating System Friday - is a series dedicated to helping small computer consulting firms develop the right processes and procedures to create a successful and profitable consulting business.

Find out more about the series, and view the complete "table of contents" for SOP Friday at

- - - - -

Next week's topic: Trip Charges

  1. This is more of a question than a comment. I have several clients that are using cloud based EMR solutions. They access their EMR through a secure connection on their workstations and a few through laptops. The laptops travel outside of the clinic and are used to access the EMR solution from their home or another clinic. The login access varies from just a web based login to a secure citrix or RDP login. My question is:
    Do these laptops still need to be encrypted since they have 'access' to PHI but don't 'store' PHI? I know encryption is not a requirement but if a laptop is encrypted and lost or stolen it does not need to be reported as a breach. I am having trouble tracking this information down. Thought you could help and point me in the right direction.

  2. Good question, Jason. To answer the question, look at it from a slightly different angle: If I found this laptop, would I be able to access PHI? At first glance, I see three ways that I could:

    1) Data sits unencrypted on the laptop

    2) Data is encrypted on the laptop but no passwords are required to access it

    3) No PHI data is on the laptop, but such data is accessed through a "secure connection" whose credentials are remembered in the user profile and therefore not requested when a connection is made to the web site, Citrix connection, or RDP login.

    If this is an accurate picture of the environment, you need to develop a training for laptop users, implement a policy, document the policy, and document training. The policy might look something like this:

    "All laptop users must log on with a domain username and password, which must not be stored on the machine.
    No protected health information may be stored on the laptop.
    PHI may only be accessed via secure web based login to a secure citrix or RDP login. Logon credentials must not be stored or automatically entered when accessing a secure site.
    All laptop users must receive a training on this policy and sign a verification that they have read this policy."