How I learned to stop worrying and love HIPAA: Part 2

Greg Detre
4 min read, Dec 10, 2017

From Part 1, you have a sense of what counts as Protected Health Information (PHI) and how to conduct a Risk Assessment to understand the risks to those data.

So you’ve already had your first taste of HIPAA’s documentation needs. Document it, or it didn’t happen!

Here’s how we break down our documentation:

  • Risk Assessment spreadsheet to determine what you should be worrying most about — discussed in Part 1.
  • Policy docs — these describe and dictate everything about how you’ll operate to abide by HIPAA’s rules. There’s a great deal to be said about this — you could start by looking at Catalyze.io’s open sourced policy documentation. [Note that they’re a PaaS provider — in other words, they host but do not directly collect PHI, so you’ll certainly need to rework things for your needs.]
  • Training — you need to document that your employees have received regular training, and that they’ve internalized the important points. It’s tempting to just show them an excruciating PowerPoint presentation once a year and call it done, but you know deep in your heart that this is security theatre. At the very least, employees who have access to PHI should go through training when they start and then annually. And if you don’t test that they know what they’re supposed to, they probably don’t. This should all be documented in your Workforce Policy, of course. We try to make the multiple choice answers in our quiz darkly humorous, in a bid to keep people’s attention.
    [Image: From the Sleepio HIPAA Training Quiz.]
  • Data Access Record — according to our Minimum Access Policy, we want to make sure that employees have access to just the data they need in order to do their jobs. The Data Access Record is a Google Spreadsheet with each employee as a row, and each type of PHI they can access as a column. If there’s a ‘Yes’ in any of those columns, they’re required to undergo training, and there’s a column to show when that happened last. [See below re permissions and BAA]
  • A ‘Business Associate Agreement’ (BAA) ensures that anyone who’s dealing with someone else’s PHI has to take care of it. For instance, if we were providing Sleepio to a hospital, they’d be the Covered Entity (the top of the HIPAA chain) and we’d be their Business Associate. The BAA would require us to take care of their data. If we then use a vendor (e.g. a hosting provider) or other subcontractor to help us provide those services, we in turn need to sign a BAA with them, to pass on those requirements. You also need to assess that they are sticking to what they agreed in the BAA. This is a neat kind of virality that spreads HIPAA’s protection to anyone handling PHI — there needs to be a BAA for each link in the chain.
  • Incident Reports. Let’s say a laptop gets stolen, or some other security incident occurs. Your well-trained colleagues should immediately let the Security Officer know, who determines whether this counts as a breach. If so, your Incident Response Policy determines how you escalate things. Hopefully, the laptop was encrypted, passworded and holds no PHI, so this wouldn’t count as a breach, and you can just document that it happened and why you’re confident it’s not serious. Of course, if it wasn’t encrypted and contained PHI, you’ll pay the price — now you need to begin your Incident Response, notification and other procedures. HIPAA is fairly specific about how you need to respond and who you need to notify.
  • Audits and processes. HIPAA is a journey, not a destination. You’ll need to continually audit yourself over time to ensure you’re staying compliant, and record everything. We use a kind of internal Audit & Reviews Blog, where we post results for all of our quarterly and annual reviews in reverse-chronological order. After all, if the OCR decides to check your compliance, they’ll request all of this, and if you didn’t document it, it didn’t happen.
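The rule the Data Access Record encodes (a ‘Yes’ in any PHI column means training is required, and the training must be current) is easy to check mechanically as part of a quarterly review. The script below is an added example, not Sleepio’s tooling; it assumes the spreadsheet has been exported as CSV with an `employee` column, one column per PHI type and a `last_training` ISO date column, and flags anyone with PHI access whose training is missing or older than a year.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample Data Access Record (not a real record).
# One row per employee, one column per PHI type; 'Yes' grants access.
# 'last_training' is the date of the most recent completed HIPAA training.
SAMPLE_RECORD = """\
employee,user_email,session_notes,billing,last_training
Alice,Yes,Yes,No,2017-06-01
Bob,No,No,No,
Carol,Yes,No,No,2016-09-15
Dave,No,Yes,No,
"""

TRAINING_INTERVAL = timedelta(days=365)   # annual refresher, per the Workforce Policy
META_COLUMNS = {"employee", "last_training"}
AUDIT_DATE = date(2017, 12, 10)           # the day this review is run


def parse_record(text):
    """Parse the exported CSV into one dict per employee."""
    return list(csv.DictReader(io.StringIO(text)))


def has_phi_access(row):
    """True if any PHI column (everything except the meta columns) says 'Yes'."""
    return any(v.strip().lower() == "yes" for k, v in row.items() if k not in META_COLUMNS)


def training_findings(rows, today):
    """Return (employee, reason) for every employee whose PHI access is not
    backed by current training. Employees with no PHI access are skipped."""
    findings = []
    for row in rows:
        if not has_phi_access(row):
            continue
        raw = row.get("last_training", "").strip()
        if not raw:
            findings.append((row["employee"], "has PHI access but no recorded training"))
            continue
        trained = date.fromisoformat(raw)
        if today - trained > TRAINING_INTERVAL:
            findings.append((row["employee"], f"training expired on {trained + TRAINING_INTERVAL}"))
    return findings


if __name__ == "__main__":
    for name, reason in training_findings(parse_record(SAMPLE_RECORD), AUDIT_DATE):
        print(f"{name}: {reason}")
```

Run it on each quarterly review and paste the output into the audit log; an empty result is itself worth recording.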

Tools:

  • You need to maintain these records for 6 years (more if you take state laws into account). We use Google Docs for its sharing, collaborative editing and revision history. However, Google does not promise to store all revisions for all time, and so we archive our HIPAA Policies & Docs folder as a new .zip file every year. If you use Google Docs to store any PHI, make sure to sign a downstream BAA with them!
  • For your most critical records, like the Data Access Record, lock down the editing permissions to just a couple of administrators. It’s important that these are accurate, and that they can’t easily be tampered with by an attacker or disgruntled employee.
  • Your HIPAA policies will require you to juggle various quarterly and annual reviews and audits. Set up a shared Google Calendar that defaults to email notifications, and then you can add recurring events like ‘Annual Training review (Greg)’ to denote what needs to happen, when, and who’s responsible.

As you can see, you’ll need sharp pencils to get to meaningful HIPAA compliance. And though you’ll bemoan the onerousness of writing the policies and paperwork, they serve a valuable purpose — you’ll be running a much tighter and more self-aware ship by the time you’re done.

In Part 3, we’ll consider some of the Security Rule requirements.

Greg Detre

Advisor and coach. Former Chief Data Scientist at Channel 4, co-founder of Memrise. Data Dig podcast host https://www.data-dig.com/