What Documentation is Required to Pass a HIPAA Audit?

February 25, 2021

Let’s face it – in today’s digital environment, the risks of a HIPAA data breach have increased significantly, and so have the chances of a full-scale Office for Civil Rights (OCR) HIPAA audit investigation (if you doubt us, just look at last year’s historic fines to see what the OCR does to non-compliant providers). If the worst should happen, how can you show your practice had the right HIPAA policies and requirements in place beforehand? Documentation, documentation, documentation.

So the big question: if the OCR walked into your practice right now, would you know exactly what documentation to hand over? No need to raise your hand if you aren’t quite sure – you’re not alone. In fact, the latest HIPAA Industry Audit Report found that most practices don’t know where HIPAA documentation even begins (fun fact: several audited practices provided totally irrelevant documentation, such as patients’ insurance prescription coverage, instead of their Security Risk Analysis documentation). The word ‘HIPAA’ doesn’t need to call to mind a bulky binder collecting dust in a filing cabinet, however – done right, HIPAA documentation can be quite the opposite.

The next question: what documentation do you actually need to have? Luckily, we have the answers. While the details will vary a little based on your practice’s size and type, here are the absolute must-haves when it comes to HIPAA:

  • Technical, Physical and Administrative safeguard-related policies and procedures (that are up to date AND specific to your practice)
  • A Notice of Privacy Practices (which should be posted publicly to your website as well)
  • Patient Authorization Forms for disclosing protected health information (PHI)
  • An updated and ongoing Security Risk Analysis (at minimum, you should have one complete SRA per year)
  • Signed Business Associate Agreements with all third-party vendors your practice works with that have PHI access
  • Certificates of completion for HIPAA employee training (completed yearly, and covering both staff AND doctors)
  • Employee onboarding and termination procedures
  • Disaster recovery and contingency plans
  • IT security system records (such as audit trails and access records of all ePHI and PHI)
  • Patient Health Data Request Forms if your practice chooses to accept written requests for medical records
  • Incident and Breach Notification documentation
  • Asset logs for all devices containing electronic protected health information (ePHI)
  • An access log that includes the name, date of access, and access type for any business associate or individual who was given access to your database or PHI
  • Media consent forms if your practice uses any patient images or testimonials for marketing purposes

In addition to the lengthy list of ‘must-haves’, there are stipulations for how long your practice needs to keep this documentation on hand. HIPAA law requires practices to retain the above documents for a minimum of 6 years, or longer depending on state-specific laws.

Once you have all the above, you need to actually be able to find it, and have it in a format you can easily share with your friendly neighborhood auditor. An electronic HIPAA manual not only takes up a whole lot less room than a bulky binder does, but it is also much easier to keep current, especially as HIPAA rules are constantly being updated.

The icing on the cake when it comes to passing an audit? Having an outside HIPAA resource to interpret the OCR’s audit-related documentation requests. There’s a lot the OCR could ask for (trust us, we know firsthand), so make sure to consult with your legal team or HIPAA resource (hint hint) if you ever get that dreaded OCR letter.