The Role of Documentation in the HIPAA Program

Providers spend a lot of time talking about how to improve the quality and timeliness of service documentation, but there is another type of documentation that deserves our attention as well. Without proper and sufficient documentation, it is nearly impossible to maintain an effective HIPAA program. If a provider experiences a breach that impacts more than 500 people, or if there is a complaint to the Office for Civil Rights (OCR), the provider will have the opportunity to show the OCR how robust the privacy/security program is and to establish how effective the program is when it comes to meeting the requirements of HIPAA and HITECH. The absolute best way to illustrate this for regulators is through solid and complete documentation that shows how the HIPAA program is “alive and well” on a daily basis.

As has been stated previously in this blog, there are two types of providers: those that have had a breach and those that don’t know they have had a breach. HIPAA breaches are simply a fact of life for community providers, and it is essential to properly document the response from the very beginning. Every Privacy Officer should maintain a log that details the date, time and nature of each and every potential breach, regardless of the size. It doesn’t matter if only one person is impacted or if the PHI of hundreds of clients has been disclosed; every potential breach incident should be logged in order to ensure the integrity of the program.

But logging the incident is not enough; when a potential breach or impermissible disclosure is brought to light, it is time for the investigation policy to kick in. Documentation of how the investigation was conducted, who was interviewed and how a determination was made is essential for showing that the provider truly does have, and follow, an effective HIPAA compliance program. The old proverb “if it isn’t in writing, it didn’t happen” applies in this situation. The OCR expects providers to maintain documentation to show the HIPAA program is more than just a policy that sits on the shelf. The life of a community provider moves pretty fast and can be hectic at times, and it is easy to deal with an incident on the fly, so to speak, with the intent to catch up on the documentation later. That can be a dangerous proposition, because often the documentation never happens.

Ensuring proper documentation for each step in the investigation and resolution process will pay great dividends in the event of an OCR investigation. Even more important, though, is the fact that providers that have the discipline to properly document all potential breach incidents have a much more effective HIPAA program, which leads to fewer incidents.