Policies, Procedures and the Book of Evidence

Video 20 of 27
1 min 34 sec

In this lesson, we'll be covering HIPAA policies and procedures (aka: The Book of Evidence), including what the Book of Evidence should consist of and one very important key point to remember when putting together your own Book of Evidence. At the end of the lesson, we'll provide you with a Word about how to become HIPAA compliant.

Every business or practice that has access to PHI and ePHI is required to have a set of policies and procedures in place on how to handle all protected health information. This set of policies and procedures is what we refer to as the Book of Evidence.

Pro Tip #1: One important thing to remember about your Book of Evidence is that it must be customized to your own unique snowflake that is your business or practice. Yes, downloadable online templates are available. And yes, using them is a very bad idea. Your own Book of Evidence must be relevant to your own exact business.

What Should a Book of Evidence Include?

Without spoiling the ending, any thorough Book of Evidence should include:

  • The responsibilities of the covered entity or business associate
  • The use and disclosure of the PHI they have access to
  • The individual rights of patients (if pertinent)
  • How to handle a breach of protected health information

Pro Tip #2: Your Book of Evidence must be present – in the office of the business or practice – and must be provided to the Office for Civil Rights should they ever request to see it. Your Book of Evidence also must reflect the dates of the latest changes to the law. We also recommend storing a copy online or through a local network for disaster recovery and business continuity purposes.

There is a common misconception that a Book of Evidence is one size fits all. Again, it's not! It must be customized to fit your own unique business or practice.

Also, don't forget to store a printed copy on site and a copy at an offsite location or cloud-based location.

A Word About How to Become HIPAA Compliant

Before getting into how to become compliant, it may be best to answer the question, what is HIPAA compliance? HIPAA compliance involves fulfilling the requirements of the Health Insurance Portability and Accountability Act of 1996, its subsequent amendments, and any related legislation such as the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Typically, the next question is, what are the HIPAA compliance requirements? That question is not so easy to answer as some of the requirements of HIPAA are intentionally vague. This is so HIPAA can be applied equally to every different type of covered entity or business associate that comes into contact with PHI.

While it is possible to use a HIPAA compliance checklist to make sure all aspects of HIPAA are covered, it can be a difficult process for organizations unfamiliar with the intricacies of HIPAA Rules to develop a HIPAA compliance checklist and implement all appropriate privacy and security controls.

However, you will certainly need to use a HIPAA compliance checklist to make sure your organization, product, or service incorporates all of the technical, administrative, and physical safeguards of the HIPAA Security Rule. You must also adhere to the requirements of the HIPAA Privacy and Breach Notification Rules.

If you get anything wrong and fail to safeguard ePHI, as a HIPAA business associate, you can be fined directly for HIPAA violations by the HHS' Office for Civil Rights, state attorneys general, and other regulators. Criminal charges may also be applicable for some violations. HIPAA compliance can, therefore, be daunting.

To ensure you cover all elements on your HIPAA compliance checklist and leave no stone unturned, it is worthwhile seeking expert guidance from HIPAA compliance experts. Many firms offer HIPAA compliance software to guide you through your HIPAA compliance checklist, ensure ongoing compliance with HIPAA Rules, and provide you with HIPAA certification.