Find out what documentation requirements you need in order to implement a HIPAA Compliance Plan in your office using our easy-breakdown, specifications table.
Continuing down the HIPAA Compliance path, we will now provide information on the Documentation Requirements to help you see what is required and what is addressable. Before diving into the next table of implementation specifications, let’s recap what the difference is between required and addressable specifications. A required implementation specification is just like you’d guess: required, meaning you absolutely must implement that specification; there is no getting around it. And, an addressable implementation specification is optional in a sense; it comes with other requirements.
For addressable implementation specifications, you have to determine what is feasible for your office and how to implement each specification if you can. Many of the addressable specifications will come down to your budgetary constraints. Others deal with issues pertaining to certain types of knowledge or skillsets, such as Information Technology, that your team may be lacking. In each of these addressable situations, your organization must document how you are addressing the specifications: accepting the risk for now, working to find a different way to meet the standard, etc. The Office for Civil Rights (OCR) will want to see that documentation if you are audited.
Please note, while many of the specifications are labeled addressable, that does not mean that you can just say that you’ve determined not to mess with that requirement. Take automatic logoffs for example, you would need to document a very good reason for why you can’t have this standard in place to show and explain to an auditor if they found that you decided to not implement it. In most situations, this is a very doable standard, so it should be treated as required. Really, all specifications should be treated as required, and then if you really can’t find an affordable or practical way to meet the specification at your organization, and it’s labeled as addressable, then you can outline why it doesn’t work for you.
It’s time for our last table in this series, the Documentation Requirements:
We’ve now reached the end of our required vs. addressable, HIPAA compliance table series. If you missed any along the way, click here to see our prior posts. If you’re ready to start meeting these HIPAA standards, sign up with HIPAAgps today to get started on your risk assessment and HIPAA Compliance Plan! We provide tools to help you and other health care organizations meet the many required and addressable HIPAA standards seen in these tables.