HIPAA Compliant work requires detailed tickets and checklists

Your Chief Information Officer (CIO) calls you in to say that the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is investigating a hard drive you replaced six months ago: it was discarded with 50,000 unencrypted patient records. The fine could exceed $1 million. You freeze, and then remember the upgrade and that you followed HIPAA compliant media sanitizing guidance from the National Institute of Standards and Technology (NIST). You tell your CIO, who simply says, “Can you prove it?”

Having managed technology businesses or departments for over 30 years, I know that I never hired a technician or engineer for his spelling ability or his desire to document his work. While spelling isn’t critical, not documenting work can be fatal to a HIPAA audit or data breach investigation—even if you followed IT best practices and HIPAA compliant guidance from NIST. Techs and engineers need to understand that their work is regulated. They need to understand that proper documentation is as important in the IT department as what doctors put in the patient’s chart. Managers need to insist that documentation is saved to prove that HIPAA compliant protocols were followed, and to protect the organization from millions of dollars in fines (not to mention their own careers).

HIPAA Compliant work must be proven

How could doing the right thing result in millions of dollars in fines? Easy. Most data breaches that are reported to the authorities take time before the investigation begins and you receive a notice. Even if you did the right thing, do you have documentation from months or years earlier to PROVE that your work was HIPAA compliant? Do you have detailed notes from the day the work was done? Do you have reports from systems you used? Do you have signed checklists that showed you followed protocols? Or do you think that your work is done when the task is complete, even if you don’t take time for detailed documentation?

I recently attended a large IT security conference and was shown tools to erase data from hard drives. I asked one of the vendors what reporting was available that would enable me to prove to an auditor—months later—that we had erased the drive using a HIPAA compliant method. “I suppose you could capture this screen and paste it into an e-mail if you wanted to,” was her answer. I think the vendors could be more helpful by creating automatic reports that include the date, time, erasure methodology, etc. in a clear report that could be attached to your work ticket to prove you were HIPAA compliant.

Hospitals that require doctors to follow simple checklists have reduced or eliminated Healthcare-Acquired Infections. These checklists are simple reminders to highly skilled professionals, who are no longer insulted when someone asks if they have washed their hands or changed their gloves. If doctors can put their egos aside, and take an extra few minutes of their precious time to follow a simple checklist, why shouldn’t a technician be expected to do the same thing to help the organization avoid a large fine for not being HIPAA compliant?

Checklists for common activities should be created in advance and used for EVERY task—equipment deployments, repairs, upgrades, replacements, retirements, etc. Consideration should be given to the protection of data and the specific requirements of the HIPAA Security Rule.

Where an activity takes place should also be noted. Erasing electronic Protected Health Information (ePHI) from a hard drive is best done before the drive is moved. That way, if the drive is lost in transit, you won’t have a reportable data breach. You need a report from the erasure software that shows that the drive was erased at a specific time, using an approved method. I suggest going further—print out the report, note the location where the erasure took place, sign it, date it, and have a witness also sign and date it. Then scan the signed copy and e-mail it to your ticketing system for easy access if needed at a later date.

When deploying a large group of systems, it is easy to create checklists for each device (including model and serial number) with simple check-offs and room for notes and signatures. This can help ensure consistent quality and these can be scanned into the work ticket as evidence that each itemized HIPAA compliant task was done. Whether you work for an internal IT department or an outsourced IT provider, this evidence may prove useful long after your work has been completed.
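The erasure-evidence record described above (tool report, time, approved method, location, operator and witness) and the per-device checklist (model and serial number) can be captured in one tamper-evident record that goes into the ticket. This is an added example, not code from the original post or from any erasure vendor; the tool name, method label, serial number and e-mail addresses are constructed sample values.

```python
# Added example (not from the original post): a tamper-evident erasure
# record with the fields the article asks for. All sample values constructed.
import hashlib
import json

REQUIRED_FIELDS = ("device_model", "device_serial", "erasure_method", "erasure_tool",
                   "erased_at_utc", "location", "operator", "witness")

def _canonical_digest(body: dict) -> str:
    """SHA-256 over canonical JSON so key order cannot change the digest."""
    return hashlib.sha256(json.dumps(body, sort_keys=True,
                                     separators=(",", ":")).encode()).hexdigest()

def build_sanitization_record(fields: dict, tool_report: bytes) -> dict:
    """Bind the ticket fields and the captured erasure-tool report into one record.

    Only the report's hash is embedded; the raw report is attached to the ticket
    separately. A record with gaps is rejected outright: a half-filled checklist
    is no evidence months later.
    """
    missing = [f for f in REQUIRED_FIELDS if not fields.get(f)]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    record = dict(fields)
    record["tool_report_sha256"] = hashlib.sha256(tool_report).hexdigest()
    record["record_sha256"] = _canonical_digest(record)
    return record

def verify_record(record: dict, tool_report=None) -> bool:
    """True if the record, and the tool report when supplied, are unaltered."""
    body = {k: v for k, v in record.items() if k != "record_sha256"}
    if _canonical_digest(body) != record.get("record_sha256"):
        return False
    if tool_report is None:
        return True
    return hashlib.sha256(tool_report).hexdigest() == body.get("tool_report_sha256")

# Constructed sample input: captured tool output plus the ticket's fields.
SAMPLE_REPORT = b"Drive SN-EXAMPLE-001: 3-pass overwrite complete, verify OK\n"
SAMPLE_FIELDS = {
    "device_model": "Example Disk 2TB", "device_serial": "SN-EXAMPLE-001",
    "erasure_method": "overwrite, 3 passes, verified",  # constructed label
    "erasure_tool": "example-wiper 1.0", "erased_at_utc": "2024-01-15T14:30:00Z",
    "location": "Server room B, rack 4", "operator": "tech@example.org",
    "witness": "manager@example.org",
}

if __name__ == "__main__":
    rec = build_sanitization_record(SAMPLE_FIELDS, SAMPLE_REPORT)
    print(json.dumps(rec, indent=2))
    print("verified:", verify_record(rec, SAMPLE_REPORT))
```

Store the JSON record and the raw tool report in the ticket together with the scanned, signed printout; anyone checking the ticket later can re-run `verify_record` to confirm neither has been altered since the day of the work.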

Being HIPAA compliant and proving it are two different things. Proving it is what you are being paid for. It is better to understand that now than when your boss asks you to prove you did the right thing to help your organization avoid a million dollar fine, and you can’t.

"originally written for 4MedApproved"