Technology, HIPAA and You Part 2: NIST Tool

This is the second part of my series on HIPAA compliance tools, apps and hardware. This week I focus on the NIST HIPAA Toolkit.


Creators: The National Institute of Standards and Technology is a part of the US Department of Commerce. NIST’s stated mission is to “promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.” In other words, this is government-funded research aimed at producing usable products, papers, and technology for anyone to use. NIST also co-hosted a conference in 2014 with OCR to discuss HIPAA Security Rule issues.

Look and Feel: This tool is as utilitarian as you would expect from something that was funded by the US Government. It does not have splashy graphics, complex reporting or some of the features you might see in traditional for-profit applications. That said, what this program lacks in pretty, it makes up for in pure unadulterated HIPAA horsepower. Once you have created a survey, the dashboard serves as a step-by-step walkthrough survey of the HIPAA statute, beginning with 45 CFR 164.308 and running through 45 CFR 164.316. The program works on Mac, Linux and Microsoft platforms.

Under the Hood: All told, there are 809 survey questions in the enterprise version and 492 in the standard version; the primary difference is how in depth you want to get. I used the enterprise version for an umbrella company and the standard edition for the subsidiaries/sister companies. Each question is geared towards asking, at least in theory, exactly what a HIPAA OCR auditor would ask your company in the unfortunate event you are being audited. For example:

“Has your organization defined the frequency of your Risk Assessment policy and procedures reviews and updates?”

[Screenshot: NIST ScreenCap]

As you can see, this question is paired with a very basic response of Yes, No, or Not Applicable. In addition, you can flag the question for importance on a color/number scale and make comments. Another very impressive feature of this tool is the ability to upload the documents/policies that support your answer to the question. The feel of the survey is that an auditor would use something very similar to run a company through the wringer.

Use: As you work your way through the survey, you will, almost inevitably, find glaring holes in your documentation. That is ok: if you note the misses and keep going, you can run a report that allows you to draw out questions based upon level of completeness or flag level. Ultimately, you can run a report that would, in theory, demonstrate full documentary HIPAA compliance at the click of a button for the Administrative, Technical and Physical Safeguards.

A couple of other neat features are worth pointing out. The survey itself is saved in a .xml format that can be accessed across networks. This means different offices, such as the privacy office and the security office, could work on the same survey in different locations by importing the .xml file back and forth. The .xml format also means that the technically minded could manipulate and work with that file.
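As an added illustration (not code from the NIST tool or from this post), here is a Python script that reads a survey export and draws out questions by completeness and flag level, as the report feature described above does. The XML layout, element and attribute names, and all sample answers are assumptions, since the toolkit's actual schema is not given here; only the first question text follows the example quoted earlier.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in an ASSUMED schema: element and attribute names are hypothetical,
# not the toolkit's documented export format. Answers and comments are made up.
SURVEY_XML = """<survey edition="standard">
  <question id="1" safeguard="Administrative" cfr="164.308(a)(1)" flag="3">
    <answer>Yes</answer><comment>Policy SEC-04, section 2</comment>
  </question>
  <question id="2" safeguard="Physical" cfr="164.310(a)(1)" flag="5">
    <answer></answer>
  </question>
  <question id="3" safeguard="Technical" cfr="164.312(a)(1)" flag="4">
    <answer>No</answer><comment>Shared admin account on legacy server</comment>
  </question>
  <question id="4" safeguard="Technical" cfr="164.312(e)(1)" flag="1">
    <answer>N/A</answer>
  </question>
</survey>"""

def load_questions(xml_text):
    """Parse the survey export into a list of dicts, one per question."""
    rows = []
    for q in ET.fromstring(xml_text).findall("question"):
        rows.append({
            "id": q.get("id"),
            "safeguard": q.get("safeguard"),
            "cfr": q.get("cfr"),
            "flag": int(q.get("flag", "0")),
            "answer": (q.findtext("answer") or "").strip(),
            "comment": (q.findtext("comment") or "").strip(),
        })
    return rows

def completeness(rows):
    """Fraction of questions carrying a valid Yes / No / N/A response."""
    return sum(r["answer"] in ("Yes", "No", "N/A") for r in rows) / len(rows) if rows else 0.0

def gap_report(rows, min_flag=0):
    """Questions left blank or answered 'No' at or above min_flag, grouped by safeguard."""
    report = defaultdict(list)
    for r in rows:
        if r["answer"] in ("", "No") and r["flag"] >= min_flag:
            report[r["safeguard"]].append(r)
    return dict(report)

if __name__ == "__main__":
    rows = load_questions(SURVEY_XML)
    print(f"Completeness: {completeness(rows):.0%}")
    for safeguard, items in gap_report(rows, min_flag=3).items():
        print(safeguard, [(r["cfr"], r["flag"], r["answer"] or "UNANSWERED") for r in items])
```

Because a "No" and a blank answer are both gaps, the report lists them together; an N/A counts as answered and is left out.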

The primary drawback to this tool revolves around the document attachment feature. Once a document is attached, it must be deleted and re-attached anytime changes are made. This makes using this program as a living document very problematic. The company I am with chose to keep the documents outside of the tool, but reference which policy answered the question(s).

Another negative is that this tool does not address the Privacy Rule aspects of HIPAA. It is solely concerned with the Administrative, Technical and Physical Safeguards. This tool can appear very daunting and complex. That said, a methodical approach to this tool will yield good work product.

Final Thoughts: In November of 2011, NIST quietly released this tool to aid organizations in working towards HIPAA compliance. Surprisingly, I routinely meet practitioners who have never heard of this tool. Even taking into account its age (four years old) and missing pieces, it is a surprisingly robust tool that will get almost any entity organized and on the path to compliance. Add to that the versatility of being able to generate a “HIPAA Compliance Report”, and being able to hand this to the auditor as a first step would certainly frame the discussion in a positive way.

Now, the website clearly states the tool is for informational purposes only and does not provide the user with HIPAA compliance. However, if I had a choice between a paid third-party app and an app from the agency that co-hosted the HIPAA Security Conference with the auditing entity, I would probably pick the NIST tool. As part of a broad-based HIPAA compliance strategy, the NIST tool can be very helpful in tackling the Administrative, Technical and Physical Safeguards requirements.

/s/ HH @legalevity
