Health Apps for SharePoint, Part 2: Introducing the (free) HIPAA Book of Evidence app

29 May 2014 | Dr. Dennis Schmuland, Chief health strategy officer, U.S. Health and Life Sciences, Microsoft

In my last post, I described enterprise-class Health Apps for SharePoint as a simple way for healthcare systems to accelerate and inculcate culture change and business transformation at a scale never before possible. The combination of Health Apps for SharePoint with Microsoft SharePoint 2013 or Office 365 gives health systems the adaptive collaboration platform they need to transform their culture from top to bottom and equip everyone in the company with process improvement tools that adapt to their unique business needs.

But Health Apps for SharePoint aren't just for big enterprises. Large-to-small clinics that are running Office 365 or SharePoint 2013 can also take full advantage of the same collaboration and process improvement capabilities available to larger enterprises. And one of the processes that nearly every clinic could use some improvement in is making sure their clinic staff and systems are fully compliant with HIPAA.  The good news for clinic practices is that there's now a Health App for SharePoint called the HIPAA Book of Evidence that clinics can instantly download to set up a team site that improves and automates the compliance process and ensure that practices are continuously compliant with HIPAA privacy and security regulations.

One of the lesser-known provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act requires the Office for Civil Rights (OCR) under the US Department of Health and Human Services (HHS) to conduct periodic audits to ensure that healthcare organizations and their business associates are complying with HIPAA laws.  The combination of the terms “Audit” and “Office of Civil Rights” in the same sentence is enough to make any care provider to break out in a cold sweat. 

Fortunately, the HIPAA Book of Evidence App for SharePoint can bring peace of mind to care providers that may not be up to date with their HIPAA compliance policies and processes or would have difficulty delivering the documentation of compliance that an OCR audit will require.   Staff meetings, training, risk assessments, risk mitigation, and documenting everything all come at the cost of time for patient care. 

What’s great about the HIPAA Book of Evidence is that it makes it easy for practices to quickly build the comprehensive documentation they need to instantly pass a surprise OCR audit with flying colors at any time.  That’s because the HIPAA Book of Evidence follows the recently published Office for Civil Rights audit protocol that OCR auditors are required to use in conduct a HIPAA audits.  Oh, and there's one other great thing about this App for SharePoint:  Microsoft and Microsoft partner, US Medical IT, have made the HIPAA Book of Evidence app available at no charge to every customer with Office 365 or SharePoint 2013. Yep, it’s yours for the taking.

 HIPPA book of evidence


But free wasn't the main reason that Mike Walsh, MD and Head of Compliance for Excel Anesthesia, decided to download and implement the HIPAA Book of Evidence app from the SharePoint Store. Dallas, Texas-based Excel Anesthesia is a practice of 26 anesthesiologists, none of whom work in the office. They all work in hospital operating rooms and other surgery and outpatient facilities, and are constantly on the move between locations. I had the pleasure of meeting with Dr. Walsh a few weeks ago to find out exactly why he's become such a fan of the HIPAA Book of Evidence and of Office 365 as well.  

Q: Dr. Walsh, what were the big HIPAA compliance challenges that you were able to overcome with the HIPAA Book of Evidence app?

Walsh: As a small practice, our business challenges are the same as they are for every physician, medical practice, and healthcare facility: How do we implement and maintain an effective and active compliance program in a cost-efficient manner that (1) protects our interests and our patients’ interests, (2) meets all pertinent privacy and security regulations, (3) guides the administrative, physical, and technological components of the practice, and (4) is well documented. Every practice struggles with both compliance and documenting compliance. That's true for solo practitioners like myself as well as large medical group practices—and it’s a problem that will never ends because HIPAA compliance is an ongoing process.  But documentation is now especially critical because we know that every practice has to be ready for a surprise audit at any time by the HHS Office for Civil Rights.

Q: What would you say are the top reasons you'd recommend the HIPAA Book of Evidence to your colleagues?

Walsh: In three words, systematic, comprehensive, and free. What I liked about the Book of Evidence when I first test-drove it was that I could see that it was built on some of the most important principles of compliance: it is systematic, it is directly based on specific HIPAA regulations, and it is comprehensive. The real key to compliance is to know what is expected and required and to systematically pursue it and document it along the way. The Book of Evidence is a tool that helps you do just that. It marches you through the vast array of requirements to make sure you don’t miss anything and, equally important, to help you document everything so that you can prove what you need to prove. I'd be surprised if many or maybe even most practices have ever experienced such a thorough and systematic tool for pursuing compliance.

Of course, it also helps that it's free. But I probably would have paid for it if it wasn't because of the high value we've realized from it.

Q: How easy or difficult was it to implement the Book of Evidence?

Walsh: Incredibly enough, the HIPAA Book of Evidence is instantly available at no charge to anyone with SharePoint 2013 or Office 365. It doesn’t get any more cost-efficient than this. Installation was easy. I just logged on to my SharePoint 2013 site, followed the instructions on how to add an app from the SharePoint Store, searched for "Book of Evidence," and clicked "Add." About three minutes later I was entering data into the tool.

I found the interface to be intuitive and easy to use. It guides you through the key questions and activities, prompting you to enter the necessary information. Despite the fact that there are 169 steps to complete in the OCR audit protocol, it walks you through each one and makes it as easy as it can get. These are the actual questions an OCR auditor would likely ask, so it really helps you ensure that your compliance efforts are comprehensive. Furthermore, it’s customizable so it can be adapted to your exact situation, which can help you make sure you’re covered on the "addressable" requirements. Most steps only take a few minutes, and at the end of the process you end up with a report that can be used to help you prioritize activities for a robust action plan.

Q: It's one thing for a practice to get started on HIPAA compliance. Nearly every practice has done that by now. But it's completely another thing to maintain the process discipline to stay in compliance and keep up with constant changes in the regulations. How does the HIPAA Book of Evidence help you maintain compliance and stay current?

Walsh: Compliance is a process, not an endpoint. It never ends. The highly complex HIPAA regulations will constantly be changing, technology changes even faster, and the practice environment will continually throw a myriad of obstacles in the way. We could devote a whole separate session to the innumerable challenges that healthcare compliance poses. The nice thing about the HIPAA Book of Evidence is that US Medical IT can easily push out an update when the law changes or when the company improves the app. And because we’re instantly notified when an upgrade is available, we can immediately upgrade our HIPAA Book of Evidence to comply with those changes. That gives us the peace of mind that we won't miss important changes in the law that could blindside us while we're all preoccupied with patient care.

Q: Do you have any additional advice for your colleagues about how to get, maintain, and document being compliant with HIPAA?   

Walsh: I'd encourage every physician to pursue making their practices compliant with HIPAA and the best way to do this is to implement an active compliance program in their practices. To do this, they need to find a tool that suits them and, ideally, is customizable to their unique situation and budget.

It's also important to emphasize that tools are only tools and they require competent “hands” using them for optimal results. What we did—and what I would recommend to anyone—is combine an ideal tool like the HIPAA Book of Evidence with appropriate guidance from a qualified compliance professional. But as for the tool itself, I think the Book of Evidence breaks new ground in that it's the best compliance-enabling platform I’ve seen and will help many practices avoid reinventing the same, costly wheel.

Have a comment or opinion on this post or a question for the author? Send us an email or let us know on Facebook or via Twitter.

Dr. Dennis Schmuland
Chief health strategy officer, U.S. Health and Life Sciences, Microsoft