Visible, Demonstrable Evidence 101

From HIPAA Safe Issue 13

Veteran HIPAA lawyer Carlos Leyva coined the term “visible, demonstrable evidence” (VDE) years ago to describe how a Covered Entity (CE) or Business Associate (BA) demonstrates HIPAA Rules compliance.

But what does VDE mean and how should a CE or BA organize their HIPAA Security (and Privacy and Breach Notification) program to avoid a Corrective Action Plan or Civil Monetary Penalty?

  • Ensure Privacy and Security Officers clearly understand every HIPAA Rules citation. Send each officer to reputable training.

  • Create a reasonable and appropriate policy and procedure (PnP) for each standard and implementation specification

  • Document training and practices. Keep program artifacts as evidence that PnP are being followed consistently

  • Perform routine (at least monthly) audits of one Privacy (or Breach Notification) and one Security Rule citation to demonstrate compliance. The 2016 OCR Audit Protocol lists exactly what the OCR should ask during an audit or compliance review.

VDE is an accurate and likable phrase to help describe whether a CE or BA is knowledgeable and compliant at the granular level with the HIPAA Rules.

Copyright © 2013 - 2020 Proteus Consulting, LLC