From HIPAA Safe Issue 13
Veteran HIPAA lawyer Carlos Leyva coined the term “visible, demonstrable evidence” (VDE) years ago to describe how a Covered Entity (CE) or Business Associate (BA) demonstrates HIPAA Rules compliance.
But what does VDE mean, and how should a CE or BA organize its HIPAA Security (and Privacy and Breach Notification) program to avoid a Corrective Action Plan or Civil Monetary Penalty?
1. Ensure Privacy and Security Officers clearly understand every HIPAA Rules citation. Send each to reputable training.
2. Create a reasonable and appropriate policy and procedure (PnP) for each standard and implementation specification.
3. Document training and practices. Keep program artifacts as evidence that PnP are being followed consistently.
4. Perform routine (at least monthly) audits of one Privacy (or Breach Notification) and one Security Rule citation to demonstrate compliance. The 2016 OCR Audit Protocol lists exactly what the OCR should ask during an audit or compliance review.
VDE is an accurate and memorable phrase for describing whether a CE or BA is knowledgeable about, and compliant with, the HIPAA Rules at the granular level.