What are the HIPAA Security Rule's "Policies and Procedures and Documentation Requirements"?

Modified on Mon, 11 Dec, 2023 at 1:58 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.


The Security Rule requires covered entities and business associates to implement reasonable and appropriate policies and procedures. These policies and procedures must comply with the standards, implementation specifications, or other requirements of the Security Rule. 

What Factors Must be Considered When Drafting Policies and Procedures?
To meet the “reasonable and appropriate” requirement, the covered entity or business associate must take into account the following four factors when drafting the policies and procedures:

(i) The size, complexity, and capabilities of the covered entity or business associate. 

(ii) The covered entity's or the business associate's technical infrastructure, hardware, and software security capabilities. 

(iii) The costs of security measures. 

(iv) The probability and criticality of potential risks to electronic protected health information.

Covered entities and business associates may change their policies and procedures at any time, provided that the changes are documented in accordance with Security Rule documentation requirements. Any changes to policies and procedures must be implemented in accordance with the Security Rule.

Covered entities and business associates must maintain the policies and procedures that they implement to comply with the Security Rule in written form. This “written form” may be electronic.


What are the HIPAA Security Rule Documentation Requirements?
Under the Security Rule, if an action, activity, or assessment is required to be documented, covered entities and business associates must maintain a written (which may be electronic) record of the action, activity, or assessment.

The required documentation must be retained for 6 years from the date of its creation or the date when it last was in effect, whichever is later. For more information about what must be documented and how long it must be retained, please view this knowledge base article that outlines the requirements:
https://compliancygroup.freshdesk.com/support/solutions/articles/48001246280-what-are-medical-record-and-other-record-retention-requirements-under-hipaa-


What are the Security Rule Documentation Availability and Update Requirements?
The Security Rule requires covered entities and business associates to make documentation available to those individuals who are responsible for implementing the procedures to which the documentation pertains. 


The Security Rule also requires covered entities to periodically review their documentation (and update it as needed) in response to environmental or operational changes affecting the security of the ePHI.


