What are the HIPAA Security Rule Documentation Requirements?

Modified on Thu, 17 Jul at 4:11 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Introduction

This article discusses HIPAA Security Rule documentation requirements - what documents must be maintained, the availability requirement, and the updates requirement. 

What Does the Security Rule Require HIPAA-Covered Entities to Maintain Documentation of?

The HIPAA Security Rule requires covered entities and business associates to maintain Security Rule policies and procedures in written form (which may be electronic). Changes to policies and procedures must be documented and implemented in accordance with the Security Rule.

The Rule also requires that if an action, activity, or assessment is required by the Security Rule to be documented, covered entities and business associates must maintain a written record of that action, activity, or assessment. This record may be electronic.

Examples of actions, activities, or assessments include (but are not limited to):

Security incidents and their outcomes
Results of risk analyses
Business associate agreements
Contingency plans
Workforce sanctions


For How Long Must a Covered Entity or Business Associate Maintain Documentation?

The Security Rule requires that organizations retain the documentation mentioned above for 6 years from the date of its creation or the date when it was last in effect, whichever is later. As HHS guidance notes (p. 7), the 6-year period is considered the minimum retention period for required documentation under the Security Rule. Some organizations may choose to keep their documentation longer based on state law, requirements of accreditation organizations, or other business reasons.


What is the Security Rule Documentation Availability Requirement?

In addition to maintaining documentation, covered entities and business associates must "make documentation available to those persons responsible for implementing the procedures to which the documentation pertains." This means that if someone is responsible for implementing the procedures that are the subject of a document, or covered by the document, an organization must make the document available to that person. One common way of making documentation available is through a company intranet.

What is the Security Rule "Updates" Requirement?

The Security Rule documentation requirement also requires organizations to "review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information."

As the HHS guidance notes (p. 8), the need for review and update of documentation varies, based on a covered entity's documentation review frequency and/or the operational changes that affect the security of ePHI. Covered entities and business associates must manage their documentation so that it "reflects the current status of their security plans and procedures implemented to comply with the Security Rule."
