NIST SP 800-66r2 ipd INITIAL PUBLIC DRAFT
IMPLEMENTING THE HIPAA SECURITY RULE: A CYBERSECURITY RESOURCE GUIDE
5.5.2 Documentation (§ 164.316(b))

HIPAA Standard: (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.

Table columns: Key Activities | Description | Sample Questions

1. Draft, Maintain, and Update Required Documentation

Description:
• Document decisions concerning the management, operational, and technical controls selected to mitigate identified risks.
• Written documentation may be incorporated into existing manuals, policies, and other documents or be created specifically for the purpose of demonstrating compliance with the HIPAA Security Rule.
• Consider the importance of documenting the processes and procedures for demonstrating the adequate implementation of recognized security practices.
• Use feedback from risk assessments and contingency plan tests to help determine when to update documentation.

Sample Questions:
• Are all required policies and procedures documented?
• Should HIPAA Security Rule documentation be maintained by the individual responsible for HIPAA Security Rule implementation?
• Should HIPAA Security Rule documentation be updated in response to periodic evaluations, following security incidents, and/or after acquisitions of new technology or new procedures?
• Have dates of creation and validity periods been included in all documentation?
• Has appropriate management reviewed and approved all documentation?

2. Retain Documentation for at Least Six Years
Implementation Specification (Required)

Description:
• Retain documentation required by paragraph (b)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later.

Sample Questions:
• Have documentation retention requirements under HIPAA been aligned with the organization's other data retention policies?

3. Ensure that Documentation is Available to Those Responsible for Implementation
Implementation Specification (Required)

Description:
• Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.

Sample Questions:
• Is the location of the documentation known to all staff who need to access it?
• Is availability of the documentation made known as part of education, training, and awareness activities? [141]

4. Update Documentation as Required
Implementation Specification (Required)

Description:
• Review documentation periodically and update as needed in response to environmental or operational changes that affect the security of the ePHI.

Sample Questions:
• Is there a version control procedure that allows for the verification of the timeliness of policies and procedures, if reasonable and appropriate?
• Is there a process for soliciting input into updates of policies and procedures from staff, if reasonable and appropriate?
• Are policies and procedures updated in response to environmental or operational changes that affect the security of ePHI?

[141] See Section 5.1.5, HIPAA Standard: Security Awareness and Training.