
INITIAL PUBLIC DRAFT IMPLEMENTING THE HIPAA SECURITY RULE: A CYBERSECURITY RESOURCE GUIDE
5.5.2 Documentation (§ 164.316(b))
HIPAA Standard: (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.
Key Activities, Description, and Sample Questions

1. Draft, Maintain, and Update Required Documentation

Description:
• Document decisions concerning the management, operational, and technical controls selected to mitigate identified risks.
• Written documentation may be incorporated into existing manuals, policies, and other documents or be created specifically for the purpose of demonstrating compliance with the HIPAA Security Rule.
• Consider the importance of documenting the processes and procedures for demonstrating the adequate implementation of recognized security practices.
• Use feedback from risk assessments and contingency plan tests to help determine when to update documentation.

Sample Questions:
• Are all required policies and procedures documented?
• Should HIPAA Security Rule documentation be maintained by the individual responsible for HIPAA Security Rule implementation?
• Should HIPAA Security Rule documentation be updated in response to periodic evaluations, following security incidents, and/or after acquisitions of new technology or new procedures?
• Have dates of creation and validity periods been included in all documentation?
• Has appropriate management reviewed and approved all documentation?

2. Retain Documentation for at Least Six Years
Implementation Specification (Required)

Description:
• Retain documentation required by paragraph (b)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later.

Sample Questions:
• Have documentation retention requirements under HIPAA been aligned with the organization’s other data retention policies?

3. Ensure that Documentation is Available to Those Responsible for Implementation
Implementation Specification (Required)

Description:
• Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.

Sample Questions:
• Is the location of the documentation known to all staff who need to access it?
• Is availability of the documentation made known as part of education, training, and awareness activities?141

4. Update Documentation as Required
Implementation Specification (Required)

Description:
• Review documentation periodically and update as needed in response to environmental or operational changes that affect the security of the ePHI.

Sample Questions:
• Is there a version control procedure that allows for the verification of the timeliness of policies and procedures, if reasonable and appropriate?
• Is there a process for soliciting input into updates of policies and procedures from staff, if reasonable and appropriate?
• Are policies and procedures updated in response to environmental or operational changes that affect the security of ePHI?
• When were the policies and procedures last updated or reviewed?

141 See Section 5.1.5, HIPAA Standard: Security Awareness and Training.