By Iseman Cunningham Riester & Hyde LLP
Like the Privacy Rule, the Security Rule requires covered entities to maintain documentation of the policies and procedures implementing the requirements of the rule. Documentation may be maintained in written or electronic form and must be retained for six years from the date of creation or the date it was last in effect, whichever is later. Covered entities must also maintain a written record of all actions, activities or assessments specifically required by the Security Rule to be documented.
Unlike the Privacy Rule, which requires entities to review their policies and procedures whenever there is a change in law, the Security Rule places an affirmative obligation on entities to review documentation periodically and to update it as needed in response to environmental or operational changes. Thus, an office relocation, system upgrade, or departmental reorganization may trigger a re-analysis of compliance with the security standards, even though the standards themselves may not have changed.
Policies and procedures must be readily available to those responsible for implementing them. Covered entities should take advantage of the rule’s flexibility and consider a paperless manual system for easy distribution and updating. Paperless manuals can be accessed over the internet, an intranet, or CD-ROM. Note, however, that business associate agreements can (and often do) impose a requirement to maintain written documentation in hard-copy format. These contractual obligations are not overridden by the HIPAA regulations.
HIPAA Security Tips are written by the attorneys of Iseman, Cunningham, Riester & Hyde, LLP. ICR&H is known for legal work on complex legal problems and transactions for businesses and individuals in the healthcare, construction, and financial industries, among other areas.
(c) 2004 Iseman Cunningham Riester & Hyde LLP. License is granted for all attributed reproduction.