security documentation (HIPAA)
Covered entities must maintain documentation of their policies and procedures related to compliance with the provisions of the Security Rule. In addition, the covered entity must maintain a "written (which may be electronic) record" of any "action, activity or assessment" that is required by the standards and implementation specifications of the Rule. That would include risk analyses and risk management reports conducted as part of the security management process, all business associate contracts, designations of security officers, and so on.
Documentation must be "detailed enough to communicate the security measures taken and to facilitate [the] periodic evaluations" required by the security evaluation standard of the administrative safeguards. (Final Rule, p.167)
The documentation must be retained for six years from the date of its creation or the date it was last in effect, whichever is greater. It must be made "available to the persons responsible for implementing the procedures to which the documentation pertains." (That is, it must be appropriately disseminated to the covered entity's workforce, and, as necessary, to business associates.)
Covered entities are responsible for keeping the documentation current by reviewing it "periodically," and updating it as needed, "in response to environmental or operational changes affecting the security of the electronic protected health information." In keeping with the principle of scalability, there is no fixed standard for this: "the need for review and update will vary dependent on a given entity's size, configuration, environment, operational changes, and the security measures implemented." (Final Rule, p.168)
The requirements are consistent with, and similar in spirit to, the Privacy Rule's documentation requirements.