policies and procedures (HIPAA)
entities must implement "reasonable and appropriate policies and procedures to comply with the standards, implementation specifications and other requirements" of the Security Rule. Policies and procedures will implement -- directly or by alternative means -- the administrative, safeguard components of the Rule.

What level of detail is required in these policies and procedures? Following its principle of "scalability," the Rule requires only that they be "reasonably designed, taking into account the size and type of activities of the covered entity that relate to electronic protected health information." (Final Rule, p.165)

may change their security policies at "any time, provided the changes are documented and are implemented in accordance with the [Security Rule]." Such documentation, like the policies and procedures they document, must be reviewed and updated periodically. How often is that? As frequently as would be "reasonable and appropriate,"