Episode 39: Know The Rules! Documentation – If It’s Not Documented It Didn’t Happen!

Documentation, Do You Have It!

Today, I am discussing the HIPAA Security Rule’s Documentation standard, §164.316(b)(1), as mentioned in “6 Step Approach to Implementing Your Security Management Process.”

The Documentation standard requires Covered Entities (CEs) and Business Associates (BAs) to:

“(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.”

The standard has three implementation specifications:

  1. Time Limit (Required)
  2. Availability (Required)
  3. Updates (Required)

1. Time Limit – § 164.316(b)(2)(i)

The Time Limit implementation specification requires CEs and BAs to:

“Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.”

This six-year period must be considered the minimum retention period for required documentation under the Security Rule.

Note: Some organizations may choose to keep their documentation longer based on state law, requirements of accreditation organizations, or other business reasons.

2. Availability – § 164.316(b)(2)(ii)

The Availability implementation specification requires CEs and BAs to:

“Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.”

Organizations often make documentation available in printed manuals and/or on their websites.

3. Updates – § 164.316(b)(2)(iii)

The Updates implementation specification requires CEs and BAs to:

“Review documentation periodically, and update as needed, in response to environmental and/or operational changes affecting the security of the electronic protected health information (ePHI).”

The need for periodic reviews and updates will vary based on the CE’s or BA’s documentation review frequency and/or the volume of environmental or operational changes that affect the security of ePHI.

To help you keep track of all the documents you will generate, I recommend creating a security documentation folder. It should include, but not be limited to, your HIPAA Security Risk Analysis and the related policies, procedures, reports, and activities; these are key requirements under the HIPAA Security Rule.

Your documentation should include how you conducted the security risk analysis and implemented safeguards to address the risks identified during your risk analysis.

Examples of Records to Retain:

Security documentation should include, but not be limited to, the following:

• Your policies and procedures
• Completed security checklists
• Training materials presented to staff and volunteers; any associated certificates of completion
• Updated BA agreements
• Security risk analysis reports
• Electronic Health Record (EHR) audit logs that show both utilization of security features and efforts to monitor users’ actions
• Risk management action plans or other documentation (that shows appropriate safeguards are in place throughout your organization), implementation timetables, and implementation notes
• Any security incidents and breach information

Over time, your security documentation folder is one of the tools in your toolbox to help you become more efficient. These records are essential if you are audited for compliance with the HIPAA Rules.

YOUR security risk analysis process is an opportunity for you to learn as much as possible about health information security. Do not ignore YOUR need to be HIPAA compliant! ANY device or media that contains ePHI needs to be properly protected – HIPAA is not system or hardware specific – it applies to all!

A CE must periodically review and update its documentation in response to environmental and/or organizational changes that affect the security of ePHI.

Covered Entities and Business Associates need to understand that your patients are entrusting YOU with their most private and intimate details, and they expect them to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy!

Why are you leaving yourself wide open to such risks?
8 thoughts on “Episode 39: Know The Rules! Documentation – If It’s Not Documented It Didn’t Happen!”

  1. Kimberly Shutters

    Kristine Tomzik

    Excellent information.