Documentation That’s What It’s All About

Today I am breaking down the Documentation standard, 45 CFR § 164.316(b)(1), from the HIPAA Security Rule into bite-size portions to help you understand why it is significant to your organization.

Before I break down today’s topic, I should first set the stage. When it comes to auditors, lawyers and the Department of Health and Human Services (HHS), it is all about your documentation. It is the first thing they will ask for when they visit, and if you do not have it, it will be as if the work was never done.

That is why documentation of your risk analysis and of your HIPAA-related policies, procedures, reports and activities is a requirement under the HIPAA Security Rule.

Documentation records how and why decisions were made and actions were taken. Some of those actions may include:

  • Performing your security risk analysis
  • Implementing safeguards to mitigate the risks you identified
  • Providing workforce training
  • Issuing periodic security reminders

Over time, your security documentation folder will become a tool that helps your security procedures be more efficient. These records will be essential if you are ever audited for compliance with the HIPAA Rules or an EHR Incentive Program.

Breaking Down the Documentation Standard

The Documentation standard requires regulated entities to:

“(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.”

The standard has three implementation specifications, all of them required:

  1. Time Limit (Required)
  2. Availability (Required)
  3. Updates (Required)

Time Limit

The Time Limit implementation specification, 45 CFR § 164.316(b)(2)(i), requires covered entities (CEs) and business associates (BAs) to:

“Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.”

This six-year period is the minimum retention period for required documentation under the Security Rule. Note the two possible start dates: for a policy that stays in force for years, the clock does not start at creation but on the day it is retired or superseded.

Note: Some organizations may choose to keep their documentation longer based on state law, requirements of accreditation organizations, or other business reasons.
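The "whichever is later" wording is easy to get wrong when a master file holds both point-in-time reports and long-lived policies, so here is an added example (my own illustration, not part of the original article) that computes the earliest disposal date for each record. The inventory, document names and dates are constructed for the example; a document with no "last in effect" date is treated as still current and therefore never eligible for disposal.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# 45 CFR 164.316(b)(2)(i): keep required documentation for 6 years from the later
# of its creation date and the date it was last in effect.
RETENTION_YEARS = 6


def add_years(d: date, years: int) -> date:
    """Shift d by a number of years.

    A Feb 29 start lands on Feb 28 when the target year is not a leap year,
    which is the conservative choice (never shortens the retention window).
    """
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)
class Document:
    name: str
    created: date
    # None = still in effect (a current policy has no end date yet)
    last_in_effect: Optional[date] = None


def retention_end(doc: Document) -> Optional[date]:
    """Earliest date on which the record may be disposed of.

    Returns None while the document is still in effect: the six-year clock
    cannot start until the later of the two dates in the rule is known.
    """
    if doc.last_in_effect is None:
        return None
    return add_years(max(doc.created, doc.last_in_effect), RETENTION_YEARS)


def may_dispose(doc: Document, today: date) -> bool:
    """True only once the minimum retention period has fully elapsed."""
    end = retention_end(doc)
    return end is not None and today >= end


# Constructed sample master-file inventory; names and dates are hypothetical.
INVENTORY = [
    # Superseded policy: created 2015, replaced 2019-06-30, so the clock starts 2019-06-30.
    Document("Access control policy v1", date(2015, 3, 1), date(2019, 6, 30)),
    # Current policy: still in effect, so it cannot be scheduled for disposal yet.
    Document("Access control policy v2", date(2019, 6, 30)),
    # Risk analysis report: in effect until the next analysis replaced it on 2019-11-20.
    Document("2018 security risk analysis", date(2018, 11, 15), date(2019, 11, 20)),
]


def disposal_report(today: date) -> dict:
    """Map each document name to whether it may be disposed of as of `today`."""
    return {doc.name: may_dispose(doc, today) for doc in INVENTORY}


if __name__ == "__main__":
    for doc in INVENTORY:
        end = retention_end(doc)
        print(f"{doc.name}: retain until {end.isoformat() if end else 'still in effect'}")
```

Run it against your real inventory only after confirming that no state law, accreditation requirement or litigation hold imposes a longer period; the function gives the federal floor, not a disposal authorization.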

Availability

The Availability implementation specification, 45 CFR § 164.316(b)(2)(ii), requires regulated entities to:

“Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.”

Organizations often make documentation available in printed manuals and/or on an internal website or intranet. The requirement is that the people who must follow a procedure can actually reach its documentation; it does not mean publishing your security procedures where outsiders can read them.

Updates

The Updates implementation specification, 45 CFR § 164.316(b)(2)(iii), requires regulated entities to:

“Review documentation periodically, and update as needed, in response to environmental and/or operational changes affecting the security of the electronic protected health information (ePHI).”

How often documentation needs review and updating depends on the volume of environmental or operational changes that affect the security of ePHI. A practical approach is to set a fixed review interval and also trigger an out-of-cycle review whenever a significant change occurs, such as a new system, a new vendor, or a security incident.

Creating a HIPAA Documentation Master File

To help you organize all the documents you will generate, I recommend creating a HIPAA Documentation Master File. At a minimum it should include:

  • HIPAA Security Risk Analysis
  • Policies and Procedures
  • Reports and records of activities relating to ePHI

Your documentation should include how you conducted the security risk analysis and implemented safeguards to address the risks identified during your risk analysis.

Examples of What to Keep

Your HIPAA Documentation Master File should include, but is not limited to, the following:

• Your policies and procedures
• Completed security checklists
• Training materials presented to staff and volunteers; any associated certificates of completion
• Updated BA agreements
• Security risk analysis reports
• Electronic Health Record (EHR) audit logs that show both utilization of security features and efforts to monitor users’ actions
• Risk management action plans or other documentation (that shows appropriate safeguards are in place throughout your organization), implementation timetables, and implementation notes
• Records of any security incidents and breaches

Your security risk analysis process is an opportunity to learn as much as possible about health information security. Do not ignore your need to be HIPAA compliant: any device or media that contains ePHI must be properly protected. HIPAA is not system- or hardware-specific; it applies to all of them.

Regulated entities must periodically review and update their documentation in response to environmental and/or operational changes that affect the security of ePHI.

Healthcare organizations and third-party vendors should remember that patients are entrusting them with their most private and intimate details, and they expect those details to remain secure.
