164.316 Policies and procedures and documentation requirements

A covered entity must, in accordance with [164.306]:

- 164.316(a)
  (a) Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in [164.306(b)(2)(i)], (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.
- 164.316(b)
  (b)
  - 164.316(b)(1)
    (1) Standard: Documentation.
    - 164.316(b)(1)(i)
      (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and
    - 164.316(b)(1)(ii)
      (ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.
  - 164.316(b)(2)
    (2) Implementation specifications:
    - 164.316(b)(2)(i)
      (i) Time limit (Required). Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
    - 164.316(b)(2)(ii)
      (ii) Availability (Required). Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
    - 164.316(b)(2)(iii)
      (iii) Updates (Required). Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.