164.316 Policies and procedures and documentation requirements
A covered entity must, in accordance with [164.306]:
- (a) Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in [164.306(b)(2)(i)], (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.
- (b)
- (1) Standard: Documentation.
- (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and
- (ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.
- (2) Implementation specifications:
- (i) Time limit (Required). Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
- (ii) Availability (Required). Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
- (iii) Updates (Required). Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.