A covered entity must, in accordance with § 164.306:

(a) Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.

Tell Me More:

The Security Rule lists general administrative requirements that are applicable to all policies and procedures required throughout the regulation.

The rule requires that the policies and procedures required throughout the regulation be maintained in writing, and that any other communication, action, activity, or designation that must be documented under this regulation be documented in writing. “Writing” includes electronic storage; paper records are not required. Covered Entities or Business Associates are required to retain any documentation required under the Security Rule for at least six years (the statute of limitations period for the civil penalties) from the date of the creation of the documentation, or the date when the document was last in effect, whichever is later.

Questions to consider:

  • Has the organization written a policy and procedure for the initial creation and maintenance of all other policies and procedures necessary to meet the requirements of this HIPAA Final Security Rule?
  • Based on the organization’s Risk Analysis, has the organization determined what policies and procedures must be created to meet the requirements of this HIPAA Final Security Rule?
  • Has the organization completed the development of required policies and procedures?
  • Are required policies and procedures up to date?