All HIPAA documentation should be well-organized and easy to access in case of an OCR audit, or worse, a breach. Keep an organized record of staff training, certifications, Business Associate Agreements, Risk Analyses, policies and procedures, internal audits, breach notification protocol, remediation plans, and any other relevant documentation.
There will come a day when your organization needs to produce the HIPAA-required policies and procedures. Remember: if you cannot produce the documentation, then as far as an auditor is concerned, you didn't do it.
Whether it is a HIPAA Privacy Rule or Security Rule policy and procedure, an access report or audit log, or staff training documentation, all of these need to be recorded. Today more insurers, particularly cyber security insurers, request this documentation before offering coverage.
Include your own backup procedures, as well as the policies and proof of backup testing, along with the frequency of that testing, from any vendors providing backup services for the organization.
Keep policies and procedures, records, and logs for six years per HIPAA retention requirements.
HIPAA compliance isn’t a one-time checklist. It’s ongoing, programmatic in nature, and requires demonstrated reasonable diligence to stay in good standing with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Anatomy IT can provide you peace of mind with our expert HIPAA compliance services. To learn more, contact us here.