Policy and Procedures Implementation, v1.0

Specifies the that a health care related organization must implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart (Section 164.300-399), taking into account the organization's size, complexity, capabilities, the costs and risks associated with security, and other factors.

Assessment Steps (6)

1
Reasonable and Appropriate (ReasonableandAppropriate)
Does the covered entity or business associate implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart (Section 164.300-399)?
Artifact
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step.
2
Maintain Documents (MaintainDocuments)
Does the covered entity or business associate maintain the policies and procedures implemented to comply with this subpart (Section 164.300-399) in written (which may be electronic) form?
Artifact
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step.
3
Maintain Written Record (MaintainWrittenRecord)
Does the covered entity or business associate, if an action, activity or assessment is required by this subpart (Section 164.300-399) to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment?
Artifact
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step.
4
Retention Time Limit (RetentionTimeLimit)
Does the covered entity or business associate retain the above required documentation for 6 years from the date of its creation or the date when it last was in effect, whichever is later?
Artifact
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step.
5
Make Documentation Available (MakeDocumentationAvailable)
Does the covered entity or business associate make documentation available to those persons responsible for implementing the procedures to which the documentation pertains?
Artifact
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step.
6
Periodically Review and Update Documentation (PeriodicallyReviewandUpdateDocumentation)
Does the covered entity or business associate review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information?
Artifact
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step.
A covered entity or business associate must perform these requirements in accordance with Section 164.306 (Security standards: General rules).

Conformance Criteria (6)

Reasonable and Appropriate
The covered entity or business associate must implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart (Section 164.300-399), taking into account those factors specified in 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.
Citations
HIPAA-Security-Rule
45 CFR Section 164.316(a)
HIPAA-Security-Rule
45 CFR Section 164.306
Maintain Documents
The covered entity or business associate must maintain the policies and procedures implemented to comply with this subpart (Section 164.300-399) in written (which may be electronic) form.
Citations
HIPAA-Security-Rule
45 CFR Section 164.316(b)(1)(i)
HIPAA-Security-Rule
45 CFR Section 164.306
Maintain Written Record
The covered entity or business associate must, if an action, activity or assessment is required by this subpart (Section 164.300-399) to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.
Citations
HIPAA-Security-Rule
45 CFR Section 164.306
HIPAA-Security-Rule
45 CFR Section 164.316(b)(1)(ii)
Retention Time Limit
The covered entity or business associate must retain the above required documentation for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
Citations
HIPAA-Security-Rule
45 CFR Section 164.306
HIPAA-Security-Rule
45 CFR Section 164.316(b)(2)(i)
Make Documentation Available
The covered entity or business associate must make documentation available to those persons responsible for implementing the procedures to which the documentation pertains
Citations
HIPAA-Security-Rule
45 CFR Section 164.316(b)(2)(ii)
HIPAA-Security-Rule
45 CFR Section 164.306
Periodically Review and Update Documentation
The covered entity or business associate must review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information
Citations
HIPAA-Security-Rule
45 CFR Section 164.306
HIPAA-Security-Rule
45 CFR Section 164.316(b)(2)(iii)