HIPAA Privacy, Security, and Breach Notification Rules all require extensive written or electronic documentation, and retention of that documentation, generally for six years. A Covered Entity (CE), such as a medical practice or hospital, must document the policies and procedures that demonstrate its operational compliance with the Privacy and Security Rules. All compliance-related activities required by the Security Rule must also be documented. For example, a CE's risk analysis and risk management program must document how the CE analyzes and manages the risk that electronic Protected Health Information (ePHI) could be inappropriately accessed or disclosed; likewise, the technical and physical safeguards a CE establishes to protect the security and integrity of ePHI must be documented. All of this documentation must be made available to those responsible for implementing the procedures, as well as to the U.S. Department of Health and Human Services (HHS) if and when HHS requests it.
CEs must also document their activities and communications with patients, such as the Notice of Privacy Practices, records of complaints and their resolution, and records related to a patient's rights to access and amend their own records and to receive an accounting of all disclosures of their PHI. The CE must also document a patient's authorization for the use and disclosure of that patient's PHI.