Meeting HIPAA Documentation Requirements
Why Document?
Proper documentation is critical when it comes to your business passing a HIPAA audit. Ensuring HIPAA compliance requires documentation, and both electronic and paper documents are protected by HIPAA Privacy and Security Rules. The purpose of HIPAA documentation is to communicate the systems of compliance your business has set in place to those outside your organization. HIPAA documentation, when done correctly, will set the security standards for all processes and employees that are a part of your business. Proper recording and organization of documentation will also make yearly updating much faster, which takes less time away from other priorities within your organization.
What to Retain and for How Long:
Your business should retain documents containing protected health information or policies regarding the disclosure of protected information for a period of 6 years after its creation or the date it was last effective. These documents should include but may not be limited to:
- HIPAA Risk Analysis
- HIPAA Risk Management Plan
- Employee Sanction Policy
- Contracts
- Notice of Privacy Practices
- Password Policies
- Work Desk Procedures
- Training Logs
- List of Vendors
- Breach Response Plan
- Business Associate Agreements
- Incident Documentation
- Compliance Assessment Reports
- Records of hardware and electronic media used to store PHI
How to Dispose of Protected Health Information:
HIPAA Privacy and Security Rules do not specify that you must dispose of protected health information (PHI) by any particular method. Organizations must assess which method of disposal is most reasonable for their business and for the PHI they possess. Each organization must have a set of standards and policies that are implemented by all employees when disposing of documents that contain PHI.
According to guidelines set by the U.S. Department of Health and Human Services,
paper records can be destroyed by means of shredding, burning, pulping, or pulverizing. Once properly disposed of, all PHI should be indecipherable and unable to be reconstructed.
Electronic documents containing PHI can be overwritten through the use of clearing software, purged using strong magnetic fields that disrupt recorded magnetic domains and destroy data, or destroyed through means of disintegration, pulverization, melting, incinerating, or shredding.
How Cytek Can Help:
Cytek can provide your business with enterprise level security at an affordable price by delivering easy to use products without a compromise of security. Cytek Safeguard provides a centrally managed system that will organize all your required office policies, documents, and forms on your own personalized web portal as well as provide Risk Assessments, Analysis Remediation, Employee Training and Email Encryption.
Contact Cytek today to receive a free Risk Assessment.