Key Point: If you don’t document it, you can’t prove you have followed privacy regulations — meaning you could face penalties. Security policies and procedures are mandated under the Health Insurance Portability and Accountability Act (HIPAA), and the regulations are very specific about the policies and procedures you need to implement.
Through your documentation of policies and procedures, specify the security measures you have in place and the procedures you have for ensuring daily vigilance.
Keep in mind: Document everything, including all assessments, precautions, procedures, actions, findings, and processes covered under HIPAA requirements. Organize your compliance documentation in central locations, so both paper and electronic records can be easily referenced.
Ask yourself if you are keeping records of:
- Procedures for distributing privacy notices (which should include instructions on how to file complaints and report security concerns)
- Security policies and procedures (including written records of required actions, activities, or assessments)
- Complaint resolutions
- Updates to policies and procedures
- Sanctions against workforce members relating to privacy or security issues
- Staff training
- Business Associate Agreements
Be sure to keep privacy records for six years from the date a document was created or the date it was last in effect. Also, periodically review and update documentation in response to changing conditions — such as a move to a new location — that affect the security of private health information.