Privacy Guidance: What is the HIPAA Privacy Rule Documentation Requirement?

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Introduction

The HIPAA Privacy Rule contains a documentation requirement. This article discusses what measures a covered entity must take to meet the requirement. 

What are the Privacy Rule Documentation Requirements?

A covered entity must maintain documentation of its policies and procedures - in written or electronic form. Also, the Privacy Rule requires that if a communication is required (by the Privacy Rule) to be in writing, a covered entity must maintain maintain that writing, or an electronic copy, as documentation. In addition, the Privacy Rule requires that if an action, activity, or designation is required by the Privacy Rule to be documented, a covered entity must maintain a written or electronic record of that action, activity, or designation.

For How Long Must Documentation be Maintained?

A covered entity must maintain all required documentation (which includes its policies and procedures, and any communications or actions the HIPAA Privacy Rule requires to be in writing) for six years from the date of its creation or the date it was last in effect, whichever is later.

What are Examples of Actions, Activities, or Designations That Must be Documented?

Examples of communications, actions, activities, and designations that must be documented (and thus maintained in written or electronic form) include:

1. Authorizations for Disclosures of PHI.
2. Notices of Privacy Practices
3. Business Associate Agreements
4. Employee Sanction Policies
5. Incident and and Breach Determinations and Notifications
6. Complaint and Resolution Documentation