[Code of Federal Regulations]

[Title 45, Volume 1]

[Revised as of October 1, 2006]

From the U.S. Government Printing Office via GPO Access

[CITE: 45CFR164.316]



[Page 749-750]

 

                        TITLE 45--PUBLIC WELFARE

 

          SUBTITLE A--DEPARTMENT OF HEALTH AND HUMAN SERVICES

 

PART 164--SECURITY AND PRIVACY--Table of Contents

 

Subpart C--Security Standards for the Protection of Electronic Protected
Health Information

 

Sec.  164.316  Policies and procedures and documentation requirements.



    A covered entity must, in accordance with Sec.  164.306:

    (a) Standard: Policies and procedures. Implement reasonable and
appropriate policies and procedures to comply with the standards,
implementation specifications, or other requirements of this subpart,
taking into account those factors specified in Sec.  164.306(b)(2)(i),
(ii), (iii), and (iv). This standard is not to be construed to permit or
excuse an action that violates any other standard, implementation
specification, or other requirements of this subpart. A covered entity
may change its policies and procedures at any time, provided that the
changes are documented and are implemented in accordance with this
subpart.

    (b)(1) Standard: Documentation. (i) Maintain the policies and
procedures implemented to comply with this subpart in written (which may
be electronic) form; and

    (ii) If an action, activity or assessment is required by this
subpart to be documented, maintain a written (which may be electronic)
record of the action, activity, or assessment.

    (2) Implementation specifications:

    (i) Time limit (Required). Retain the documentation required by
paragraph (b)(1) of this section for 6 years from the date of its
creation or the date when it last was in effect, whichever is later.

    (ii) Availability (Required). Make documentation available to those
persons responsible for implementing the procedures to which the
documentation pertains.






    (iii) Updates (Required). Review documentation periodically, and
update as needed, in response to environmental or operational changes
affecting the security of the electronic protected health information.