Documentation of a risk analysis and of HIPAA-related policies, procedures, reports, and activities is a requirement under the HIPAA Security Rule. Also, the Centers for Medicare and Medicaid Services (CMS) advise all providers who attest for the EHR Incentive Programs to retain all relevant records that support attestation. Documentation shows how you did the security risk analysis and implemented safeguards to address the risks identified in your risk analysis. Over time, your security documentation folder will become a tool that helps your security procedures be more efficient. Your workforce will be able to reference this master file of security findings, decisions, and actions. Further, the information will be more accurate than if your workforce tries to reconstruct past decisions and actions. These records will be essential if you are ever audited for compliance with the HIPAA Rules or an EHR Incentive Program.
Documentation is a primary requirement for demonstrating HIPAA compliance. Documentation includes retaining written or electronic results of a risk analysis, documenting the results of an audit, developing and implementing comprehensive privacy and security policies and procedures, and documenting staff training and security incident responses.
You should record the who, what, when, where, how, and why of everything relating to Protected Health Information (PHI) in your environment. Your documentation should demonstrate in writing where you are today, how you've progressed over the years, and what your plan is for the future.