Here is what HIPAA basically says:
Policies and Procedures and Documentation Requirements
A covered entity must undertake training and adopt reasonable/appropriate policies and procedures to comply with the provisions of the Security Rule. A covered entity must maintain, until six years after the later of the date of their creation or last effective date, written security policies and procedures and written records of required actions, activities or assessments. A covered entity must train all employees in HIPAA rules and regulations relating to Protected Health Information (PHI).
Updates.
A covered entity must periodically review and update its documentation in response to environmental or organizational changes that affect the security of electronic protected health information. This applies to training as well. (Many States are more stringent in their training requirements)
That's nice, but what does it mean. In a nutshell a practice needs to create and maintain documentation for:
- Training
- Electronic Security Measures Taken
- Physical Security Measures for paper and electronic records
- Agreements and contracts with contractors having access to records
- Security Policies and procedures for employees
- Document changes affecting security and responses to the changes
- Document negative issues or breach issues
All security measures placed by us will come with full legal documentation. Any subsequent actions taken by us relating to records security will be documented.
We have full documentation packages that will evaluate and document your practice's HIPAA compliance
Should a practice desire or require more documentation relating to security issues CYRSS can provide such documentation through our legal team.