How long should I retain my paperwork and records?

A covered entity must adopt reasonable and appropriate policies and procedures to comply with the provisions of the HIPAA Privacy and Security Rules. A covered entity must maintain its written security policies and procedures, and its written records of required actions, activities or assessments, until six years after the later of the date of their creation or their last effective date. Additionally, a covered entity must periodically review and update its documentation in response to environmental or organizational changes that affect the security of electronic protected health information.
