406 10 405

Activity
IV.06. FINANCE, ADMINISTRATION AND INFRASTRUCTURE/Information Technology
Series Name
Security Standards for the Protection of Electronic Protected Health Information
Series ID
406-10-405
Custodians
Any creating unit
Description

Document policies, procedures, actions, activities or assessments implemented by Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered entities and business associates to comply with the Security Standards for the Protection of Electronic Protected Health Information provided at 45 CFR Subpart C, including 45 CFR § 164.306. These records, found in all media (paper, digital, or other), must include: 

  • policies, procedures, actions, activities or assessments implemented to comply with 45 CFR Subpart C, including audit logs. 

These records may also include, but not limited to:  

  • related documentation. 
Retention and Disposal Instructions

6 years from the date of creation or the date last was in effect, whichever is later, purge. 

Exception: In the event of a subpoena, audit, legal hold, public records or similar state or federal information request, halt until further instructed any scheduled disposal activities, including purging or transferring material to University Archives. 

Citations
45 CFR 164.316(b)(2)(ii)
Related Series
405-20-905: Clinical Laboratory Records
510-40-105: Employee Medical Information
304-10-115: Medical Records
304-10-110: Health Records of Non-Students
304-10-105: Health History Forms
304-10-120: Treatment Records, Designated Record Set