HIPAA Privacy - Documentation 164.520(e)

Overview:
§164.520(e)
Implementation specifications: Documentation.
A covered entity must document compliance with the notice requirements, as required by §164.530(j), by retaining copies of the notices issued by the covered entity and, if applicable, any written acknowledgments of receipt of the notice or documentation of good faith efforts to obtain such written acknowledgment, in accordance with paragraph (c)(2)(ii) of this section.

Action Items:
1) Obtain and review policies and procedures to assess whether applicable documentation criteria for the notice are established and communicated to appropriate members of the workforce.
2) Obtain and review documentation (copies of all applicable notices and sample of acknowledgements) to determine if (1) the notice of privacy practices; and (2) (using a sample) acknowledgements for health care providers with direct treatment relationships with patients are maintained in electronic or written form and retained for a period of six years.

Related Documents:
1) Policies and procedures to assess whether applicable documentation criteria for the notice are established and communicated to appropriate members of the workforce.
2) Copies of all applicable notices and sample of acknowledgements

Additional Guidance:
A covered entity must maintain, until six years after the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.