HIPAA - Maintenance 164.306(e)
Overview:
Security measures implemented to comply with standards and implementation specifications adopted under § 164.105 and this subpart must be reviewed and modified as needed to continue the provision of reasonable and appropriate protection of electronic protected health information as described at § 164.316.
Action Items:
1) Verify that the organization reviews its security measures at least annually to evaluate its compliance and determine reasonable and appropriate steps to maintain protection of electronic protected health information.
2) Verify that the frequency, review dates, and responsibilities/ownership for reviews are documented and understood by all stakeholders.
Related Documents:
1) Information Security Policy
2) Documentation that outlines the frequency, review dates, and responsibilities/ownership for reviews
Additional Guidance:
For each addressable implementation specification, a covered entity must determine if the implementation specification is reasonable and appropriate in its environment. A covered entity needs to consider a number of factors in making the decisions for each addressable implementation specification.