- OSU shall implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule, taking into account these factors: The size, complexity, capabilities, technical infrastructure, hardware, software security capabilities, cost of security measures, and the probability and criticality of potential risks to ePHI. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. OSU may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with the Security Rule. §164.316(a)
- OSU will maintain the policies and procedures implemented to comply with the Security Rule in written (which may be electronic) form; and §164.316(b)(1)
- If an action, activity or assessment is required by the Security Rule to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment. §164.316(b)(ii)
- OSU will retain the documentation required by paragraph 2 of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later. §164.316(b)(2)(i)
- OSU will make documentation available to those persons responsible for implementing the procedures to which the documentation pertains. §164.316(b)(2)(ii)
- OSU will review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information. §164.316(b)(2)(iii)
OSU shall adhere to the policy above regarding all policies and procedures applicable to the Security Rule.
All master copies of the policies and procedures shall be kept in electronic form with the HIPAA Compliance Office. The HIPAA Compliance Officer may delegate various policies to individuals within the organization who are best suited for the area of responsibility. The HIPAA Compliance Office will review all policies and procedures on no less than an annual basis, as legally required, or as needed based on various situations, whichever is more frequent.
All HIPAA policies and procedure changes will be approved by the HIPAA Steering Committee before being sent onto the Compliance Committee for approval, then onto the OSU Legal Department.
If the change/modification is insignificant in nature, such as a typo or adding a word for better grammar, etc., those changes do not need to be approved by the Committee’s or the Legal department.