Effective Date: August 1, 2013
Revised: November 1, 2018

HIPAA Policies for Healthcare Providers at Covered Components: Policy 9, Documentation and Retention

Responsible Office: Research Compliance

This Policy 9 is part of the HIPAA Policy Manual: Privacy and Security of Protected Health Information for BU Healthcare Provider Covered Components.


9. Documentation and Retention

The University must keep documentation of:

  • Current security policies and procedures implemented by the Component, and
  • An archive of policies that were valid at any time in the past six calendar years.

The HIPAA Privacy Officer and HIPAA Security Officer shall maintain the archive of all University-level policies. The HIPAA Contact must maintain this documentation for any procedure created or maintained by the Covered Component.

In addition, many portions of the security program require documentation of activity, most notably granting and reviewing access, and reviewing information system activity.  The Covered Components must keep documentation of all such actions for a period of six years.