The University must keep documentation of:
- Current security policies and procedures implemented by the Component, and
- An archive of policies that were valid at any time in the past six calendar years.
The HIPAA Privacy Officer and HIPAA Security Officer shall maintain the archive of all University-level policies. The HIPAA Contact must maintain this documentation for any procedure created or maintained by the Covered Component.
In addition, many portions of the security program require documentation of activity, most notably granting and reviewing access, and reviewing information system activity. The Covered Components must keep documentation of all such actions for a period of six years.
Additional Resources Regarding This Policy
Related Policies, Procedures, and Guides
- Data Security