Chapter 7 · §164.316

Your Paperwork

§164.316 is the closing bracket on the administrative safeguards. §164.308 asked you to do the work; §164.316 asks you to preserve it — written down, kept for six years, available to the workforce, reviewed when things change.

Why this chapter exists, in plain English

Everything the earlier chapters had you decide and do has to exist as a written record with a date on it, and that record has to survive: kept for six years, reachable by the people who follow it, and revisited whenever your practice changes. That is all §164.316 adds; it introduces no new safeguards of its own.

The good news: chapters 1–6 have been building your Practice Security Manual the whole time. Your BAA list, device inventory, password procedures, workspace safeguards, incident-response plan, and training record are already the written policies and procedures the rule asks for. This chapter is about keeping them.

Four topics, one per sub-spec. The review cadence and the date you last reviewed live inside the last topic because they’re what §164.316(b)(2)(iii) actually asks for — not a separate global question.

01

The four topics

§164.316(b)(1)

Your written manual:

a single dated document (electronic form counts as "written") that compiles the chapter outputs

Each chapter output (BAA list, device inventory, password procedures, workspace safeguards, incident-response plan, training record) becomes a section of the manual, so nothing here asks you to write a policy from scratch. Give the compiled document a version number and a date: the retention clock and the review record both key off them.

HIPAAPath produces that manual for you. Once you’ve worked through all nine chapters, download your complete Practice Security Manual — a dated, auditor-ready PDF — directly from HIPAAPath.

§164.316(b)(2)(i)

Keeping it for six years:

how the clock starts and where retired versions go

The clock starts on the later of two dates: when the document was created, or when it was last in effect. That second part is the one people miss: a policy you retired last year still has to be kept for six more years from its retirement date, not from when you first wrote it. The same clock applies to records of actions the rule requires you to document, such as training records and incident reports.

The simplest solution is a dated-folder convention. Keep your current manual in one place. When you update a policy, move the superseded version to an archive/ subfolder with its retirement date in the filename. Once a year, prune anything whose retirement date is more than six years ago; before you delete, make sure nothing in that batch is tied to an open complaint, investigation, or litigation hold.
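The folder convention above, as an added example (not HIPAAPath's own code and not something the page provides): a Python script that reads the retirement date out of each archived filename, computes the six-year keep-until date, and reports what can be pruned, what must stay, and what is missing a date. The filename layout `<name>__retired-YYYY-MM-DD.<ext>`, the sample archive listing and the dates in it are all assumptions constructed for the example.

```python
"""Retention check for a dated archive/ folder.

Added example, not part of HIPAAPath. Assumed (not from the page) filename
layout for retired versions in archive/:

    <policy-name>__retired-YYYY-MM-DD.<ext>

Only retirement dates matter here: a version in archive/ was created before it
was retired, so "the later of creation or last-in-effect" is always the
retirement date. The current manual never lands in archive/ and is never pruned.
"""
from __future__ import annotations

import re
from datetime import date
from pathlib import Path

RETENTION_YEARS = 6  # 45 CFR 164.316(b)(2)(i)

# Assumed convention: the retirement date sits at the end of the filename.
_RETIRED_RE = re.compile(r"__retired-(\d{4})-(\d{2})-(\d{2})\.[A-Za-z0-9]+$")


def parse_retirement_date(filename: str) -> date | None:
    """Return the retirement date encoded in an archived filename, or None."""
    m = _RETIRED_RE.search(filename)
    if m is None:
        return None
    year, month, day = (int(g) for g in m.groups())
    try:
        return date(year, month, day)
    except ValueError:  # e.g. month 13: treat as unlabelled rather than guess
        return None


def retain_until(retired: date) -> date:
    """Last day the retired version must still be kept."""
    try:
        return retired.replace(year=retired.year + RETENTION_YEARS)
    except ValueError:  # retired on 29 Feb and the target year is not a leap year
        return retired.replace(year=retired.year + RETENTION_YEARS, day=28)


def classify_archive(filenames, today: date | str):
    """Sort archived filenames into (keep, prune, unlabelled).

    keep       - inside the six-year window, leave alone
    prune      - window has passed, safe to delete (absent a legal hold)
    unlabelled - no parseable retirement date; retention cannot be shown, so flag
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    keep, prune, unlabelled = [], [], []
    for name in filenames:
        retired = parse_retirement_date(name)
        if retired is None:
            unlabelled.append(name)
        elif today > retain_until(retired):
            prune.append(name)
        else:
            keep.append(name)
    return keep, prune, unlabelled


def scan_archive(archive_dir: Path, today: date | None = None):
    """Run classify_archive over a real archive/ folder (report only, no deletion)."""
    names = sorted(p.name for p in archive_dir.iterdir() if p.is_file())
    return classify_archive(names, today or date.today())


# Constructed sample listing; these are not real files.
SAMPLE_ARCHIVE = [
    "password-procedure__retired-2017-05-10.pdf",        # six years passed
    "device-inventory__retired-2019-11-30.pdf",          # still inside the window
    "incident-response-plan__retired-2025-01-15.docx",   # recently retired
    "baa-list-old.pdf",                                  # no date: flag, do not guess
]

if __name__ == "__main__":
    keep, prune, unlabelled = classify_archive(SAMPLE_ARCHIVE, "2025-06-01")
    for label, names in (("keep", keep), ("prune", prune), ("unlabelled", unlabelled)):
        for name in names:
            print(f"{label:10s} {name}")
```

Run it against a real folder with `scan_archive(Path("archive"))`. It only reports, so deleting stays a deliberate step you take after checking the prune list against any open complaint or hold; files without a date in the name are flagged rather than silently kept or pruned, because an undated archive copy is exactly the record you cannot defend in an audit.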

§164.316(b)(2)(ii)

Making it available:

reachable in under a minute, by everyone who follows it

For a solo or small practice, this is mostly a "do I know where it is" question. If you can pull up the current manual from your laptop or phone in under a minute, you have met the availability requirement in practice. The word that matters is current: a copy synced to a device months ago and never refreshed is the version people will actually follow.

For a two-person office, both of you need access to the current version — a shared Drive or OneDrive folder is the standard solution. If a workforce member can’t reach the policies they’re supposed to follow, the rule isn’t satisfied, and it’s a common audit finding.

§164.316(b)(2)(iii)

Your review routine:

the cadence plus the events that trigger an off-cycle update

The rule names two triggers: periodic review (you pick the cadence), and environmental or operational changes that affect the security of ePHI. A new staff member, a new EHR, a new cloud vendor, a device loss, or a security incident are all operational changes — any of them should trigger a review of the affected sections, not just the annual one.

Review cadence

Annual, or event-driven with a named trigger list.

The rule says “periodic, and update as needed in response to environmental or operational changes” — so there are two honest answers here. Annual review is OCR’s de facto standard (it’s the cadence they write into corrective action plans after breach settlements), and it pairs naturally with the training review in Chapter 6. The event-driven alternative is legitimate, but only if you name your triggers — new staff, new systems, a new service or vendor, a security incident — and will actually review when one happens. If you pick event-driven and a year passes without a trigger, you’re probably due anyway. Pick the one you’ll actually do.

Last reviewed

First time through? Today is the right answer — working through this chapter is a review.
