If Compliance Isn’t Documented It Didn’t Happen

Most of the 250+ organizations I’ve audited, and the hundreds of others I’ve had as clients, hate documentation. At least creating documentation. So, they don’t do it, or they do it very poorly. Or, they document things they don’t need to, and fail to document the important things. And then, considering all that documentation, they often don’t retain it long enough, or forget where they put it.

Last year I wrote an article about legal retention length requirements. Now I’m focusing on the types of compliance activities organizations need to document, and then the need to retain that documentation for the appropriate periods of time.

All organizations need to document these

In the hundreds of audits I’ve done I always ask to see documentation. In many instances I’ve had organizations tell me they have information security and privacy policies. However, when I asked to see them, they’ve then basically said, “Oh, they’re unwritten but generally accepted and expected policies! They are verbally shared.” This is not acceptable.  

If you cannot show me (or your auditors, regulators or clients) documentation, then in my (and their) eyes, you haven’t done it; there is no proof that can be used to validate your actions. Even if you may seem to be trustworthy, if you have no documentation, I’m going to write this up as an audit finding. This will not look good, or bode well, with any regulatory agencies reviewing my audit report, or to any organizations you would like to be your client.

Make sure that, at a minimum, you document the following:

1)    Information security and privacy policies and procedures. These should include the date they were established, went into effect, and were updated.

2)    Training and awareness materials and activities. Training should show the date and topic of the training, each person who took the training, and the results of any associated tests/quizzes. For awareness activities, keep a copy of the awareness communications, descriptions of any awareness events, and photos of the activities if possible, along with the dates.

3)    Risk assessments. Keep the final report, which should include the date and names of the primary individuals involved, and documentation describing the risks and associated mitigation activities.

4)    Security incidents, privacy breaches and response activities. These should include at a minimum a high level description of each event, date, time, those involved with responding to them, and final outcomes, including any associated mitigation activities.

5)    Responsibilities. Documentation of the titles of the persons and/or offices responsible for information security and privacy compliance, including not only those with over-all responsibility for compliance, but also those areas with significant responsibilities for complying with information security and privacy requirements. For example, under HIPAA, documenting those responsible for receiving and processing requests for amendments by individuals, and those responsible for receiving and processing requests for an accounting by individuals.

6)    Privacy notices. Keep a copy of each privacy notice you have posted on your website, and that you send or give directly to your customers and/or patients. The notices should include an effective date, and last updated date.

7)    Business associate/vendor/subcontractor agreements/contracts. Keep a copy of each initial contract, and each one updated. It is best to keep in a centralized location, from which you manage and have oversight of all your vendor/etc. information security and privacy activities and obligations. FYI, one of my business services provides such capability.

8)    Information security and privacy forms used. These would include such things as access change requests, non-disclosure agreements, non-compliance reports, signed consent forms, and so on.

9)    Noncompliance sanctions applied. These should include a high level description of the policy/procedure violated, date, time, situation, and individual(s) involved, as appropriate.

If you are a covered entity (CE) or business associate (BA) under HIPAA also keep documentation of the following:

1)    A written or electronic record of a designation of an organization as a CE (e.g., health plan, affiliated covered entity, etc.) or BA.

2)    All documented settings, activities and assessments required by HIPAA.

3)    All data use agreements and other forms supporting HIPAA compliance.

4)    All signed authorizations and, where applicable, written acknowledgments of receipt of the notice or documentation of good faith efforts to obtain such written acknowledgments.

5)    Designated record sets that are subject to access by individuals.

6)    Accounting of disclosures of protected health information (PHI).

Retain how long?

I advise keeping a copy of your very first set of established policies and procedures indefinitely. They typically represent the initiation of your information security and privacy efforts, and can also serve as a baseline for comparison as your program matures. For everything else, generally retaining the types of previously listed documentation for at least six or seven years is a good plan, and is legally required for some industries and locations. For example, under HIPAA, covered entities (CEs) and business associates (BAs) must retain the documentation for at least six years from the date of its creation or the date when it last was in effect, whichever is later.

Bottom line for organizations of all sizes…

Every organization, in all industries, of all sizes, in all locations, needs to document their information security and privacy activities and then retain all the documentation, ideally in a centralized, secure location where it can easily and quickly be obtained whenever requested by a regulator, auditor, or client.

tumblr visitor

Tags: , , , , , , , , , , , , , , , , , , ,

Leave a Reply