The six year requirement maps only to privacy related retention such as audits of a consent and authorization tracking system. For other security requirements, audit is driven by business impact, not HIPAA rules. It's unlikely that there will be specific security related audit retention rules in the security standard; this is an area where security countermeasures and safeguards are based upon what is appropriate. Six years for PHI....but not for other proprietary or critical information assets of the entity. Depends primarily on institution retention policy...and the security rules scale as applicable.
William H. Dobson, Jr, CISSP Federal Business Development Information Assurance Assessments Trustwave Corporation, Annapolis, MD Office 410-573-6910 x 2622 Cell 301-655-8548 Fax 410-571-8493 -----Original Message----- From: Paul Litwak [mailto:[EMAIL PROTECTED]] Sent: Tuesday, March 12, 2002 11:14 AM To: Street, Bunny; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: retention of documentation The privacy rule requires retention of documentation for 6 years. See 45 CFR 164.530(j). I'd expect the final security rule to track that requirement. -------------------- NOTICE: This message and its attachments are confidential and may be protected by the attorney/client privilege. If you have received it in error, please notify the sender immediately by e-mail and delete and destroy this message and its attachments. -------------------- Paul Litwak Attorney & Counselor at Law 2832 S. Lynnhaven Rd., Suite 202 Virginia Beach, VA 23452 Ph: 757-431-2020 Fax: 757-431-3688 EMail: [EMAIL PROTECTED] Web: www.paul-litwak.com -----Original Message----- From: Street, Bunny [mailto:[EMAIL PROTECTED]] Sent: Tuesday, March 12, 2002 10:22 AM To: [EMAIL PROTECTED]; '[EMAIL PROTECTED]' Subject: RE: retention of documentation Although the security regs are in proposed status, is anyone aware of references to retention requirements for documentation; such as how long should audit information be retained? Thanks Leslie Street Privacy Specialist Mountain States Health Alliance Johnson City, TN 36704 423-431-1661 [EMAIL PROTECTED] ********************************************************************** To be removed from this list, send a message to: [EMAIL PROTECTED] Please note that it may take up to 72 hours to process your request. ********************************************************************** To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy and enter your email address. ********************************************************************** To be removed from this list, send a message to: [EMAIL PROTECTED] Please note that it may take up to 72 hours to process your request.