The six year requirement maps only to privacy related retention such as audits of a 
consent and authorization tracking system.  For other security requirements, audit is 
driven by business impact, not HIPAA rules.   It's unlikely that there will be 
specific security related audit retention rules in the security standard;  this is an 
area where security countermeasures and safeguards are based upon what is appropriate. 
  Six years for PHI....but not for other proprietary or critical information assets of 
the entity.   Depends primarily on institution retention policy...and the security 
rules scale as applicable.

William H. Dobson, Jr, CISSP
Federal Business Development
Information Assurance Assessments
Trustwave Corporation, Annapolis, MD
Office 410-573-6910 x 2622
Cell    301-655-8548
Fax    410-571-8493



-----Original Message-----
From: Paul Litwak [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 12, 2002 11:14 AM
To: Street, Bunny; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: retention of documentation


The privacy rule requires retention of documentation for 6 years.  See 45
CFR 164.530(j).  I'd expect the final security rule to track that
requirement.

--------------------

NOTICE:  This message and its attachments are confidential and may be
protected by the attorney/client privilege.  If you have received it in
error, please notify the sender immediately by e-mail and delete and destroy
this message and its attachments.

--------------------

Paul Litwak
Attorney & Counselor at Law
2832 S. Lynnhaven Rd., Suite 202
Virginia Beach, VA 23452
Ph: 757-431-2020
Fax: 757-431-3688
EMail: [EMAIL PROTECTED]
Web: www.paul-litwak.com

-----Original Message-----
From: Street, Bunny [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 12, 2002 10:22 AM
To: [EMAIL PROTECTED]; '[EMAIL PROTECTED]'
Subject: RE: retention of documentation

Although the security regs are in proposed status, is anyone aware of
references to retention requirements for documentation; such as how long
should audit information be retained?  Thanks

Leslie Street
Privacy Specialist
Mountain States Health Alliance
Johnson City, TN 36704
423-431-1661
[EMAIL PROTECTED]




**********************************************************************
To be removed from this list, send a message to: [EMAIL PROTECTED]
Please note that it may take up to 72 hours to process your request.


**********************************************************************
To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy
and enter your email address.


**********************************************************************
To be removed from this list, send a message to: [EMAIL PROTECTED]
Please note that it may take up to 72 hours to process your request.

Reply via email to