§164.520(e) Implementation specifications: Documentation. A covered entity must document compliance with the notice requirements, as required by §164.530(j), by retaining copies of the notices issued by the covered entity and, if applicable, any written acknowledgments of receipt of the notice or documentation of good faith efforts to obtain such written acknowledgment, in accordance with paragraph (c)(2)(ii) of this section.

Audit Inquiry

Is the documentation of notice of privacy practices and the acknowledgement of receipt by individuals of the notice of privacy practices maintained in electronic or written form and retained for a period of 6 years?

Obtain and review policies and procedures to assess whether applicable documentation criteria for the notice are established and communicated to appropriate members of the workforce.

Obtain and review documentation (copies of all applicable notices and a sample of acknowledgements) to determine whether (1) the notice of privacy practices and (2) (using a sample) acknowledgements for health care providers with direct treatment relationships with patients are maintained in electronic or written form and retained for a period of six years.

Required/Addressable

Required