Scope of this standard

This standard defines the documentation requirements for Texas State University Health Care Components (HCCs) and applies to all Texas State University HCCs.

    1. Retention Period: In accordance with HIPAA regulations, university HCCs and their business associates must retain all mandated documentation for a minimum of six years from either the date the record was created or the date it was last in effect, whichever is later (45 CFR §164.316(b)(2)(i)). For reference, consult Record Series SHC220 on page 158 of 216 of the university's Records Retention Schedule (Records Management Schedule).
    2. Availability: Documentation must be made available to those responsible for implementing policies and procedures (45 CFR §164.316(b)(2)(ii)).
    3. Updates: Standards and Procedures must be reviewed and updated as necessary in response to environmental or operational changes affecting the security of PHI (45 CFR §164.316(b)(2)(iii)).

    1. Privacy Procedures:
      1. Document how your organization complies with HIPAA Privacy Rule (45 CFR §164.530(i)).
    2. Notice of Privacy Practices:
      1. Maintain a copy of your Notice of Privacy Practices and any revisions (45 CFR §164.520).
      2. HCCs’ Notice of Privacy Practices must align with the Standards for HIPAA Privacy Practices Notice.
    3. Complaints:
      1. Document complaints received and their resolution regarding HIPAA privacy policies (45 CFR §164.530(d)).
    4. Authorizations:
      1. Retain any signed patient authorizations for disclosure of PHI, and related documentation.
    5. Training Records:
      1. Document who has received HIPAA Privacy Rule training, when it was conducted, and the content covered (45 CFR §164.530(b)).

    1. Security Procedures:
      1. Implement and document security procedures for protecting ePHI (45 CFR §164.316(a) and (b)).
    2. Workforce Security:
      1. Maintain documentation on how workforce access to ePHI is authorized and supervised (45 CFR §164.308(a)(3)).
    3. Security Incident Procedures:
      1. In accordance with UPPS 04.01.10 §04.01, university HCCs must immediately report suspected security incidents or data breaches to the Information Security Office (ISO).
      2. HCCs must maintain records of any security incidents and the response taken by the ISO (45 CFR §164.308(a)(6)(ii)).
    4. Access Controls, Audit Controls, and Audit Logs:
      1. Document technical and physical safeguards such as access control systems and audit logs (45 CFR §164.312).

    1. Breach Investigation and Response:
      1. The ISO will document the investigation, mitigation, and notifications made in response to breaches (45 CFR §§164.404–164.408).
    2. Notification Records:
      1. HCCs must retain copies of all notifications sent to individuals, HHS and, where applicable, the media, together with their timelines and content.

    1. Written Contracts:
      1. Document executed BAAs with each business associate handling PHI (45 CFR §164.502(e)).

    1. Access, Amendment, Restriction of PHI, & Confidential Communications Requests:
      1. Document requests for access to PHI, amendment of PHI, restriction of PHI, confidential communications, and your organization’s responses (45 CFR §164.522, §164.524 and §164.526).
    2. Accounting of Disclosures:
      1. Maintain logs and records of certain disclosures of PHI, including those made without patient authorization (45 CFR §164.528).

    1. Covered entities should document their assessment of whether they qualify as a hybrid entity or as part of an affiliated covered entity, according to the criteria defined in 45 CFR §164.105(a)(1) and §164.105(b).
    2. Maintain a record of the factors considered in making this determination, explaining why the entity is or is not a hybrid or affiliated covered entity.
    3. Hybrid entities must clearly document the specific components or combination of components within their organization designated as healthcare components.