45 C.F.R. § 164.316(b)(2)(iii) requires that the documentation of security policies and procedures be reviewed periodically and updated as needed in response to environmental or operational changes affecting the security of electronic protected health information (ePHI). The rule sets no fixed interval; it ties review to change.
"Some executive orders and statutes even call on agencies to undertake periodic reviews. But there has been little study of how often periodic review is employed, how well it performs, and whether it should be undertaken more widely," write Lori S. Bennear and Jonathan B. Wiener in Pursuing Periodic Review of Agency Regulation.
Some healthcare organizations conduct more frequent internal reviews, especially if they handle large volumes of sensitive data or have a history of compliance issues. The December 2023 Montefiore Medical Center HIPAA settlement illustrates why healthcare organizations must regularly review and update their policies. After an employee improperly accessed and disclosed patients' PHI, Montefiore paid $4.75 million and, under the corrective action plan OCR imposed, committed to quarterly policy reviews. That plan set explicit expectations for how regularly policies are assessed, not merely that they exist.
Certain events require immediate policy updates regardless of the review schedule. New federal regulations, changes in HHS guidance, or shifts in OCR enforcement priorities call for policy adjustments to maintain compliance. Security incidents and data breaches often reveal policy gaps that must be addressed. Likewise, introducing new technology such as an EHR system or a cloud storage service brings new risks that require policy revisions. Organizational changes, including mergers, leadership transitions, or workplace restructuring, can also affect compliance procedures and necessitate updates.
According to an NIH article, "HIPAA compliance is an ongoing, dynamic process. OCR's enforcement activity makes it quite clear that it's not enough to simply have drafted HIPAA policies and procedures. HIPAA compliance requires ongoing assessment. Policies that might be reasonable today might not be reasonable tomorrow. Much like clinical and financial considerations, the privacy and security of patient information should be taken into account when determining how to establish a new policy or utilize a new technology in the office. Routinely making HIPAA a part of the discussion goes a long way toward reducing your exposure."
According to HIPAA Compliance: A Common Sense Approach, best practices for maintaining up-to-date HIPAA policies include:
Even though the Health Insurance Portability and Accountability Act (HIPAA) does not set a time frame within which policies must be revised, 45 C.F.R. § 164.316(b)(2)(i) does require covered entities and business associates to "Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later." That is a retention requirement rather than a review interval: each superseded version of a policy must be kept for six years after it stops being in effect, so a review program needs version history and effective dates for every policy, not just the current text.
Check whether you have had a recent security incident, introduced new technology, undergone organizational changes, or whether HHS has issued new regulations or guidance. Any of these is a trigger for review regardless of where you are in the calendar.
HIPAA does not specify an exact time frame. Many organizations conduct reviews at least annually, and quarterly reviews are widely regarded as best practice. Note that the Security Rule's evaluation standard, 45 C.F.R. § 164.308(a)(8), separately requires a periodic technical and nontechnical evaluation, performed in response to environmental or operational changes, of how well your security policies and procedures meet the rule; policy review and that evaluation are usually scheduled together.
Yes. The requirement for periodic review applies to every covered entity and business associate regardless of size; a smaller practice simply has fewer and simpler policies to review.