Covered entities must maintain all documentation, policies and procedures, required by the Security Rule for 6 years from the date of creation or last day in effect.
Documentation must also be made available to the persons responsible for implementing related procedures
Covered entities must periodically review documentation to revise and update it as needed to ensure confidentiality , integrity and availability of EPHI (Bedrock Principles).