A provider must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. A provider must maintain, until six years after the later of the date of their creation or last effective date, written security policies and procedures, and written records of required actions, activities, or assessments. 

A provider must periodically review and update its documentation in response to environmental or organizational changes that affect the security of electronic protected health information (e-PHI).