The small distinction between HIPAA medical records retention and HIPAA record retention can lead to some confusion when discussing HIPAA retention requirements. This article seeks to explain what records need to be retained under HIPAA, and what other retention requirements Covered Entities should think about.
The HIPAA retention requirements are really quite simple. What can lead to confusion for some Covered Entities and Business Associates is the stipulation within the Privacy Rule that appropriate administrative, technical and physical safeguards must adapted to “protect the privacy of Protected Health Information for whatever period such information is maintained”.
No HIPAA Medical Records Retention Period Exists
The reason the Privacy Rule does not state how long medical records must be retained is because there is no HIPAA medical records retention period. Each state has its own laws dealing with the retention of medical records, and – different to other areas of the Healthcare Insurance, Portability and Accountability Act – HIPAA does not overrule them.
Due to this, each Covered Entity and Business Associate is governed by the laws of the state with regard to how long medical records have to be retained rather than any exact HIPAA medical records retention period. States´ retention periods can differ considerably depending on the nature of the records and to whom they are owned by. For example:
- In Florida, physicians must keep medical records for five years after the last patient contact, whereas hospitals must keep them for seven years.
- In Nevada, healthcare groups must maintain medical records for a minimum of five years, or – in the case of a minor – until the patient is 23 years of age.
- In North Carolina, hospitals must keep patients´ records for 11 years from the date of discharge, and records relating to minors must be retained until the patient is 30 years old.
So what are the HIPAA Retention Requirements?
Even though the are no HIPAA retention requirements for medical records, there is a requirement about how long other HIPAA-related documents should be kept. This is covered in CFR §164.316(b)(1), which states Covered Entities must keep the policies and procedures implemented to comply [with HIPAA] and records of any action, activity or assessment.
CFR §164.316(b)(2)(i) lists the documents must be retained for a minimum of six years from when the document was created, or – in the event of a policy – from when it was last active. Therefore if a policy is in place for three years before being revised, a record of the original policy must be retained for a minimum of nine years after it began.
The list of documents governed by the HIPAA retention requirements is long depending on the nature of business conducted by the Covered Entity or Business Associate. The following list is an example of the most commonly listed documents; but, for example, health plans and healthcare clearing houses do not share Notices of Privacy Practices, so would not be required to keep copies of them:
- Privacy Practice Notices
- Permissions for the Disclosure of PHI.
- Risk Analyses and Risk Assessments.
- Disaster Recovery and Back Up Plans.
- Business Associate Agreements.
- Data Security and Privacy Policies.
- Staff Sanction Policies.
- Incident and Breach Notification Files.
- Complaint and Resolution Documentation.
- Physical Security Maintenance Histories.
- Logs Detailing Access to and Updating of PHI.
- IT Security System Audits (including new procedures or technologies implemented).
It was referred to above that the HIPAA retention requirements are actually quite simple and, when contrasted with some other regulatory requirements, that is certainly the case. Along with HIPAA record retention, insurance firms may be subject to the complexities of FINRA, while employers may have to adhere with the record retention requirements of the Employee Retirement Income Security Act and Fair Labor Standards Act. In some instances, this can mean keeping records indefinitely.
The Centers for Medicare & Medicaid Services (CMS) requires records of healthcare providers filing cost reports to be kept for a period of at least five years after the closure of the cost report, and that Medicare operated care program providers keep their records for ten years. Although much of the documentation backing up CMS cost reports will be the same as necessary for HIPAA record retention purposes, the two sets of records must be maintained separate for retrieval reasons.
It is recommended for all Covered Entities and Business Associates that any documentation that may be required in a personal injury or breach of contract dispute is kept for as long as required. “As long as necessary” will depend on the relevant Statute of Limitations in force in the state in which the entity operates. In many instances, the Statutes of Limitation are of greater length than any HIPAA record retention periods.