HIPAA Retention Requirements Explained

The small distinction between HIPAA medical records retention and HIPAA record retention can lead to some confusion when discussing HIPAA retention requirements. This article seeks to explain what records need to be retained under HIPAA, and what other retention requirements Covered Entities should think about.

The HIPAA retention requirements are really quite simple. What can lead to confusion for some Covered Entities is the stipulation within the Privacy Rule that individuals have the right to request an accounting of disclosures (of PHI) for the previous six years, but there is no requirement to retain the PHI to which the disclosures relate for six years.

No HIPAA Medical Records Retention Period Exists

The reason the Privacy Rule does not state how long medical records must be retained is because there is no HIPAA medical records retention period. Each state has its own laws dealing with the retention of medical records, and – unlike other areas of the Health Insurance Portability and Accountability Act – HIPAA does not overrule them.

Due to this, each Covered Entity and Business Associate is governed by the laws of its state with regard to how long medical records have to be retained, rather than by any exact HIPAA medical records retention period. States' retention periods can differ considerably depending on the nature of the records and who owns them. For example:

  • In Florida, physicians must keep medical records for five years after the last patient contact, whereas hospitals must keep them for seven years.
  • In Nevada, healthcare groups must maintain medical records for a minimum of five years, or – in the case of a minor – until the patient is 23 years of age.
  • In North Carolina, hospitals must keep patients' records for 11 years from the date of discharge, and records relating to minors must be retained until the patient is 30 years old.

So what are the HIPAA Retention Requirements?

Even though there are no HIPAA retention requirements for medical records, there is a requirement about how long other HIPAA-related documents should be kept. This is covered in CFR §164.316(b)(1), which states that Covered Entities must keep the policies and procedures implemented to comply [with HIPAA] and records of any action, activity or assessment.

CFR §164.316(b)(2)(i) states that these documents must be retained for a minimum of six years from when the document was created or – in the case of a policy – from when it was last in effect. Therefore, if a policy is in place for three years before being revised, a record of the original policy must be retained for a minimum of nine years after it began.

The list of documents governed by the HIPAA retention requirements can be long, depending on the nature of the business conducted by the Covered Entity or Business Associate. The following list gives the most commonly listed documents; however, not every item applies to every entity. For example, health plans and healthcare clearinghouses do not share Notices of Privacy Practices, so they would not be required to keep copies of them:

  • Privacy Practice Notices.
  • Permissions for the Disclosure of PHI.
  • Risk Analyses and Risk Assessments.
  • Disaster Recovery and Back Up Plans.
  • Business Associate Agreements.
  • Data Security and Privacy Policies.
  • Staff Sanction Policies.
  • Incident and Breach Notification Files.
  • Complaint and Resolution Documentation.
  • Physical Security Maintenance Histories.
  • Logs Detailing Access to and Updating of PHI.
  • IT Security System Audits (including new procedures or technologies implemented).

It was noted above that the HIPAA retention requirements are actually quite simple and, when contrasted with some other regulatory requirements, that is certainly the case. Along with HIPAA record retention, insurance firms may be subject to the complexities of FINRA, while employers may have to adhere to the record retention requirements of the Employee Retirement Income Security Act and the Fair Labor Standards Act. In some instances, this can mean keeping records indefinitely.

The Centers for Medicare & Medicaid Services (CMS) requires records of healthcare providers filing cost reports to be kept for a period of at least five years after the closure of the cost report, and requires Medicare managed care program providers to keep their records for ten years. Although much of the documentation backing up CMS cost reports will be the same as that necessary for HIPAA record retention purposes, the two sets of records must be maintained separately for retrieval reasons.

It is recommended that all Covered Entities and Business Associates keep any documentation that may be required in a personal injury or breach of contract dispute for as long as necessary. "As long as necessary" will depend on the relevant Statute of Limitations in force in the state in which the entity operates. In many instances, the Statutes of Limitation are longer than any HIPAA record retention period.

About Patrick Kennedy
Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile: https://www.linkedin.com/in/pkkennedy/