The record retention requirements for different types of documentation can be vastly different. Here we explain how long you should keep employee HIPAA training records and other types of HIPAA documentation to ensure you remain fully compliant with the HIPAA Rules.
HIPAA Documentation Requirements
The Health Insurance Portability and Accountability Act requires documentation to be kept to demonstrate compliance with all provisions of the HIPAA Rules, and there are provisions covering HIPAA documentation in both the HIPAA Privacy and Security Rules.
The HIPAA Standard, § 164.530(j), states that covered entities must maintain documentation, including, but not limited to, the following:
- Policies and procedures with respect to protected health information and any updates made to those policies and procedures
- Communications requiring a physical or electronic copy
- Actions, activities, or designations that require written or electronic records
- Documentation to meet the administrative requirements and burden of proof outlined in § 164.414
- Records of any complaints to the covered entity concerning policies and procedures, including records of their disposition
- Notices of privacy practices
- Patient authorizations
- Business associate agreements and vendor lists
- Accounting of Disclosures of PHI
The HIPAA Security Rule requires safeguards to be implemented to ensure the confidentiality, integrity, and availability of ePHI, which includes administrative, physical, and technical safeguards. Documentation should be created and maintained covering policies and procedures related to Security Rule compliance.
Documentation should include the following:
- Security Rule policies and procedures
- Risk analyses and assessments
- Risk management efforts
- IT security system reviews, investigations, and decisions
- Security incident/data breach documentation, investigations, and decisions
- Physical and technical security maintenance records
- Information system activity reviews
- Password policies
- Contingency plans and test results
- Emergency and disaster recovery plans
- Documentation tracking the location and movements of electronic devices containing ePHI
- Documentation detailing the location of PHI
- Data breach notification letters
HIPAA documentation will need to be produced in the event of an audit, compliance review, or data breach investigation, and will also be required when complaints are investigated.
HIPAA documentation must be retained for a minimum period of 6 years from the date of creation or the last date when the documentation was in effect, whichever is later. In some cases, that means documentation will have to be retained indefinitely. HIPAA itself sets no requirements for retaining medical records, but there are requirements at the state level. It should also be noted that HIPAA sets minimum standards. States may require documentation to be retained for longer than the minimum period stated in HIPAA.
How Long Should You Keep Employee HIPAA Training Records?
A HIPAA-covered entity is required to provide training to the workforce on the policies and procedures with respect to protected health information, as necessary and appropriate for them to carry out their job functions, with additional training provided when there is a material change in policies and procedures. Refresher training must also be provided periodically, and employees must be made aware of sanctions for the failure to comply with policies and procedures. § 164.530(d) requires documentation to be maintained if any sanctions are applied against an individual.
There is often confusion about how long to keep employee HIPAA training records and training material. HIPAA training material should be retained for a minimum period of 6 years from the last time the training was provided to a member of the workforce. The minimum retention period for employee HIPAA training records is also 6 years, but that period is counted from the last effective date, which is the date when the employee was terminated or otherwise left employment. Since training records may need to be produced for legal reasons, the best practice is to retain employee HIPAA training records in employee files indefinitely.