HIPAA legislation is often criticized for its vagueness and confusing terminology. One element of HIPAA that has been the cause of confusion is the way the legislation distinguishes between HIPAA medical record retention practices and HIPAA record retention practices. The latter requirements are actually relatively simple. The confusion lies in the requirement for covered entities and their business associates to apply appropriate administrative, technical, and physical safeguards to “protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal.”
HIPAA’s Privacy Rule does not include requirements for how long medical records should be retained – only that a variety of safeguards should be put in place to protect them. Rather than HIPAA legislation stipulating a medical record retention period, each state has its own laws governing how long they should be kept.
With this in mind, it is important to realize that how long medical records should be stored varies from state to state. Covered Entities are thus bound by the laws of the state(s) in which they operate. The requirements may also vary depending on the type of covered entity and to whom the records relate.
In Florida, for example, doctors must keep a patient’s medical records for five years after the last instance of contact with that patient. Hospitals, however, must retain medical records for seven years.
In contrast, Texas physicians must keep medical records for seven years following their last contact with the patient, but hospitals must keep them for ten years. If the patient was a minor at the time the records were created, they must be retained until the patient reaches 20 years of age.
Nevada requires records to be kept for a minimum of five years for adults and, for minors, until the patient is twenty-three.
North Carolina stipulates that hospitals must retain medical records for eleven years after the patient has been discharged, or until a patient that was a minor when the records were created reaches thirty years of age.
While there are no HIPAA requirements for retaining medical records, the legislation does lay out policies for how long other records associated with HIPAA should be retained. HIPAA states that CEs must record any policies, procedures, actions or assessments carried out to comply with HIPAA policies.
The HIPAA subsection 45 CFR §164.316(b)(2)(i) says that such records must be kept for a minimum of six years after their creation or, if the document outlined a policy, 6 years from when the policy was last implemented. Thus, if a policy was in place four years before it was either dropped or altered, the original documentation must be kept for at least ten years from its creation date.
Listed below are documents subject to the HIPAA record retention rules. It is only a subset of the extensive list that applies to CEs and their business associates, but contains the most commonly used documents across the health sector.
Health insurance providers must not only comply with HIPAA retention rules, but also Financial Industry Regulatory Authority (FINRA) rules. Employers must abide by the Employee Retirement Income Security Act and the Fair Labor Standards Act. These may require the indefinite retention of records.
The Centers for Medicare and Medicaid Services (CMS) also mandates that healthcare providers must keep records of cost reports for at least ten years after the closure of the report.
Thus, while HIPAA stipulates that medical records must be kept “for as long as necessary” and sets no time limit, it means that healthcare providers must instead look to the relevant Statute of Limitations for their state, alongside regulations required by any of the regulatory authorities listed above.
Ongoing Business Associate Agreements have to be retained indefinitely unless they are amended or modified due to a change of regulations (i.e. existing BAAs had to be modified after the publication of the HIPAA Final Omnibus Rule in 2013). Once a BAA is amended or modified, the previous BAA still has to be retained for a minimum of six years.
In 2009, the Office of the National Coordinator for Health Information Technology produced a state-by-state guide (PDF) for the retention of medical records. The guide only lists the retention periods for doctors and hospitals, and other time periods may apply to other medical facilities or healthcare providers subject to Veterans Health Administration regulations (PDF).
While HIPAA treats Medicare and non-Medicare providers equally, the Centers for Medicare & Medicaid Services (CMS) stipulate that medical records should be retained for a minimum of five years (generally in line with state requirements, and that accounting records and evidence of accounting procedures should be retained for a minimum of ten years (see 42 CFR § 422.504).
The same safeguards to prevent the unauthorized use and disclosure of PHI apply when medical records are disposed of. Therefore, paper records should be shredded, burned, or pulped, and policies developed for “the disposition of electronic PHI and/or the hardware or electronic media on which it is stored”. CMS provides advice on the compliant disposal of ePHI in its HIPAA Security Guidance (PDF).
Covered Entities can use a third party to dispose of protected Health Information, but because the third party then has access to the PHI, they become a Business Associate and have to comply with the HIPAA rules for record disposal. It will also be necessary for the Covered Entity and third party to sign a Business Associate Agreement.