HIPAA Record Retention Requirements

The HIPAA record retention requirements are sometimes confused with medical record retention requirements. This is understandable when one of the objectives of the Privacy Rule is to protect the privacy of individually identifiable health information and one of the standards of the Security Rule stipulates documentation has to be retained for a minimum of six years.

However, neither the Privacy Rule nor the Security Rule includes requirements for how long medical records should be retained – only what measures should be put in place to protect their privacy. Rather than HIPAA legislation stipulating a medical record retention period, each state has its own laws governing how long medical records should be retained.

Medical Record Retention Periods

With this in mind, it is important to realize that how long medical records should be stored varies from state to state. Covered Entities are thus bound by the laws of the state(s) in which they operate. The requirements may also vary depending on the type of covered entity and to whom the records relate.

In Florida, for example, doctors must keep a patient’s medical records for five years after the last instance of contact with that patient. Hospitals, however, must retain medical records for seven years.

In contrast, Texas physicians must keep medical records for seven years following their last contact with the patient, but hospitals must keep them for ten years. If the patient was a minor at the time the records were created, they must be retained until the patient reaches 20 years of age.

Nevada requires records to be kept for a minimum of five years for adults and, for minors, until the patient is twenty-three.

North Carolina stipulates that hospitals must retain medical records for eleven years after the patient has been discharged, or until a patient that was a minor when the records were created reaches thirty years of age.

What are the HIPAA Retention Requirements?

While there are no HIPAA requirements for retaining medical records, the legislation does lay out policies for how long other records associated with HIPAA should be retained. HIPAA states that Covered Entities and Business Associates must record any policies, procedures, actions or assessments carried out to comply with HIPAA policies.

The HIPAA subsection 45 CFR §164.316(b)(2)(i) says that such records must be kept for a minimum of six years after their creation or, if the document outlined a policy, 6 years from when the policy was last implemented. Thus, if a policy was in place four years before it was either dropped or altered, the original documentation must be kept for at least ten years from its creation date.

Listed below are documents subject to the HIPAA record retention rules. It is only a subset of the extensive list that applies to Covered Entities and Business Associates, but contains the most commonly used HIPAA-related documents across the health sector.

  • Notices of privacy practices
  • Patient authorizations
  • Risk assessments and risk analyses
  • Disaster recovery and contingency plans
  • Business associate agreements
  • Information security and privacy policies
  • Employee Sanction Policies
  • Incident and breach notification documentation
  • Complaint and resolution documentation
  • Physical security maintenance records
  • Access logs
  • IT security system reviews (including new procedures or technologies implemented)

Additional Considerations

Health insurance providers must not only comply with HIPAA retention rules, but also Financial Industry Regulatory Authority (FINRA) rules. Employers must abide by the Employee Retirement Income Security Act and the Fair Labor Standards Act. These may require the indefinite retention of records.

The Centers for Medicare and Medicaid Services (CMS) also mandates that healthcare providers must keep records of cost reports for at least ten years after the closure of the report.

Thus, while HIPAA stipulates that medical records must be kept “for as long as necessary” and sets no time limit, healthcare providers must instead look to the relevant Statute of Limitations for their state, alongside regulations required by any of the regulatory authorities listed above.

HIPAA Record Retention Requirements FAQs

If Business Associate Agreements have no fixed time limits, does this mean the documentation has to be retained indefinitely?

If Business Associate Agreements have no fixed time limits, the documentation has to be retained for six years after the business relationship comes to an end. While in theory this could mean indefinitely, it is a best practice for Covered Entities to review Business Associate Agreements annually and amend or modify them as necessary. Once a Business Associate Agreement is amended or modified, the previous Business Associate Agreement has to be retained for a minimum of six years.

Other than the examples provided above, where can I find a state-by-state guide to retention periods for medical records?

You can find a state-by-state guide to retention periods for medical records on the Office of the National Coordinator for Health Information Technology website. The currently available medical record retention laws by state (PDF) only lists the retention periods for doctors and hospitals – and was produced in 2009, so there may be updates to some retention periods for medical records.

Additionally, other time periods may apply to medical facilities, healthcare providers, or healthcare data covered by other federal or state regulations. For example, the Records Control Schedule for healthcare providers covered by the Veterans Health Administration stipulates retention periods for certain types of administrative data. It is important to note that in all cases in which two retention periods apply, the longer retention period should be adhered to.

Do record retention requirements differ between Medicare and non-Medicare providers?

Record retention requirements do differ between Medicare and non-Medicare providers inasmuch as the Centers for Medicare & Medicaid Services (CMS) stipulate that medical records should be retained for a minimum of five years (generally in line with state requirements), and that accounting records and evidence of accounting procedures should be retained for a minimum of ten years (see 42 CFR § 422.504).

When retention periods end, how must medical records be disposed of?

When retention periods end, medical records must be disposed of to prevent unauthorized access to or disclosure of PHI. Paper records should be shredded, burned, or pulped, and policies developed for “the disposition of electronic PHI and/or the hardware or electronic media on which it is stored”. CMS provides advice on the compliant disposal of ePHI in its HIPAA Security Guidance (PDF).

Is it possible for Covered Entities to use a third party to dispose of Protected Health Information?

Covered Entities can use a third party to dispose of Protected Health Information, but because the third party then has access to the PHI, they become a Business Associate and have to comply with the HIPAA rules for record disposal. It will also be necessary for the Covered Entity and third party to sign a Business Associate Agreement.

What is the difference between HIPAA data retention and HIPAA record retention?

The difference between HIPAA data retention and HIPAA record retention is an implied difference inasmuch as “data” can be implied to mean individually identifiable health information, while “record” can be implied to mean HIPAA-related documentation. The text of the Administrative Simplification provisions uses neither of these terms, so there is no official distinction between HIPAA data retention and HIPAA record retention.

What are the HIPAA log retention requirements?

The HIPAA log retention requirements are limited inasmuch as “logs” are only referenced twice in the Administrative Simplification provisions – once in the Security Rule and once in the Breach Notification Rule. With regards to these two references:

The Administrative Safeguards of the Security Rule require Covered Entities and Business Associates to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

The Notification Requirements of the Breach Notification Rule require Covered Entities to maintain a log of breaches of unsecured PHI that affect fewer than 500 individuals to notify HHS’ Office for Civil Rights of these breaches in one report at the end of the year.

Both audit logs and breach notification logs must be retained for at least six years from the date they are last used. Therefore, if a breach notification log was last used to notify HHS of data breaches on December 31, 2021, the log must be retained until at least December 31, 2027. The same applies to any other HIPAA-related document that is locally referred to as a log – for example the disciplinary record of a member of a Covered Entity’s workforce.

Why do some sources claim HIPAA data retention is 7 years?

Some sources claim HIPAA data retention is 7 years when their audience is healthcare providers operating in a state with medical data retention requirements of 7 years (e.g., California, Pennsylvania, Indiana, etc.). It is important to be aware there is a difference between medical data retention requirements (which are not covered by HIPAA) and HIPAA documentation retention requirements – for which the retention period is six years from when the document was last in force.

Is there a one-size-fits-all HIPAA data retention policy template?

There is no one-size-fits-all HIPAA data retention policy template for two reasons. The first is that the term “HIPAA data” is often used to refer to individually identifiable health information. In this case, HIPAA does not stipulate retention requirements for individually identifiable health information as these are mandated by each state (and often differ between states).

The second reason is that different types of Covered Entities and Business Associates use many different types of documents. If every type of document was included in a HIPAA data retention policy template, most Covered Entities and Business Associates would use only a fraction of the template because there would be so many documents that were irrelevant to them.

Are there any HIPAA backup retention requirements?

There are no HIPAA backup retention requirements that state how long backups should be retained. However, if HIPAA documentation is being backed up before being removed from a system, and the documentation is not being restored onto another system, the media on which documentation is backed up must be retained for six years after the documentation was last in force.

In this scenario, it is important that the media onto which HIPAA documentation is backed up is capable of maintaining the data for a minimum of six years. Some storage devices have a limit on the duration of the “charge” that can be held by the cells; and, in some cases, this can be as short as six to seven years – after which it will be impossible to recover backed up data.

How long must HIPAA related files be saved?

HIPAA related files must be saved for six years after any documentation in the files was last effective. This means that if a policy was created in 2018, and it was effective until 2021, the policy document must be retained until 2027 (rather than 2024). Note, this does not apply to individually identifiable health information maintained in HIPAA related medical files, which is subject to state-by-state data retention requirements.
