HIPAA Record Retention Requirements

HIPAA legislation is often criticized for its vagueness and confusing terminology. One element of HIPAA that has been a cause of confusion is the way the legislation distinguishes between HIPAA medical record retention practices and HIPAA record retention practices. The latter requirements are actually relatively simple. The confusion lies in the requirement for covered entities and their business associates to “protect the privacy of Protected Health Information for whatever period such information is maintained”.

HIPAA’s Privacy Rule does not include requirements for how long medical records should be maintained – only that a variety of safeguards should be put in place to protect them. Rather than HIPAA legislation stipulating a medical record retention period, each state has its own laws governing how long they should be kept.

Medical Record Retention Periods

With this in mind, it is important to realize that how long medical records should be stored varies from state to state. Covered Entities are thus bound by the laws of the state(s) in which they operate. The requirements may also vary depending on the type of covered entity and to whom the records relate.

In Florida, for example, doctors must keep a patient’s medical records for five years after the last instance of contact with that patient. Hospitals, however, must retain medical records for seven years.

In contrast, Texas physicians must keep medical records for seven years following their last contact with the patient, but hospitals must keep them for ten years. If the patient was a minor at the time the records were created, they must be retained until the patient reaches 20 years of age.

Nevada requires records to be kept for a minimum of five years for adults and, for minors, until the patient is twenty-three.

North Carolina stipulates that hospitals must retain medical records for eleven years after the patient has been discharged, or until a patient that was a minor when the records were created reaches thirty years of age.

What are the HIPAA Retention Requirements?

While there are no HIPAA requirements for retaining medical records, the legislation does lay out policies for how long other records associated with HIPAA should be retained. HIPAA states that CEs must record any policies, procedures, actions or assessments carried out to comply with HIPAA policies.

The HIPAA subsection CFR §164.316(b)(2)(i) says that such records must be kept for a minimum of six years after their creation – or, if the document outlined a policy, six years from when the policy was last in effect. Thus, if a policy was in place for four years before it was either dropped or altered, the original documentation must be kept for at least ten years from its creation date.

Listed below are documents subject to the HIPAA record retention rules. It is only a subset of the extensive list that applies to CEs and their associates, but it contains the documents most commonly used across the health sector.

  • Notices of Privacy Practices
  • Patient Authorizations
  • Risk Assessments and Risk Analyses
  • Disaster Recovery and Contingency Plans
  • Business Associate Agreements
  • Information Security and Privacy Policies
  • Employee Sanction Policies
  • Incident and Breach Notification Documentation
  • Complaint and Resolution Documentation
  • Physical Security Maintenance Records
  • Access Logs
  • IT Security System Reviews (including new procedures or technologies implemented)

Additional Considerations

Health insurance providers must not only comply with HIPAA retention rules, but also with the Financial Industry Regulatory Authority’s rules. Employers must abide by the Employee Retirement Income Security Act and the Fair Labor Standards Act. These may require the indefinite retention of records.

The Centers for Medicare and Medicaid Services (CMS) also mandates that healthcare providers must keep records of cost reports for at least five years after the closure of the report.

Thus, because HIPAA stipulates only that medical records must be kept “for as long as necessary” and sets no time limit, healthcare providers must instead look to the relevant Statute of Limitations for their state, alongside the regulations required by any of the regulatory authorities listed above.