HIPAA Record Retention Requirements

HIPAA legislation is often criticised for its vagueness and confusing terminology. In particular, the distinction between medical record retention (how long patient records are kept) and HIPAA record retention (how long compliance documentation is kept) can lead to some uncertainty. However, the latter requirements are relatively simple. The confusion lies in the requirement for covered entities and their business associates to “protect the privacy of Protected Health Information for whatever period such information is maintained”.

However, HIPAA’s Privacy Rule does not offer any guidelines on how long that medical information should be maintained – only that a variety of safeguards should be in place to protect it for as long as it is held. Rather than HIPAA legislation stipulating a medical records retention period, each state has its own laws governing how long medical records must be kept, and HIPAA does not take precedence over those state laws.

Medical Records Retention Periods

With this in mind, it is important to realise that how long medical records should be stored varies from state to state. Covered Entities and their associates are thus bound by the laws of the state in which they practice. The requirements may also vary depending on the nature of the patient and the medical records being held.

In Florida, for example, doctors must keep a patient’s medical records for five years after the last instance of contact with that patient. Hospitals, however, must do so for seven years.

By contrast, in Texas physicians must keep medical records for seven years following their last contact with the patient, but hospitals must keep them for ten years. If the patient was a minor, the records must be retained until the patient is twenty.

Nevada requires records to be kept for a minimum of five years for adults, and for minors until the patient is twenty-three.

And finally, North Carolina stipulates that hospitals must retain medical records for eleven years after the patient’s discharge, or until a patient that was a minor when treated turns thirty.

What are HIPAA retention requirements?

That said, though there are no HIPAA requirements for retaining medical records, the legislation does lay out how long other records associated with HIPAA compliance should be retained. HIPAA states that covered entities (CEs) must document any policies, procedures, actions or assessments carried out to comply with HIPAA.

The HIPAA subsection 45 CFR §164.316(b)(2)(i) says that such records must be kept for a minimum of six years from the date of their creation – or, if the document describes a policy or procedure, from the date that policy was last in effect, whichever is later. Thus, if a policy was in place for four years before it was either dropped or altered, the original documentation must be kept for at least ten years from its creation (four years in effect plus six years after).

The following is a list of documents subject to the HIPAA record retention rules. It is only a subset of the extensive list that applies to CEs and their associates, but contains the most common documents used across the health sector.

  • Notices of Privacy Practices.
  • Authorizations for the Disclosure of PHI.
  • Risk Assessments and Risk Analyses.
  • Disaster Recovery and Contingency Plans.
  • Business Associate Agreements.
  • Information Security and Privacy Policies.
  • Employee Sanction Policies.
  • Incident and Breach Notification Documentation.
  • Complaint and Resolution Documentation.
  • Physical Security Maintenance Records.
  • Logs Recording Access to and Updating of PHI.
  • IT Security System Reviews (including new procedures or technologies implemented).

Additional Considerations

Health insurance providers must comply not only with HIPAA retention rules, but also with the Financial Industry Regulatory Authority’s rules. Employers, for their part, must abide by the Employee Retirement Income Security Act and the Fair Labor Standards Act. These may require the indefinite retention of certain records.

The Centers for Medicare and Medicaid Services (CMS) also mandates that healthcare providers keep cost report records for at least five years after the report is closed.

Thus, when HIPAA stipulates that medical records must be kept “for as long as necessary”, healthcare providers must instead look to the relevant statute of limitations for their state, alongside the requirements of any of the additional bodies listed above that apply to them.