HIPAA Record Retention Requirements

If Business Associate Agreements have no fixed time limits, the documentation has to be retained for six years after the business relationship comes to an end. While in theory this could mean indefinitely, it is a best practice for Covered Entities to review Business Associate Agreements annually and amend or modified as necessary.  Once a Business Associate Agreement is amended or modified, the previous Business Associate Agreement has to be retained for a minimum of six years.

You can find a state-by-state guide to retention periods for medical records on the Office of the National Coordinator for Health Information Technology website. The currently available medical record retention laws by state (PDF) only lists the retention periods for doctors and hospitals - and was produced in 2009, so there may be updates to some retention periods for medical records.

Additionally, other time periods may apply to medical facilities, healthcare providers, or healthcare data covered by other federal or state regulations. For example, the Records Control Schedule for healthcare providers covered by the Veterans Health Administration stipulates retention periods for certain types of administrative data. It is important to note that in all cases in which two retention periods apply, the longer retention period should be adhered to.

Record retention requirements do differ between Medicare and non-Medicare providers inasmuch as the Centers for Medicare & Medicaid Services (CMS) stipulate that medical records should be retained for a minimum of five years (generally in line with state requirements, and that accounting records and evidence of accounting procedures should be retained for a minimum of ten years (see 42 CFR § 422.504).

When retention periods end, medical records must be disposed of to prevent unauthorized access to or disclosure of PHI. Paper records should be shredded, burned, or pulped, and policies developed for “the disposition of electronic PHI and/or the hardware or electronic media on which it is stored”. CMS provides advice on the compliant disposal of ePHI in its HIPAA Security Guidance (PDF).

Covered Entities can use a third party to dispose of Protected Health Information, but because the third party then has access to the PHI, they become a Business Associate and have to comply with the HIPAA rules for record disposal. It will also be necessary for the Covered Entity and third party to sign a Business Associate Agreement.

The difference between HIPAA data retention and HIPAA record retention is an implied difference inasmuch as “data” can be implied to mean individually identifiable health information, while “record” can be implied to mean HIPAA-related documentation. The text of the Administrative Simplification provisions uses neither of these terms, so there is no official distinction between HIPAA data retention and HIPAA record retention.

The HIPAA log retention requirements are limited inasmuch “logs” are only referenced twice in the Administrative Simplification provisions – once in the Security Rule and once in the Breach Notification Rule. With regards to these two references:

The Administrative Safeguards of the Security Rule require Covered Entities and Business Associates to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

The Notification Requirements of the Breach Notification Rule require Covered Entities to maintain a log of breaches of unsecured PHI that affect fewer than 500 individuals to notify HHS’ Office for Civil Rights of these breaches in one report at the end of the year.

Both audit logs and breach notification logs must be retained for at least six years from the date they are last used. Therefore, if a breach notification log was last used to notify HHS of data breaches on December 31, 2021, the log must be retained until at least December 31. 2027. The same applies to any other HIPAA-related document that is locally referred to as a log – for example the disciplinary record of a member of a Covered Entity’s workforce.

Some sources claim HIPAA data retention is 7 years when their audience is healthcare providers operating in a state with medical data retention requirements of 7 years (i.e., California, Pennsylvania, Indiana, etc.). It is important to be aware there is a difference between medical data retention requirements (which are not covered by HIPAA) and HIPAA documentation retention requirements – for which the retention period is six years from when the document was last in force.

There is no one-size-fits-all HIPAA data retention policy template for two reasons. The first is that the term “HIPAA data” is often used to refer to individually identifiable health information. In this case, HIPAA does not stipulate retention requirements for individually identifiable health information as these are mandated by each state (and often differ between states).

The second reason is that different types of Covered Entities and Business Associates use many different types of documents. If every type of document was included in a HIPAA data retention policy template, most Covered Entities and Business Associates would use only a fraction of the template because there would be so many documents that were irrelevant to them.

There are no HIPAA backup retention requirements that state how long backups should be retained. However, if HIPAA documentation is being backed up before being removed from a system, and the documentation is not being restored onto another system, the media on which documentation is backed up must be retained for six years after the documentation was last in force.

In this scenario, it is important the media onto which HIPAA documentation is capable of maintaining the data for a minimum of six years. Some storage devices have a limit on the duration of the “charge” that can be held by the cells; and, in some cases, this can be as short as six to seven years – after which it will be impossible to recover backed up data.

HIPAA related files must be saved for six years after any documentation in the files was last effective. This means that if a policy was created in 2018, and it was effective until 2021, the policy document must be retained until 2027 (rather than 2024). Note, this does not apply to individually identifiable health information maintained in HIPAA related medical files, which is subject to state-by-state data retention requirements.