HIPAA’s Records Retention Requirements

Many covered entities do not fully understand HIPAA's requirements for the retention of medical records and other records. The retention requirements HIPAA actually imposes are fairly basic, and this article aims to clarify them.

The first thing entities need to understand is that there is no HIPAA medical records retention period. The Privacy Rule does not require a specific length of time to retain medical records. Instead, each state can stipulate a medical records retention period in its own laws, so the responsibility for knowing the applicable state law rests on every Covered Entity and Business Associate. As a general rule, the length of the retention period depends on the type of record and on whom the record belongs to (a minor, for example). Below are some of the medical records retention policies imposed in certain states.

  • Florida – Medical records are retained for five years by doctors. Hospitals need to retain medical records for seven years.
  • Nevada – Medical records are retained for at least five years by healthcare providers. If a minor owns the medical records, retention of the records is required until the patient is 23 years old.
  • North Carolina – Medical records are retained by hospitals for 11 years from the day the patient was discharged. The medical records of minors are kept until the patient is 30 years old.

HIPAA does not impose any medical records retention requirement, but there is a required retention period for other HIPAA-related documents. As per CFR §164.316(b)(1), covered entities need to retain copies of the policies and procedures they implement to comply with HIPAA. Records or logs of any action, activity or assessment required by the rule must be retained as well.

According to CFR §164.316(b)(2)(i), these documents must be retained for no less than six years from the date the document was created. For policies, the six-year period starts from the date the policy was last in effect. Hence, for a policy that is in effect for 3 years before being revised, a copy of the original policy must be retained for at least 9 years from its creation.

The following documents are subject to the HIPAA records retention requirements. Depending on the nature of its business, a covered entity or business associate may or may not need to retain copies of each of these documents.

  • Authorizations for PHI disclosure
  • Business Associate Agreements
  • Complaint and resolution documentation
  • Disaster recovery and contingency plans
  • Employee sanction policies
  • Incident and breach notification documentation
  • IT security system reviews (including new procedures or technologies implemented)
  • Information security and privacy policies
  • Logs recording access to and updating of PHI
  • Notices of privacy practices
  • Physical security maintenance records
  • Risk assessments and risk analyses

Besides the HIPAA requirements above, other record retention requirements apply:

  • Insurance companies should know the FINRA requirements.
  • Medicare managed care program providers need to retain records for 10 years.
  • Healthcare providers must know the retention requirements of the Centers for Medicare & Medicaid Services (CMS). Cost reports must be retained for at least 5 years after their closure.
  • Employers should understand the record retention requirements of the Employee Retirement Income Security Act and the Fair Labor Standards Act.
  • Covered entities and business associates may need documentation in the event of personal injury or breach of contract disputes. Because of this, documentation must be retained for as long as necessary, which depends on the relevant statute of limitations in force in the state in which the entity operates.