HIPAA record retention requirements is understood to relate to two separate but similar retention requirements: those for HIPAA medical record retention and those for HIPAA record retention. This similarity has led to some uncertainty. Below we will try to explain which records are required to be kept for HIPAA compliance and what records covered entities may want to keep for other reasons.
HIPAA retention requirements are not overly complicated. Uncertainty arises in relation to the standard of the Privacy Rule relating to individual´s rights to request an accounting of disclosures. The standards requires covered and entities and business associates to provide an account of certain uses and disclosures of PHI for the previous six years, but HIPAA does not define a retention period for PHI.
HIPAA Does Not Define a Retention Period for HIPAA Medical Records
The Privacy Rule does not say how long medical records are to be kept quite simply because HIPAA does not include a medical record retention period. This is because state laws take precedence over HIPAA in this instance. Records must be retained according to individual state laws and not a standard federally mandated period. Different states have different requirements for different types of information. We provide examples below:
In Florida, physicians must keep medical records for five years after the last patient contact, but hospitals must keep them for seven.
In Nevada, healthcare providers are obligated to keep medical records for at least five years, or – for minors – until the patient is twenty-three years old.
In North Carolina, hospitals must keep patients’ records for eleven years from the date of discharge, and records relating to minors must be retained until the patient is thirty.
What are the HIPAA Retention Requirements?
HIPAA does not have retention requirements for medical records but does have requirements for other documents related to HIPAA. This is outlined in CFR §164.316(b)(1), which states covered entities must “maintain the policies and procedures implemented to comply [with HIPAA]” and records of any “action, activity or assessment”.
Under CFR §164.316(b)(2)(i), information must be retained “for 6 years from the date of its creation or [for policies] the date when it last was in effect, whichever is later”. This means that for a policy created in 2010, which was revised in 2013, a copy of the original 2010 policy would need to be kept until 2019, six years after the revision or replacement date.
Many documents need to be retained under HIPAA. While it varies depending on the activity of the covered entity or business associate, the most common to retain are:
- Notices of Privacy Practices.
- Authorizations for the Disclosure of PHI.
- Risk Assessments and Risk Analyses.
- Disaster Recovery and Contingency Plans.
- Business Associate Agreements.
- Information Security and Privacy Policies.
- Employee Sanction Policies.
- Incident and Breach Notification Documentation.
- Complaint and Resolution Documentation.
- Physical Security Maintenance Records.
- Logs Recording Access to and Updating of PHI.
- IT Security System Reviews (including new procedures or technologies implemented).
Other Aspects to Consider With HIPAA Record Retention
As we noted above, HIPAA retention requirements are not overly complicated. Depending on your business, you may be subject to other retention requirements. Insurance companies may need to explore their obligations under FINRA and employers should be aware of record retention requirements under the Employee Retirement Income Security and Fair Labor Standards Acts. Sometimes, records need to be retained indefinitely.
Cost reports sent by healthcare providers to the Centers for Medicare & Medicaid Services (CMS) must be retained for at least five years after the closure of the report. Medicare managed care program providers must retain these records for ten years. Even though there will be some overlap between these and HIPAA record retention requirements, they must be stored separately for retrieval reasons.
Covered entities and business associates are advised to retain information related to personal injury or breach of contract claims for as long as the Statute of Limitations remains in force for that affair in the relevant state. This is often longer than HIPAA record retention periods.