The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance


HIPAA Retention Requirements

The HIPAA retention requirements are that certain types of documents must be maintained for six years from the date of their creation or from the date on which they were last in effect, whichever is later. The reason why it is necessary to clarify which documents should be retained is to prevent confusion between the HIPAA retention requirements and state medical record retention requirements.

This article aims to clarify what records should be retained under HIPAA compliance rules, and what other data retention requirements Covered Entities and Business Associates may have to consider.

Throughout the Administrative Simplification Regulations of HIPAA there are several references to data retention. These fall into two categories: retention of medical records, and retention of the documentation an organization keeps to demonstrate HIPAA compliance. The distinction matters because HIPAA imposes no retention period on medical records, but it does impose one on the other documentation.



One of the reasons the lack of HIPAA medical records retention requirements can be confusing is that, under the Privacy Rule, individuals can request access to and amendment of Protected Health Information “for as long as Protected Health Information is maintained in a designated record set”. However, Covered Entities and Business Associates are required to provide an accounting of disclosures of Protected Health Information for the six years prior to a request.

Why There is No HIPAA Medical Records Retention Period

The reason the Privacy Rule does not stipulate how long medical records should be retained is that there is no mandated HIPAA medical records retention period. Each state has its own laws governing the retention of medical records, and – unlike in other areas of the Health Insurance Portability and Accountability Act – HIPAA does not pre-empt state medical record retention laws.

Consequently, each Covered Entity and Business Associate is bound by state law with regard to how long medical records have to be retained rather than any specific HIPAA medical records retention period. States’ retention periods can vary considerably depending on the nature of the records and to whom they belong. For example:

  • In Arkansas, adults' hospital medical records must be retained for ten years after discharge, but master patient index data must be retained permanently.
  • In Florida, physicians must maintain medical records for five years after the last patient contact, whereas hospitals must maintain them for seven years.
  • In Georgia, doctors have to retain any evaluation, diagnosis, prognosis, laboratory report, or biopsy slide in a patient’s record for ten years from the date it was created.
  • In Nevada, healthcare providers are required to maintain medical records for a minimum of five years, or – in the case of a minor – until the patient has reached twenty-three years of age.
  • In North Carolina, hospitals must maintain patients’ records for eleven years from the date of discharge, and records relating to minors must be retained until the patient has reached thirty years of age.

What HIPAA Retention Requirements Exist for Other Documentation?

Although there are no HIPAA retention requirements for medical records, there are requirements for how long other HIPAA-related documents should be retained. These requirements are covered in 45 CFR 164.316 and 45 CFR 164.530 – both of which state Covered Entities and Business Associates must document policies and procedures implemented to comply [with HIPAA] and records of any action, activity, or assessment with regards to the policies and procedures, or sufficient to meet the burden of proof under the Breach Notification Rule.

Both standards also stipulate documents must be retained for a minimum of six years from when the document was created, or – in the event of a policy – from when it was last in effect. For example, if a policy is implemented for three years before being revised, a record of the original policy must be retained for a minimum of nine years after its creation. These HIPAA data retention requirements preempt state laws if they require shorter periods of document retention.

Which documents are subject to the HIPAA retention requirements depends on the nature of the business conducted by the Covered Entity or Business Associate. The following list covers the most common types of document subject to the HIPAA document retention requirements, but not every item applies to every organization; healthcare clearinghouses, for example, do not issue Notices of Privacy Practices and so are not required to retain copies of them:

  • Notices of Privacy Practices.
  • Authorizations for Disclosures of PHI.
  • Risk Assessments and Risk Analyses.
  • Disaster Recovery and Contingency Plans.
  • Business Associate Agreements.
  • Information Security and Privacy Policies.
  • Employee Sanction Policies.
  • Incident and Breach Notification Documentation.
  • Complaint and Resolution Documentation.
  • Physical Security Maintenance Records.
  • Logs Recording Access to and Updating of PHI.
  • IT Security System Reviews (including new procedures or technologies implemented).

What Else to Consider in Addition to HIPAA Record Retention

As mentioned above, the HIPAA retention requirements can be confusing, and they become more so once other regulatory requirements are taken into account. In addition to HIPAA records retention, health insurance companies may be subject to the complexities of FINRA, while employers that are Covered Entities may have to comply with the record retention requirements of the Employee Retirement Income Security Act and the Fair Labor Standards Act. In some cases, this can mean retaining records indefinitely.

The Centers for Medicare & Medicaid Services (CMS) requires records of healthcare providers submitting cost reports to be retained for a period of at least five years after the closure of the cost report, and that Medicare managed care program providers retain their records for ten years. Providers and suppliers need to maintain medical records for each Medicare beneficiary that is their patient. Although much of the documentation supporting CMS cost reports will be the same as those required for HIPAA record retention purposes, the two sets of records must be kept separate for retrieval purposes.

For all Covered Entities and Business Associates, it is recommended any documentation that may be required in a personal injury or breach of contract dispute is retained for as long as necessary. “As long as necessary” will depend on the relevant Statute of Limitations in force in the state in which the entity operates. In many cases, Statutes of Limitation are longer than any HIPAA record retention periods.

HIPAA Record Retention and Destruction/Disposal

When the required retention periods for medical records and HIPAA documentation have been reached, HIPAA requires all forms of PHI to be destroyed or disposed of securely to prevent impermissible disclosures of PHI. The Privacy and Security Rules do not require a particular disposal method; HHS recommends that Covered Entities and Business Associates review their circumstances to determine what steps are reasonable to safeguard PHI through destruction and disposal.

HHS also suggests some secure methods for destroying or disposing of PHI once the HIPAA data retention requirements have expired. For paper records, the agency suggests shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed. For other physical PHI, such as labeled prescription bottles, HHS suggests using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.

With regards to electronic PHI, HIPAA requires that Business Associates return or destroy all PHI, if feasible, at the termination of a Business Associate Agreement. To meet this standard, HHS suggests clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding). The same methods can be used by a Covered Entity when PHI or documentation is no longer subject to the HIPAA retention requirements. Note that degaussing only works on magnetic media; it has no effect on solid-state drives or USB flash storage, which must instead be cryptographically or block-erased using the drive's own sanitize commands, or physically destroyed.

HIPAA Retention Requirements – FAQS

How long does a covered entity have to retain a patient authorization for the disclosure of PHI?

A Covered Entity has to retain patient authorization for the disclosure of PHI for six years. However, if the document is part of the patient´s medical record, it is subject to the state´s medical record retention requirements – which could be longer. Furthermore, if the covered entity operates in a state in which the Statute of Limitations for private rights of action exceeds six years, it will be necessary to retain the document until the Statute of Limitations has expired.

Why are IT security system reviews considered HIPAA-related documents?

IT security system reviews are considered HIPAA-related documents because, under the technical safeguards of the HIPAA Security Rule, covered entities and business associates are required to implement measures such as access controls, audit controls, integrity controls, person or entity authentication, and automatic log-off on the systems used to create, receive, maintain, or transmit ePHI. These measures would ordinarily be covered by an IT security system review, and the review records must be retained for a minimum of six years.

How should covered entities and business associates dispose of HIPAA-related documentation?

Covered entities and business associates should dispose of HIPAA-related documentation in the same way as HHS recommends disposing of PHI. For paper records, this means “shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed”. For ePHI and documentation maintained on electronic media, HHS recommends clearing or purging the data, or destroying the media by pulverization, melting, or incinerating.

Can covered entities and business associates be fined for the improper disposal of HIPAA-related documentation?

Although there have been no cases of a covered entity or business associate being fined for the improper disposal of HIPAA-related documentation, HHS has issued multiple penalties for the improper disposal of PHI. Because a document can contain both HIPAA-related documentation and PHI (for example, a patient authorization), it is in an organization's best interests to train staff on the correct manner of disposing of all documentation relating to healthcare activities.

What are the Administrative Simplification Regulations of HIPAA?

The Administrative Simplification Regulations of HIPAA contain the Rules and standards developed by the Department of Health & Human Services (HHS) to comply with Title II of HIPAA and Subtitle D of the HITECH Act. The Administrative Simplification Regulations not only include the Privacy, Security, and Breach Notification Rules, but also the General Administrative Requirements, the standards for covered transactions, and the Enforcement Rule – which describes how HHS conducts compliance investigations.

When does HIPAA pre-empt state data retention laws?

HIPAA pre-empts state data retention laws when a state law requires the retention of policy documents for (say) five years, but some of those documents are subject to the HIPAA data retention requirements (e.g., complaint and resolution documentation). In such cases, the documents subject to the HIPAA data retention requirements must be retained for a minimum of six years rather than five.

If HIPAA states PHI has to be retained for six years, but a state law requires medical records to be retained for ten years, which law takes precedence?

If HIPAA states documentation has to be retained for six years, but a state law requires medical records to be retained for ten years, neither law takes precedence over the other, because the two laws relate to different types of information.

The HIPAA data retention requirements only apply to documentation such as policies, procedures, assessments, and reviews. Covered Entities should comply with the relevant state law for medical record retention.
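The retention rule from the "What HIPAA Retention Requirements Exist for Other Documentation?" section (six years from creation or from when a policy was last in effect, whichever is later, pre-empting only shorter state periods) and the distinction drawn in this FAQ answer (medical records follow state law alone) can be turned into a small calculator. The following is an added example written for this page, not code from HIPAA Journal or HHS; the `Record` fields, the sample dates, and the state periods used in the calls are assumptions for illustration.

```python
"""Retention-date calculator for the two categories the article distinguishes.

Added example. The six-year period is the one in 45 CFR 164.316(b)(2)(i) and
164.530(j)(2); every state period passed in below is an assumed sample value.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional

HIPAA_DOCUMENTATION_YEARS = 6


def add_years(d: date, years: int) -> date:
    """Add calendar years; a 29 February anchor rolls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


class Kind(Enum):
    HIPAA_DOCUMENTATION = "hipaa_documentation"  # policies, risk analyses, BAAs, logs
    MEDICAL_RECORD = "medical_record"            # PHI in a designated record set


@dataclass(frozen=True)
class Record:
    kind: Kind
    created: date
    # Documentation: date the policy/procedure was last in effect.
    # Medical record: the event the state period counts from (discharge,
    # last patient contact, ...). None means "same as created".
    last_in_effect: Optional[date] = None
    # Minimum retention the applicable state law imposes, in years
    # (None = no state rule applies to this record). Assumed per-record input.
    state_min_years: Optional[int] = None


def retain_until(rec: Record) -> date:
    """Earliest date on which the record may be scheduled for destruction."""
    anchor = max(rec.created, rec.last_in_effect or rec.created)
    if rec.kind is Kind.HIPAA_DOCUMENTATION:
        # Six years from creation or from when last in effect, whichever is later.
        hipaa_until = add_years(anchor, HIPAA_DOCUMENTATION_YEARS)
        if rec.state_min_years is None:
            return hipaa_until
        # HIPAA pre-empts a shorter state period; a longer state period still applies.
        return max(hipaa_until, add_years(anchor, rec.state_min_years))
    # Medical records: HIPAA sets no period, so a state rule is mandatory input.
    if rec.state_min_years is None:
        raise ValueError("no HIPAA medical-record retention period; supply the state period")
    return add_years(anchor, rec.state_min_years)


def may_dispose(rec: Record, today: date) -> bool:
    """True once the retention period has run. Disposal itself must still follow
    the HHS clear/purge/destroy guidance discussed later in the article."""
    return today >= retain_until(rec)


def retain_until_iso(kind: str, created: str, last_in_effect: Optional[str] = None,
                     state_min_years: Optional[int] = None) -> str:
    """String-based convenience wrapper around retain_until()."""
    rec = Record(Kind(kind), date.fromisoformat(created),
                 date.fromisoformat(last_in_effect) if last_in_effect else None,
                 state_min_years)
    return retain_until(rec).isoformat()


if __name__ == "__main__":
    # Constructed sample inventory: the article's 2010-2020 policy, a three-year
    # policy, a complaint file under an assumed five-year state rule, and a
    # hospital record under an assumed seven-years-from-discharge state rule.
    samples = [
        ("policy 2010-2020", "hipaa_documentation", "2010-01-01", "2020-01-01", None),
        ("policy revised after 3y", "hipaa_documentation", "2015-03-01", "2018-03-01", None),
        ("complaint file, state 5y", "hipaa_documentation", "2020-01-01", None, 5),
        ("hospital record, state 7y", "medical_record", "2012-06-15", "2019-06-15", 7),
    ]
    for label, kind, created, last, state in samples:
        print(f"{label:28s} retain until {retain_until_iso(kind, created, last, state)}")
```

The wrapper takes the state period as an input rather than embedding a state table, because those periods vary by record type and patient age (see the state examples earlier in the article) and must come from counsel, not from code.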

However, when the medical record retention period has expired, and medical records are destroyed, HIPAA stipulates how they should be destroyed to prevent impermissible disclosures of PHI. The same processes should also be used for the destruction of HIPAA documentation.

What is the burden of proof under the Breach Notification Rule?

The burden of proof under the Breach Notification Rule relates to impermissible uses or disclosures of unsecured PHI that may qualify as a data breach. If a Covered Entity or Business Associate decides not to notify affected individuals and HHS' Office for Civil Rights, it bears the burden of demonstrating that the impermissible use or disclosure of unsecured PHI did not constitute a breach.

If such an event does constitute a notifiable data breach, Covered Entities and Business Associates also have the burden of proof to demonstrate that all required notifications have been made (i.e., to the individual, to HHS' Office for Civil Rights, and – when necessary – to the media).

How long is it necessary to retain authorizations for disclosures of PHI?

Authorizations for disclosures of PHI not permitted by the Privacy Rule should include an expiration date or an expiration event that relates to the individual or the purpose of the disclosure (i.e., “end of research study”). The six-year HIPAA retention period finishes six years after the expiration date or event rather than six years after the authorization is signed.

What is the difference between HIPAA record retention and HIPAA data retention?

The difference between HIPAA record retention and HIPAA data retention is that the term HIPAA record retention is most commonly associated with HIPAA documentation (risk assessments, policies, security reviews, patient access requests, etc.), while the term HIPAA data retention most often relates to PHI – for which there are no HIPAA retention requirements. The retention requirements for PHI are individually mandated by each state.

Are there any HIPAA medical record retention requirements?

There are no HIPAA medical record retention requirements because each state sets its own retention requirements for medical records. However, when medical records reach the end of the state retention period, they have to be disposed of or destroyed in compliance with HIPAA.

For medical records stored on paper, this means “shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed”. For medical records stored electronically, HHS recommends clearing or purging the data, or destroying media by pulverization, melting, or incinerating.

Why do some articles assert HIPAA data retention is 7 years, rather than 6 years?

Some articles assert HIPAA data retention is 7 years, rather than 6 years, when they confuse the HIPAA retention requirements with the medical record requirements mandated by a particular state. For example, California, Indiana, and Pennsylvania are among a number of states that require doctors and/or hospitals to retain medical records for a minimum of 7 years.

The HIPAA retention requirements are always 6 years after a HIPAA-related document is last in force. This means that if a policy is created to comply with HIPAA in 2010, and is in force until 2020 (when it is replaced with a new policy), the original policy document has to be retained for 16 years – the ten years it was in force and the six years following.

What are the CMS record retention requirements of 10 years?

The CMS record retention requirements of 10 years apply to Medicare managed care program providers – such as providers of Medicare Advantage plans. Program providers, rather than healthcare organizations that provide services for program participants, have to maintain patient records for a minimum of ten years unless longer state retention requirements exist.

What are the PHI retention requirements under HIPAA?

There are no PHI retention requirements under HIPAA because PHI is maintained in “designated record sets” of payment and medical records, and each state sets its own medical record retention period. However, when the state-mandated medical record retention period comes to an end, PHI must be destroyed or disposed of in compliance with HIPAA.

What are the HIPAA log retention requirements?

The HIPAA log retention requirements are that if a log, note, or record relates to a HIPAA policy or procedure, the log, note, or record must be retained for six years from the date the content was last used or was last effective.

For example, the Security Rule requires Covered Entities and Business Associates to regularly review records of information system activity. A review of this nature involves analyzing access reports and audit logs. As those access reports and audit logs underpin any new procedures implemented as a result of the review, they must be retained for at least six years from the date of the next review, when they are superseded by more up-to-date access reports and audit logs.

Where can I find a HIPAA data retention policy template?

There is no such thing as a HIPAA data retention policy template because there is no such thing as “HIPAA data”. The term is often mistakenly used to refer to PHI because the Privacy Rule protects PHI. However, each state applies its own data retention requirements for medical records, so medical data retention policies should comply with state laws rather than HIPAA.

What are the HIPAA backup retention requirements?

There are no HIPAA backup retention requirements inasmuch as HIPAA does not dictate how long backups should be retained. However, if data is backed up before being permanently removed from a system (for example, to free up storage space), and the data contains HIPAA-related documentation, the backup will have to be retained for six years after the HIPAA-related documentation was last used or was last effective.

In this scenario, it is important that the backup media is protected by the physical safeguards of the Security Rule to prevent unauthorized access. It is also important to note that some backup media have limits on how long they are able to retain data. For example, data maintained on USB drives can deteriorate within five years – making them unsuitable for saving HIPAA documentation as it will not be possible to recover the documentation when required.


Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
