What are Medical Record and Other Record Retention Requirements Under HIPAA?

Modified on Mon, 11 Dec, 2023 at 11:41 AM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Various laws and regulations require covered entities and business associates to store documents, including medical records, for specific time frames. This article covers HIPAA record retention requirements.

What are HIPAA Medical Record Retention Requirements?
One of the most stubbornly persistent HIPAA myths is that HIPAA requires providers (or business associates who store medical records for those providers) to store patient medical records for a specific length of time (e.g., six years, ten years). There is no such requirement. HIPAA has no medical record retention requirement. Other laws and regulations (e.g., state law, Medicare, Medicaid) may impose medical record retention requirements (e.g., "Patient medical records must be stored for seven years"), but HIPAA itself does not.

What Records DOES HIPAA Require Covered Entities to Retain?
The HIPAA Privacy Rule requires that a covered entity document the policies and procedures it implements to comply with HIPAA. The Privacy Rule also requires that these policies and procedures be maintained for a minimum of six years from when these policies and procedures were created, or from when they were last in effect, whichever is later. 

The HIPAA Privacy Rule imposes record retention requirements with respect to documents other than policies and procedures. If, under the Privacy Rule, a communication is required to be in writing, a covered entity must maintain the writing (or an electronic copy of it) as documentation. If an action, activity, or designation is required under the Privacy Rule to be documented, covered entities must maintain a written or electronic record of that action, activity, or designation.

What are Examples of Communications, Actions, Activities, and Designations That Must be in Writing?
Examples of communications, actions, activities, and designations that must be in writing include:

1. Disaster Recovery and Contingency Plans.
2. Risk Assessments and Risk Analyses.
3. Authorizations for Disclosures of PHI.
4. Notices of Privacy Practices.
5. Information contained in designated record sets. A designated record set is a group of records maintained by or for a covered entity that comprises either the medical records and billing records about individuals maintained by or for a covered healthcare provider, OR other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals, whether or not the records have been used to make a decision about the individual requesting access. The term "record" in "designated record set" means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.
6. Business Associate Agreements.
7. Information Security and Privacy Policies.
8. Employee Sanction Policies.
9. Incident and Breach Notification Documentation.
10. Complaint and Resolution Documentation.
11. Physical Security Maintenance Records.
12. Logs Recording Access to and Updating of PHI.
13. Security System Reviews (including new procedures or technologies implemented).

What are the HIPAA Security Rule Record Retention Requirements?
The HIPAA Security Rule provides: If an action, activity, or assessment is required by the HIPAA Security Rule to be documented, covered entities and business associates must maintain a written (which may be electronic) record of the action, activity, or assessment. Covered entities and business associates are required to maintain the written record/documentation for 6 years from the date of its creation or the date when it last was in effect, whichever is later.

Here are examples of actions, activities, and assessments that must be documented:

Risk Assessments and Risk Analyses.
Disaster Recovery and Contingency Plans.
Business Associate Agreements.
Information Security and Privacy Policies.
Employee Sanction Policies and Related Documentation.
Incident and Breach Notification Documentation.
Complaint and Resolution Documentation.
Physical Security Maintenance Records.
Logs Recording Access to and Updating of PHI.
IT Security System Reviews (including new procedures or technologies implemented).

If a business associate has email messages that pertain to any of these subjects, documentation and storage of that email message may be required.

For example, say a business associate has an email that states: "Dear employee: Attached is our company's HIPAA Employee Sanctions Policy. Please read it and sign." The business associate would want to maintain that email (which is evidence of compliance) for six years. Another example: A business associate sends an individual breach notification letter by email to someone affected by a breach. The letter must be stored/maintained for six years.