HIPAA Data Retention Requirements



HIPAA data retention requirements are simpler than they are often made out to be. HIPAA requires covered entities and business associates to retain HIPAA-related documentation (policies, procedures, assessments, agreements and similar records) for at least 6 years. It does not set a retention period for patients' medical records themselves; each U.S. state has its own law governing how long medical records must be kept. This page explains which records covered entities and business associates must retain under HIPAA and for how long.

First, there is no HIPAA medical records retention period. Neither the Privacy Rule nor the Security Rule states how long medical records must be kept. That does not mean medical records can be discarded freely: each state sets its own retention period for medical records, and the standards differ from state to state. Covered entities and business associates must follow the rules of the states in which they operate or face fines and penalties under those state laws.

Although HIPAA does not lay down a retention requirement for medical records, it does set a retention period for other HIPAA-related documentation. 45 CFR §164.316(b)(2)(i) (the Security Rule) requires covered entities and business associates to retain the required documentation for at least 6 years from the date of its creation or the date when it was last in effect, whichever is later; 45 CFR §164.530(j)(2) (the Privacy Rule) imposes the same 6-year period on Privacy Rule documentation. Note that the clock starts when a document stops being in effect, so a policy in force for 10 years must be kept for 16 years in total.

What Documents are Subject to HIPAA Data Retention Requirements?

Under HIPAA regulations, covered entities and business associates must retain the following documentation for at least 6 years from the date of creation or the date it was last in effect, whichever is later. If the Department of Health and Human Services' Office for Civil Rights (OCR) audits or investigates a covered entity or business associate, it can ask the organization to produce these records for inspection.

  1. A written or electronic record of the designation of an organization as a covered entity or business associate.
  2. Information security and privacy policies and procedures implemented to comply with HIPAA.
  3. Documentation of all actions, activities and assessments that HIPAA requires to be documented (for example, risk analyses).
  4. All data use agreements and other forms supporting HIPAA compliance.
  5. Incident and breach notification documentation.
  6. Physical security maintenance records.
  7. Logs recording access to and updating of PHI.
  8. Employee sanction policies.
  9. Disaster recovery and contingency plans.
  10. Documentation of the designated record sets that are subject to access by individuals.
  11. IT security system reviews.
  12. Business associate agreements.
