

Clarifying the HIPAA Retention Requirements

HIPAA retention requirements are simpler than they first appear. In this article we discuss which records need to be retained and for how long.

The first thing to remember is that there is no HIPAA medical records retention period. The Privacy Rule does not state how long medical records must be retained. Instead, each state sets its own medical records retention requirement in its laws, and it is the duty of covered entities and business associates to know the retention period that applies in the states where they operate.

In practice, the retention period differs by the type of record and by who owns it. The medical records retention policies of some states are listed below:

Florida: Physicians should maintain medical records for at least 5 years, and hospitals should maintain medical records for 7 years.

Nevada: Health care organizations must retain medical records for at least 5 years. Medical records for minors should be kept until the patient reaches 23 years of age.

North Carolina: Hospitals must keep medical records for 11 years from the date of the patient's discharge. The law in North Carolina also states that medical records for minors should be kept until the patient reaches 30 years of age.

Although HIPAA does not lay down a retention requirement for medical records, it does set a retention period for other HIPAA-related documentation. 45 CFR §164.316(b)(2)(i) specifies that covered entities and business associates must retain the required documentation for at least 6 years from the date it was created or the date it was last in effect, whichever is later.

Below are a few examples of the documents most typically subject to the HIPAA retention requirement. Depending on the nature of its business, a covered entity or business associate may or may not be required to hold or retain copies of each of them:

  1. Permissions for the disclosure of PHI
  2. Business Associate Agreements
  3. Disaster recovery and contingency plans
  4. Information security and privacy policies
  5. Incident and breach notification documentation
  6. Complaint and resolution records
  7. IT security system reviews (including new procedures or technologies implemented)
  8. Logs recording access to and updating of PHI
  9. Physical security maintenance records
  10. Audits of IT security systems