What are the HIPAA Data Retention Requirements?


HIPAA data retention requirements mandate that HIPAA Covered Entities and Business Associates retain required HIPAA documentation for six years from the date of its creation or the date it was last in effect, whichever is later. Retention periods for medical records themselves are governed primarily by state law and other federal requirements rather than by HIPAA.

The six year retention requirement applies to documentation required by the HIPAA Privacy Rule and HIPAA Security Rule: policies and procedures, privacy notices and related acknowledgments when maintained as documentation, complaint documentation, actions and activities required to be documented, risk analysis documentation, risk management decisions, sanction documentation, and records that demonstrate compliance with the administrative requirements. Organizations should also retain the supporting artifacts that substantiate those decisions, such as training completion records, access review evidence, incident response records, and breach risk assessment materials, when those artifacts form part of the documented actions and activities maintained for compliance purposes.

HIPAA does not set a general retention period for patient medical records or for all electronic protected health information. A covered entity or business associate should align medical record retention and clinical documentation retention with applicable state record retention laws, Medicare or Medicaid program requirements, professional licensing rules, accreditation obligations, and contractual obligations. Retention schedules should also account for litigation holds and government investigation preservation duties when a dispute, audit, or enforcement action is reasonably anticipated.


Retention controls should address both confidentiality and integrity through the retention period and through disposal. Records retained for compliance should be stored in a manner that preserves their reliability, supports retrieval, and restricts access to authorized personnel. For electronic records, retention practices should include access control, audit capability where applicable, backup and restoration practices consistent with the organization’s contingency planning, and controls that prevent unauthorized alteration or destruction.

Disposal practices should ensure that protected health information and compliance documentation are destroyed or rendered unreadable in a manner consistent with the organization’s policies and the HIPAA Security Rule safeguards for electronic protected health information. Organizations should document retention schedules, document destruction procedures, and the approvals and exceptions applied when retention is extended for operational needs, investigations, or legal requirements.

A defensible HIPAA retention program links each category of required documentation to an owner, a retention period, a storage location, access restrictions, and a disposal method, and it preserves evidence that the organization maintained required HIPAA documentation for the full six year period.
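The retention program described above can be reduced to a small, testable schedule: each record carries an owner, a category, its creation and last-in-effect dates, a hold flag, and an integrity hash, and the earliest disposal date is six years from the later of the two dates. The following Python is an added example written for this page, not code from HIPAAnswers or from any regulator; the inventory entries are constructed, and the Feb 29 fallback to Feb 28 is this example's own assumption, not a regulatory rule. It shows the two cases practitioners most often get wrong: a superseded policy whose clock starts at the supersession date rather than its creation date, and a document still in effect for which no disposal date can be computed yet.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Iterable, Optional, Tuple

# 45 CFR 164.530(j)(2) and 45 CFR 164.316(b)(2)(i): six years from the later of
# the creation date and the date the documentation was last in effect.
RETENTION_YEARS = 6


def add_years(d: date, years: int) -> date:
    """Add calendar years. A Feb 29 start that lands in a non-leap year falls
    back to Feb 28 (assumption made for this example, not a regulatory rule)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class RetainedDocument:
    doc_id: str
    category: str                    # e.g. "privacy policy", "risk analysis"
    owner: str                       # accountable role for the record
    created: date
    last_in_effect: Optional[date]   # None while the document is still in effect
    content: bytes
    legal_hold: bool = False         # litigation hold or investigation preservation
    sha256: str = field(init=False)  # integrity evidence recorded at intake

    def __post_init__(self) -> None:
        self.sha256 = hashlib.sha256(self.content).hexdigest()

    def retention_end(self) -> Optional[date]:
        """Earliest disposal date: six years from the later of creation and
        last-in-effect. A document still in effect has no end date yet."""
        if self.last_in_effect is None:
            return None
        return add_years(max(self.created, self.last_in_effect), RETENTION_YEARS)

    def disposal_eligible(self, as_of: date) -> bool:
        """True only when the six-year period has run and no hold applies.
        A hold blocks disposal regardless of the schedule."""
        end = self.retention_end()
        if end is None or self.legal_hold:
            return False
        return as_of >= end

    def integrity_ok(self, stored_content: bytes) -> bool:
        """Detect alteration by comparing the stored copy against the hash
        recorded when the record entered retention."""
        return hashlib.sha256(stored_content).hexdigest() == self.sha256


def disposal_schedule(
    docs: Iterable[RetainedDocument], as_of: date
) -> Dict[str, Tuple[Optional[str], bool]]:
    """Map doc_id -> (retention end as ISO date or None, eligible for disposal)."""
    out: Dict[str, Tuple[Optional[str], bool]] = {}
    for d in docs:
        end = d.retention_end()
        out[d.doc_id] = (end.isoformat() if end else None, d.disposal_eligible(as_of))
    return out


# Constructed sample inventory for this example (not real records).
SAMPLE_DOCS = [
    # Privacy policy superseded in 2020: the clock runs from 2020, not 2015.
    RetainedDocument("POL-001", "privacy policy", "Privacy Officer",
                     date(2015, 3, 1), date(2020, 6, 30), b"policy v1 text"),
    # Risk analysis still in effect: no end date can be computed yet.
    RetainedDocument("RA-2023", "risk analysis", "Security Officer",
                     date(2023, 2, 28), None, b"risk analysis 2023"),
    # Sanction record created and closed on a leap day.
    RetainedDocument("SAN-007", "sanction documentation", "HR Compliance",
                     date(2016, 2, 29), date(2016, 2, 29), b"sanction record"),
    # Old breach assessment whose period has run but is under litigation hold.
    RetainedDocument("BRA-2012", "breach risk assessment", "Privacy Officer",
                     date(2010, 1, 1), date(2012, 1, 1), b"breach assessment",
                     legal_hold=True),
]

AS_OF = date(2026, 6, 30)

if __name__ == "__main__":
    for doc_id, (end, eligible) in disposal_schedule(SAMPLE_DOCS, AS_OF).items():
        print(f"{doc_id}: retention ends {end or 'open'}; eligible as of {AS_OF}: {eligible}")
```

Running the module prints the schedule for the four constructed records. The hash recorded at intake is what lets a later review show the retained copy was not altered during the six years; a document under hold stays blocked even after its computed end date, which is the exception path the text says should be documented and approved.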

HIPAA Regulatory Text About Data Retention Requirements

45 CFR 164.530(j)(2) is relevant because it establishes the HIPAA Privacy Rule documentation retention period that applies to required privacy policies, procedures, and other required written records. The regulation states, “(2) Implementation specification: Retention period. A covered entity must retain the documentation required by paragraph (j)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later.” This text is relevant because HIPAA data retention requirements under the HIPAA Privacy Rule are directed to retention of required documentation rather than a general medical record retention period.

45 CFR 164.316(b)(2)(i) is relevant because it establishes the HIPAA Security Rule documentation retention period for security policies, procedures, and required security records, including records of actions, activities, and assessments that the HIPAA Security Rule requires to be documented. The regulation states, “(i) Time limit (Required). Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.” This text is relevant because HIPAA Security Rule retention obligations attach to security documentation and do not create a general retention period for all electronic protected health information.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]