A large part of data privacy concerns how long data can be stored after use. This is also covered by the HIPAA, which stipulates in its rules how long data can be retained after it has been collected and used. Individual States may have their own rules and legislation regarding this issue, but for the purpose of this article we will only discuss HIPAA.
What is the HIPAA Retention Period?
First, it is important to clarify that HIPAA does not set an “expiry date” for medical records. Instead, CEs and BAs should look to the State guidelines on this issue. These are the rules that are binding when organizations are retaining medical records, not anything from HIPAA. Each State has a different requirement: Nevada, for example, requires medical records are held for at least five years (or until the patient is twenty-three); in New York, they must be held for six years (or until that patient’s twenty-first birthday).
That is not to say that HIPAA has no retention policy at all. Rather, instead of concerning itself with medical records – the domain of State law – it applies to other healthcare-related documents. Such documents are listed below, though this is not an exhaustive list:
- Notices of Privacy Practices.
- Authorizations for the Disclosure of PHI.
- Risk Assessments and Risk Analyses.
- Disaster Recovery and Contingency Plans.
- Business Associate Agreements.
- Information Security and Privacy Policies.
- Employee Sanction Policies.
- Incident and Breach Notification Documentation.
- Complaint and Resolution Documentation.
- Physical Security Maintenance Records.
- Logs Recording Access to and Updating of PHI.
- IT Security System Reviews (including new procedures or technologies implemented).
Under the Privacy Rule, the above documents must be securely retained for “6 years from the date of its creation or the date when it last was in effect, whichever is later.” The latter is most appropriate for HIPAA-related policies, such as privacy policies, that may be updated regularly. Thus, if a policy was first implemented in 2013 and then updated in 2015, the policy document would need to be kept at least until 2021 (eight years after its start date).
How should documents be stored?
It should be noted that all documents should be protected from unauthorized access, even if they are “just” in storage. This is part of the Privacy Rule: according to the Department for Health and Human Service’s website, “The HIPAA Privacy Rule does not include medical record retention requirements. Rather, State laws generally govern how long medical records are to be retained. However, the HIPAA Privacy Rule does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal.”
Thus, as well as advocating for general security, we also strongly recommend that CEs and BAs employ a secure storage solution when storing all medical or non-medical HIPAA documentation.