HIPAA Data Retention

A large part of data privacy concerns how long data can be stored after use. This is also covered by the HIPAA, which stipulates in its rules how long data can be retained after it has been collected and used. Individual States may have their own rules and legislation regarding this issue, but for the purpose of this article we will only discuss HIPAA.

What is the HIPAA Retention Period?

First, it is important to clarify that HIPAA does not set an “expiry date” for medical records. Instead, CEs and BAs should look to the State guidelines on this issue. These are the rules that are binding when organizations are retaining medical records, not anything from HIPAA. Each State has a different requirement: Nevada, for example, requires medical records are held for at least five years (or until the patient is twenty-three); in New York, they must be held for six years (or until that patient’s twenty-first birthday).

That is not to say that HIPAA has no retention policy at all. Rather, instead of concerning itself with medical records – the domain of State law – it applies to other healthcare-related documents. Such documents are listed below, though this is not an exhaustive list:

  • Notices of Privacy Practices.
  • Authorizations for the Disclosure of PHI.
  • Risk Assessments and Risk Analyses.
  • Disaster Recovery and Contingency Plans.
  • Business Associate Agreements.
  • Information Security and Privacy Policies.
  • Employee Sanction Policies.
  • Incident and Breach Notification Documentation.
  • Complaint and Resolution Documentation.
  • Physical Security Maintenance Records.
  • Logs Recording Access to and Updating of PHI.
  • IT Security System Reviews (including new procedures or technologies implemented).

Under the Privacy Rule, the above documents must be securely retained for “6 years from the date of its creation or the date when it last was in effect, whichever is later.” The latter is most appropriate for HIPAA-related policies, such as privacy policies, that may be updated regularly. Thus, if a policy was first implemented in 2013 and then updated in 2015, the policy document would need to be kept at least until 2021 (eight years after its start date).

How should documents be stored?

It should be noted that all documents should be protected from unauthorized access, even if they are “just” in storage. This is part of the Privacy Rule: according to the Department for Health and Human Service’s website, “The HIPAA Privacy Rule does not include medical record retention requirements. Rather, State laws generally govern how long medical records are to be retained. However, the HIPAA Privacy Rule does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal.”

Thus, as well as advocating for general security, we also strongly recommend that CEs and BAs employ a secure storage solution when storing all medical or non-medical HIPAA documentation.

Data Retention: FAQ

Does the HIPAA Retention Period apply to medical records?

No, the HIPAA Retention Period does not apply to medical records. The length of time these must be stored falls under the remit of State law. Rather, the HIPAA Retention Period applies to non-medical HIPAA documents such as PHI Authorization forms or Business Associate Agreements.

Does the Retention Period apply to Business Associates?

The retention requirements stipulated under the Privacy Rule applies to both HIPAA Covered Entities (CEs) and their business associates (BAs). This also means that any protections required of CEs are also required of BAs; these protections will be stipulated in the Business Associate Agreement (BAA).

How long should ongoing Business Associate Agreements be retained?

If a BAA is still in effect, it must be retained indefinitely. However, if it has been modified, then the previous outdated BAA must retained for at least six years, in accordance with the HIPAA retention period.

How should documents be disposed of after the Retention Period expires?

This will depend on how the documents have been stored. If the records are electronic, then the Department for Health and Human Services recommends that the PHI is purged, or that the hardware on which it is stored is pulverized, melted, or incinerated. PHI that is stored physically should be shredded, burned, or otherwise rendered illegible.