What are HIPAA’s Records Retention Requirements?
Many covered entities are confused about HIPAA medical records retention and other record retention requirements. The retention requirements of HIPAA are actually fairly straightforward, and this article clarifies them.

The first thing to know is that there is no HIPAA medical records retention period. The Privacy Rule does not specify the length of time medical records must be retained. Instead, each state stipulates the retention period for medical records in its own laws, so every Covered Entity and Business Associate is responsible for knowing the medical records retention laws of the state in which it operates. In general, the retention periods vary depending on the type of record and who owns it. Here are the medical records retention requirements of some states.

Florida – Physicians must maintain medical records for five years. Hospitals must retain medical records for seven years.

Nevada – Healthcare providers must maintain medical records for at least five years. If the medical records belong to a minor, they must be kept until the patient is 23 years old.

North Carolina – Hospitals must keep medical records for 11 years from the date of the patient’s discharge. Records of minors must be maintained until the patient is 30 years old.

Although HIPAA does not stipulate any retention requirement for medical records, there is a retention period requirement for other HIPAA-related documents. See CFR §164.316(b)(1), which requires Covered Entities to maintain the policies and procedures implemented to comply [with HIPAA] and the records of any action, activity or assessment.

CFR §164.316(b)(2)(i) specifies that these documents must be retained for at least six years from the time the document was created, or – in the case of a policy – from when it was last in effect. Therefore, for a policy that is in effect for 3 years before being revised, a record of the original policy must be retained for at least 9 years after its creation.

The following is a list of documents subject to the HIPAA retention requirements. Depending on the nature of its business, a Covered Entity or Business Associate may or may not be required to have or retain copies of them:

  • Authorizations for the Disclosure of PHI
  • Business Associate Agreements
  • Complaint and Resolution Documentation
  • Disaster Recovery and Contingency Plans
  • Employee Sanction Policies
  • Incident and Breach Notification Documentation
  • Information Security and Privacy Policies
  • IT Security System Reviews (including new procedures or technologies implemented)
  • Logs Recording Access to and Updating of PHI
  • Notices of Privacy Practices
  • Physical Security Maintenance Records
  • Risk Assessments and Risk Analyses

Aside from what has been mentioned above, here are other record retention requirements:

  • Insurance companies need to know the requirements of FINRA.
  • Employers need to know the record retention requirements of the Employee Retirement Income Security Act and the Fair Labor Standards Act.
  • The Centers for Medicare & Medicaid Services (CMS) also have retention requirements for healthcare providers. Cost reports must be retained for at least 5 years after the cost report’s closure.
  • Medicare managed care program providers must retain their records for 10 years.
  • Any Covered Entity or Business Associate holding documentation that may be needed in a personal injury or breach of contract dispute must retain that documentation for as long as necessary under the relevant Statute of Limitations in force in the state in which the entity operates.