The subtle distinction between HIPAA medical records retention and HIPAA record retention can cause confusion when discussing HIPAA retention requirements. This article aims to clarify what records need to be retained under HIPAA, and what other retention requirements Covered Entities should consider.
The HIPAA retention requirements are actually quite straightforward. What can cause confusion for some Covered Entities and Business Associates is the stipulation within the Privacy Rule that appropriate administrative, technical and physical safeguards must implemented to “protect the privacy of Protected Health Information for whatever period such information is maintained”.
There is No HIPAA Medical Records Retention Period
The reason the Privacy Rule does not stipulate how long medical records should be retained is because there is no HIPAA medical records retention period. Each state has its own laws governing the retention of medical records, and – unlike in other areas of the Healthcare Insurance, Portability and Accountability Act – HIPAA does not pre-empt them.
Consequently, each Covered Entity and Business Associate is bound by the laws of states with regard to how long medical records have to be retained rather than any specific HIPAA medical records retention period. The states’ retention periods can vary considerably depending on the nature of the records and to whom they belong. For example:
- In Florida, physicians must maintain medical records for five years after the last patient contact, whereas hospitals must maintain them for seven years.
- In Nevada, healthcare providers are required to maintain medical records for a minimum of five years, or – in the case of a minor – until the patient has reached twenty-three years of age.
- In North Carolina, hospitals must maintain patients’ records for eleven years from the date of discharge, and records relating to minors must be retained until the patient has reached thirty years of age.
In that Case, what are the HIPAA Retention Requirements?
Although there are no HIPAA retention requirements for medical records, there is a requirement covering how long HIPAA-related documents should be retained. This is covered in CFR §164.316(b)(1) and (2), which states Covered Entities must maintain the policies and procedures implemented to comply [with HIPAA] and records of any action, activity or assessment.
CFR §164.316(b)(2)(i) stipulates the documents must be retained for a minimum of six years from when the document was created, or – in the event of a policy – from when it was last in effect. Therefore if a policy is implemented for three years before being revised, a record of the original policy must be retained for a minimum of nine years after its creation. HIPAA requirements preempt state laws if they require shorter
periods of document retention.
The list of documents subject to the HIPAA retention requirements, and depends on the nature of business conducted by the Covered Entity or Business Associate. The following list is an example of the most common types of documents but, for example, health plans and healthcare clearinghouses do not issue Notices of Privacy Practices, so would not be required to retain copies of them:
- Notices of Privacy Practices.
- Authorizations for the Disclosure of PHI.
- Risk Assessments and Risk Analyses.
- Disaster Recovery and Contingency Plans.
- Business Associate Agreements.
- Information Security and Privacy Policies.
- Employee Sanction Policies.
- Incident and Breach Notification Documentation.
- Complaint and Resolution Documentation.
- Physical Security Maintenance Records.
- Logs Recording Access to and Updating of PHI.
- IT Security System Reviews (including new procedures or technologies implemented).
What Else to Consider in Addition to HIPAA Record Retention
It was mentioned above the HIPAA retention requirements are actually quite straightforward and, when compared with some other regulatory requirements, that is certainly the case. In addition to HIPAA record retention, insurance companies may be subject to the complexities of FINRA while employers may have to comply with the record retention requirements of the Employee Retirement Income Security Act and Fair Labor Standards Act. In some cases, this can mean retaining records indefinitely.
The Centers for Medicare & Medicaid Services (CMS) requires records of healthcare providers submitting cost reports to be retained for a period of at least five years after the closure of the cost report, and that Medicare managed care program providers retain their records for ten years. Providers and suppliers need to maintain medical records for each Medicare beneficiary that is their patient. Although much of the documentation supporting CMS cost reports will be the same as those required for HIPAA record retention purposes, the two sets of records must be kept separate for retrieval purposes.
For all Covered Entities and Business Associates, it is recommended any documentation that may be required in a personal injury or breach of contract dispute is retained for as long as necessary. “As long as necessary” will depend on the relevant Statute of Limitations in force in the state in which the entity operates. In many cases, the Statutes of Limitation are longer than any HIPAA record retention periods.
When the retention periods for medical records and HIPAA documentation has been reached, HIPAA requires physical and electronic forms of PHI to be disposed of securely to prevent impermissible disclosures of PHI. See 45 CFR § 164.310(d)(2)(i-iv).