The subtle differences between HIPAA medical records retention and HIPAA record retention lead to some confusion when discussing HIPAA retention requirements. This article seeks to clarify what records need to be retained under HIPAA, and what other retention requirements Covered Entities should think about using.
The HIPAA retention requirements are actually quite simple. What can create confusion for some Covered Entities and Business Associates is the stipulation within the Privacy Rule that appropriate administrative, technical and physical safeguards must put in place to “protect the privacy of Protected Health Information for whatever period such information is maintained”.
HIPAA Medical Records Retention Period is Not in Existence
The reason the Privacy Rule does not state how long medical records should be retained is because there is no HIPAA medical records retention period. Every state has its own laws governing the retention of medical records, and – unlike in other areas of the Healthcare Insurance, Portability and Accountability Act – HIPAA does not direct them.
Due to this, each Covered Entity and Business Associate is subject to the laws of the state with regard to how long medical records have to be retained rather than any specific HIPAA medical records retention period. The States’ retention periods can range considerably depending on the nature of the records and to whom they belong
So what are the HIPAA Retention Requirements?
Although there are no HIPAA retention requirements for medical histories, there is a stated requirement about how long other HIPAA-related documents should be retained. This is covered in CFR §164.316(b)(1), which states Covered Entities must keep the policies and procedures implemented to comply [with HIPAA] and records of any action, activity or assessment.
CFR §164.316(b)(2)(i) states that the documents must be retained for at least six years from when the document was created, or – in the event of a policy – from when it was last in effect. Therefore if a policy is put in place for three years before being revised, a record of the original policy must be kept for a minimum of nine years after its creation.
The list of documents subject to the HIPAA retention requirements is wide ranging depending on the nature of business conducted by the Covered Entity or Business Associate. The following list is an example of the most typical documents but, for example, health plans and healthcare clearinghouses do not issue Notices of Privacy Practices, so would not be required to keep copies of them:
- Privacy Practice Notices
- Permissions for the Disclosure of PHI.
- Risk Assessments and Risk Analysis Studies
- Plans for Disaster Recovery and Contingency Plans.
- Copies of Business Associate Agreements.
- Details of Information Security and Privacy Policies.
- Policies for Employee Sanction.
- Documents on Incident and Breach Notification.
- Information on Complaint and Resolution.
- Records of Physical Security Maintenance.
- Details of Access to and Updating of PHI.
- Audits of IT Security Systems (including new procedures or technologies implemented).
HIPAA Record Retention: Other Important Points
It was referred to above the HIPAA retention requirements are actually quite straightforward and, when contrasted with some other regulatory requirements, that is certainly true. Along with HIPAA record retention, insurance companies may be subject to the complexities of FINRA while employers may have to adhere with the record retention requirements of the Employee Retirement Income Security Act and Fair Labor Standards Act. In some instances, this can mean retaining records indefinitely.
The Centers for Medicare & Medicaid Services (CMS) states that records of healthcare providers filing cost reports to be retained for a period of at least five years after the closure of the cost report, and that Medicare managed care program providers manage their records for ten years. Although much of the documentation supporting CMS cost reports will be the same as required for HIPAA record retention reasons, the two sets of records must be kept apart for retrieval purposes.
For all Covered Entities and Business Associates, it is advisable that any documentation that may be required in a personal injury or breach of contract dispute is kept for as long as necessary. “As long as necessary” will depend on the relevant Statute of Limitations in force in the state in which the entity is in business. In many instances, the Statutes of Limitation are longer than any HIPAA record retention periods.