HIPAA Record Retention Requirements

The Health Insurance Portability and Accountability Act (HIPAA) is one of the most important pieces of legislation in the American healthcare industry. Enacted by Congress in 1996 and signed into law by President Bill Clinton, HIPAA was originally designed to address the issue of health insurance coverage for people who were between jobs. Without HIPAA, individuals who found themselves in these circumstances would be left without health insurance, and potentially unable to pay for critical healthcare.

HIPAA’s role stretches well beyond the provision of healthcare for people between jobs. Today, HIPAA is synonymous with data protection laws. Many of its Acts were designed to improve the experience of patients in the healthcare system and introduce a nationwide standard of patient data storage and protection. Existing laws were deemed inadequate to deal with the increasing use of technology in the healthcare industry and the looming threat that hackers pose to personal data. It is now one of the most important data privacy and protection laws in the US.

Many types of businesses in the healthcare industry are required to comply with HIPAA regulations, including healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities. These organisations are expected to be familiar with every aspect of HIPAA legislation; the fines for violations are hefty, and ignorance is not deemed an acceptable excuse for a violation.

HIPAA legislation can be complex. One area which causes much confusion is the set of HIPAA record retention requirements. HIPAA makes a distinction between medical records and HIPAA-related non-medical records, which must be treated separately. Here we shall discuss HIPAA’s requirements regarding the retention of each type of record.

Medical Records

HIPAA’s Privacy Rule does not stipulate how long medical records should be retained. Therefore, there is no official HIPAA medical record retention period. Each State has its own laws which cover the retention of medical records, and there is no nationwide standard. There is great variation on what is deemed an acceptable period of time to retain medical records, not only between states, but within states for different types of healthcare providers.

For example, Florida requires physicians to retain medical records after the last patient contact, but hospitals must retain them for seven years. North Carolina requires hospitals to retain a patient’s records for much longer periods of time: eleven years after the patient was discharged, or until the patient is thirty if they were admitted as a minor.

Although HIPAA’s Privacy Rule does not include medical record retention requirements, it does have requirements regarding the manner in which the data is stored. The covered entity is required to apply appropriate administrative, technical, and physical safeguards to protect the medical records for whatever period they are being retained, and ensure that they are disposed of in a secure manner.

Administrative safeguards include policies and procedures designed to manage information access within the organisation and train the workforce in HIPAA compliance. Physical safeguards require the physical protection of data such that it may not be accessed by unauthorised individuals. These may include workstation and device security, and are often the most straightforward yet effective security measures. Technical safeguards include controlling access to computer systems and the protection of communications containing PHI which is being transmitted electronically.

Each State may have further requirements regarding the storing of medical records. In general, medical records should be stored in a system which allows for the records to be accessed and retrieved promptly (by individuals authorised to do so) should they ever be needed.

HIPAA-Related Non-Medical Records

Unlike medical records, HIPAA does have requirements about how long HIPAA-related non-medical records should be retained. Section 164.316(b)(1) of HIPAA requires that organizations:

“(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.”

According to Section 164.316(b)(2)(i), the required documentation must be retained for six years from the date of its creation, or the date when it was last in effect, whichever is later. For example, if a policy is implemented for a year before being revised, a record of the original policy must be retained for at least seven years from its creation (six years from the date it was last in effect).

The types of HIPAA-related non-medical documentation covered by these Sections may include, but are not limited to:

  • Security risk analyses
  • Breach notification documentation
  • Employee sanction documentation
  • Business associate agreements
  • Notices of privacy practices and policies
  • Contingency plans for disasters
  • Log records for viewing of PHI
  • IT system reviews
  • Physical security maintenance and update records

For non-medical records, HIPAA preempts State laws if they require shorter retention periods. However, a State may require longer periods of retention; in these cases, the State law must be followed. For organisations that work in multiple states, it is worthwhile checking the laws in each individual state regarding the retention of HIPAA-related non-medical documents.

Summary of HIPAA Retention Requirements

Once one understands the distinction between medical and HIPAA-related non-medical records, the requirements are generally quite straightforward; for medical records, States set the law, but for HIPAA-related non-medical documents, a minimum of six years is required.

However, there are some exceptions. For example, some employers may be required to keep records indefinitely due to the requirements of the Employee Retirement Income Security Act and the Fair Labor Standards Act. It is worthwhile for organisations to perform a thorough audit of the data which they hold, ranging from patient and employee records to policy and procedure documentation. A thorough understanding of which laws are relevant in each case is vital to ensuring full compliance with HIPAA’s record retention requirements.