The Health Insurance Portability and Accountability Act (HIPAA) is one of the most important pieces of legislation in the American healthcare industry. Enacted by Congress in 1996 and signed into law by President Bill Clinton, HIPAA was originally designed to address the issue of health insurance coverage for people who were between jobs. Without HIPAA, individuals who found themselves in these circumstances would be left without health insurance, and potentially unable to pay for critical healthcare.
HIPAA’s role stretches well beyond the provision of healthcare for people between jobs. Today, HIPAA is synonymous with data protection laws. Many of its Acts were designed to improve the experience of patients in the healthcare system and introduce a nationwide standard of patient data storage and protection. Existing laws were deemed inadequate to deal with the increasing use of technology in the healthcare industry and the looming threat that hackers pose to personal data. It is now one of the most important data privacy and protection laws in the US.
Many types of businesses in the healthcare industry are required to comply with HIPAA regulations, including healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities. These organisations are expected to be familiar with every aspect of HIPAA legislation; the fines for violations are hefty, and ignorance is not deemed an acceptable excuse for a violation.
HIPAA legislation can be complex. One area which causes much confusion are the HIPAA record retention requirements. HIPAA makes a distinction between medical and HIPAA-related non-medical records, which must be treated separately. Here we shall discuss HIPAA’s requirements regarding the retention of each type of record.
Medical Records
HIPAA’s Privacy Rule does not stipulate how long medical records should be retained. Therefore, there is no official HIPAA medical record retention period. Each State has its own laws which cover the retention of medical records, and there is no nationwide standard. There is great variation on what is deemed an acceptable period of time to retain medical records, not only between states, but within states for different types of healthcare providers.
For example, Florida requires physicians to retain medical records after the last patient contact, but hospitals must retain them for seven years. North Carolina requires hospitals to retain a patient’s records for much longer periods of time; eleven years since the patent was discharged, or until the patient is thirty if they were admitted as a minor.
Although HIPAA’s Privacy Rule does not include medical record retention requirements, it does have requirements regarding the manner in which the data is stored. The covered entity is required to apply appropriate administrative, technical, and physical safeguards to protect the medical records for whatever period they are being retained, and ensure that they are disposed of in a secure manner.
Administrative safeguards include policies and procedures designed to manage information access within the organisation and train the workforce in HIPAA compliance. Physical safeguards require the physical protection of data such that it may not be accessed by unauthorised individuals. This may include workstation and device security, and are often the most straightforward-yet effective-security measures. Technical safeguards include controlling access to computer systems and the protection of communications containing PHI which is being transmitted electronically.
Each State may have further requirements regarding the storing of medical records. In general, medical records should be stored in a system which allows for the records to be accessed and retrieved promptly (by individuals authorised to do so) should they ever be needed.
HIPAA-Related Non-Medical Records
Unlike medical records, HIPAA does have requirements about how long HIPAA-related non-medical records should be retained. Section 164.316(b)(1) HIPAA requires that organizations:
“(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.”
According to Section164.316(b)(2)(i), the required documentation must be retained for six years from the date of its creation, or the date when it last was in effect, whichever is later. For example, if a policy is implemented for a year before being revised, a record of the original policy must be retained for at least seven years.
The types of HIPAA-related non-medical documentation covered by these Sections may include, but are not limited to:
- Security risk analyses
- Breach notification documentation
- Employee sanction documentation
- Business associate agreements
- Notices of privacy practices and policies
- Contingency plans for disasters
- Log records for viewing of PHI
- IT system reviews
- Physical security maintenance and update records
For non-medical records, HIPAA preempts State laws if they require shorter retention periods. However, a State may require longer periods of retention; in these cases, the State law must be followed. For organisations that work in multiple states, it is worthwhile checking the laws in each individual state regarding the retention of HIPAA-related non-medical documents.
Summary of HIPAA Retention Requirements
Once one understands the distinction between medical and HIPAA-related non-medical records, the requirements are generally quite straightforward; for medical records, States set the law, but for HIPAA-related non-medical documents, a minimum of six years is required.
However, there are some exceptions. For example, some employers may be required to keep records indefinitely due to the requirements of the Employee Retirement Income Security Act and Fair Labor Standards Act. It is worthwhile for organisations to perform a thorough audit of the data which they hold, ranging from patient and employee records to policies and procedure documentation. A thorough understanding of which laws relevant in each case is vital to ensuring full compliance with HIPAA’s record retention policies.
FAQs
What are the HIPAA record retention requirements for healthcare providers?
The HIPAA record retention requirements for healthcare providers establish guidelines for how long they must retain patient health records. Under HIPAA laws, healthcare providers are generally required to retain medical records for a minimum of six years from the date of their creation or the date when they were last in effect, whichever is later. However, it is important to note that some states may have longer retention periods, so providers should comply with the requirements that are most stringent. The purpose of these requirements is to ensure that patient health information is available for reference, continuity of care, and compliance with legal and regulatory obligations. Retaining records for the specified period allows for the review of past treatments, facilitates proper billing and reimbursement, supports research and audits, and enables the patient’s right to access their medical information. By adhering to HIPAA record retention requirements, healthcare providers can protect patient privacy and maintain the integrity of health records.
Are there specific guidelines for the retention of electronic health records (EHRs) under HIPAA laws?
Yes, there are specific guidelines for the retention of electronic health records (EHRs) under HIPAA laws. The retention requirements for EHRs are generally the same as those for paper medical records. Healthcare providers must retain electronic health records for a minimum of six years from the date of their creation or the date when they were last in effect, whichever is later. However, it is important to note that EHRs may require additional safeguards to ensure their integrity, availability, and protection against unauthorized access or loss. Providers should implement appropriate technical and administrative measures, such as regular backups, data encryption, access controls, and disaster recovery plans, to safeguard the electronic health records throughout the retention period. By adhering to these guidelines, healthcare providers can ensure the long-term availability and security of electronic health records, contributing to the continuity of care and protection of patient information.
Are there any exceptions or circumstances that may require healthcare providers to retain records for longer than the minimum HIPAA requirement?
Yes, there are exceptions and circumstances that may require healthcare providers to retain records for longer than the minimum HIPAA requirement. While HIPAA sets a minimum retention period of six years, there are situations where providers may need to retain records for an extended period. Some states have laws that mandate longer retention periods, and healthcare providers must comply with the more stringent requirement. Additionally, certain legal and regulatory requirements, such as those related to Medicare and Medicaid claims, may necessitate retaining records for a longer duration. Moreover, healthcare providers should consider any applicable statutes of limitations for medical malpractice or personal injury claims, which may require retaining records for an extended period beyond the HIPAA requirement. It is crucial for providers to stay informed about state laws and consult legal counsel to ensure compliance with all applicable record retention requirements.
What steps can healthcare providers take to ensure compliance with HIPAA record retention requirements?
Healthcare providers can take several steps to ensure compliance with HIPAA record retention requirements. Firstly, providers should establish clear policies and procedures regarding record retention that align with HIPAA laws and any applicable state regulations. These policies should outline the retention periods for different types of records and specify the steps involved in securely storing, maintaining, and eventually disposing of records when they are no longer required. Secondly, healthcare providers should train their staff on the record retention policies and educate them on the importance of proper record management, including the protection of patient privacy and the secure handling of records. Regular training sessions can reinforce compliance and help prevent inadvertent record retention violations. Thirdly, providers should implement robust electronic health record (EHR) systems or other record management systems that facilitate the organization, storage, and retrieval of records. These systems should have appropriate security measures to protect the confidentiality and integrity of the records throughout the retention period. Lastly, it is crucial for healthcare providers to regularly review and update their record retention policies to reflect any changes in HIPAA laws or state regulations. By following these steps, healthcare providers can ensure compliance with HIPAA record retention requirements and maintain the privacy and security of patient health records.
Can healthcare providers store patient records in electronic format to meet HIPAA record retention requirements?
Yes, healthcare providers can store patient records in electronic format to meet HIPAA record retention requirements. HIPAA laws recognize electronic health records (EHRs) as valid and enforceable documents. Providers must ensure that their electronic storage systems are secure, accessible, and capable of maintaining the integrity and confidentiality of the records throughout the required retention period. The Office for Civil Rights (OCR), the entity responsible for enforcing HIPAA, provides guidance on the technical safeguards and security measures that should be implemented to protect electronic health records from unauthorized access, modification, or destruction. Healthcare providers should implement measures such as access controls, encryption, audit logs, regular data backups, and disaster recovery plans to safeguard electronic health records. By adopting appropriate technology and security measures, healthcare providers can effectively store patient records in electronic format, ensuring compliance with HIPAA record retention requirements while maintaining the privacy and security of patient health information.
Are there any specific guidelines for the disposal of patient records once they are no longer required to be retained under HIPAA laws?
Yes, there are specific guidelines for the disposal of patient records once they are no longer required to be retained under HIPAA laws. When healthcare providers decide to dispose of patient records, whether in paper or electronic format, they must take appropriate measures to protect the privacy and confidentiality of the information. HIPAA laws require providers to implement safeguards to prevent unauthorized access, use, or disclosure of patient records during and after their disposal. For paper records, secure shredding or destruction methods should be employed to render the information unreadable and irretrievable. When disposing of electronic health records (EHRs), providers should ensure that all data is permanently deleted or securely erased from storage devices to prevent any potential recovery. Providers should also consider any state-specific regulations or guidelines that may provide additional requirements for the disposal of patient records. By following these guidelines, healthcare providers can mitigate the risk of data breaches, protect patient privacy, and comply with HIPAA laws during the disposal process.
Can healthcare providers face penalties for non-compliance with HIPAA record retention requirements?
Yes, healthcare providers can face penalties for non-compliance with HIPAA record retention requirements. The Office for Civil Rights (OCR) is responsible for enforcing HIPAA laws, including the record retention requirements. If a provider fails to retain records for the required period or improperly disposes of patient records, they may be subject to investigations, audits, and potential penalties. The penalties for non-compliance can vary depending on the nature and extent of the violation, ranging from monetary fines to corrective action plans or even criminal charges in cases of deliberate or willful neglect. The OCR may impose civil monetary penalties that can range from $100 to $50,000 per violation, with an annual maximum penalty of $1.5 million for each violation category. The severity of penalties can increase based on factors such as the number of records involved, the harm caused to individuals, the provider’s level of negligence, and their history of compliance. It is crucial for healthcare providers to adhere to HIPAA record retention requirements to avoid penalties, protect patient information, and maintain compliance with the law.
Can healthcare providers rely on third-party vendors or cloud storage for HIPAA-compliant record retention?
Yes, healthcare providers can rely on third-party vendors or cloud storage for HIPAA-compliant record retention, but they must ensure that these vendors or services meet the necessary security and privacy requirements. HIPAA laws place the responsibility for safeguarding patient health information on the covered entities, such as healthcare providers, even if they engage third-party vendors. When selecting a vendor or cloud storage provider, healthcare providers should conduct thorough due diligence to ensure that they have implemented appropriate technical, physical, and administrative safeguards to protect patient records. The vendor or cloud storage service should be willing to enter into a Business Associate Agreement (BAA) with the healthcare provider, outlining their responsibilities and obligations regarding the security and privacy of the records. It is crucial for healthcare providers to conduct risk assessments, review vendor contracts, and periodically assess the vendor’s compliance with HIPAA laws. By choosing a reputable and compliant vendor, healthcare providers can leverage third-party services for record retention while maintaining the privacy and security of patient health information.