The Health Insurance Portability and Accountability Act (HIPAA) protects the privacy and security of individually identifiable health information. The Act does so through regulations issued by the Department of Health and Human Services (HHS). These regulations can be classed into four rules: The HIPAA Privacy Rule, the HIPAA Security Rule, the HIPAA Breach Notification Rule, and the HIPAA Omnibus Rule. 

HIPAA Medical Record Retention

These rules set forth national standards: the entities to which they apply (covered entities and business associates) are located across the nation, and the same rules govern all of them. The practice of medicine itself, however, is generally regulated not by HIPAA but by the individual states. State law, not HIPAA, dictates how long a doctor's office must retain medical records. State law medical record retention requirements are set forth below.

What are State Law Medical Record Retention Requirements?

The HIPAA Privacy Rule requires covered entities to implement safeguards to prevent unauthorized use or disclosure of protected health information (PHI). The HIPAA Security Rule requires covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of ePHI (i.e., PHI in electronic form). 

These rules, however, are silent on the issue of medical record retention. There is no HIPAA medical records retention period, that is, no period of time for which a healthcare provider must retain a patient's medical records before the records can be disposed of or destroyed.

Rather, state laws and regulations set forth the amount of time a covered entity (i.e., healthcare provider) must maintain patient medical records. 

State law medical record retention requirements vary by state; some states require medical records to be retained for a longer period of time than others do.

For example, the state of New York requires physicians and hospitals to maintain patient records for at least six years from the date of the patient’s last visit. In contrast, the state of Georgia requires physicians to retain a patient’s medical records for at least 10 years from the date of the patient’s last office visit.

States may impose record retention requirements on organizations other than medical offices and hospitals. For example, the state of South Dakota requires hospice facilities to maintain records for six years following a patient’s visit date. 

In addition, some states, in imposing medical record retention requirements on doctor's offices and hospitals, distinguish between minor patients and adult patients. For example, the state of Washington requires hospitals to preserve and maintain the medical records of adult patients for a period of no less than ten years following the most recent discharge of the patient. However, Washington law imposes a different requirement for minors: the hospital records of minors must be retained for a period of no less than three years following attainment of the age of eighteen years, or ten years following the most recent discharge, whichever is longer.
