HIPAA Data Retention Requirements

HIPAA's data retention requirements apply to both covered entities and business associates: each must maintain certain documentation for a specified time frame. If the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) audits a covered entity or business associate, OCR may demand production of these records for inspection.

What Documents are Subject to HIPAA Data Retention Requirements?

Under the HIPAA regulations, covered entities must retain the following for at least six years from either the date of creation or the last “effective date,” whichever is later:

  • A written or electronic record of a designation of an organization as a covered entity or business associate.
  • Information security and privacy policies and procedures implemented to comply with HIPAA.
  • All documented assessments required by HIPAA.
  • All data use agreements and other forms supporting HIPAA compliance.
    • A data use agreement (DUA) is an agreement governed by the HIPAA Privacy Rule. The agreement is entered into between a covered entity and a researcher. Under the data use agreement, the covered entity may disclose a limited data set to the researcher for research, public health, or healthcare operations.
      • Under the HIPAA Privacy Rule, a limited data set is a set of identifiable healthcare information that covered entities are permitted to share with certain entities for research purposes, public health activities, and healthcare operations, without obtaining prior patient written authorization.
      • A limited data set excludes specified direct identifiers (pieces of information that directly identify research subjects) of the individual or of relatives, employers, or household members of the individual.
  • All signed authorizations and, where applicable, written acknowledgments of receipt of the notice or documentation of good faith efforts to obtain such written acknowledgments.
  • The Notice of Privacy Practices.
  • Designated record sets that are subject to access by individuals.
    • A “designated record set” is defined as a group of records maintained by or for a covered entity that comprises the:
      • Medical records and billing records about individuals maintained by or for a covered healthcare provider;
      • Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
      • Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals.
  • Documentation of the titles of the persons or offices responsible for HIPAA compliance. This includes the titles and offices of the persons who serve as the organization’s Privacy Officer and Security Officer, who generally have overall responsibility for compliance. The titles of the persons and offices responsible for receiving and processing individuals’ requests for amendments to medical records, and of those responsible for receiving and processing individuals’ requests for an accounting, must also be documented.
  • Accounting of disclosures of protected health information (PHI).

In addition, covered entities should be familiar with applicable data retention requirements imposed by state law or by federal laws other than HIPAA. Such laws may require covered entities to retain documents beyond those HIPAA requires them to retain.