HIPAA Retention Requirements Guide

HIPAA retention requirements

Understanding HIPAA retention requirements is essential for professionals working in the health care space. HIPAA regulation is nuanced and full of privacy and security standards that must be addressed to avoid violations. So the question becomes: how can your organization meet its HIPAA retention requirements while keeping your business running smoothly?

First, we need to take a look at what the HIPAA retention requirements are so you can get a sense for how you can best address them within your business.

HIPAA regulation outlines administrative, technical, and physical safeguards that must be addressed to keep protected health information (PHI) safe. PHI is any demographic information that can be used to identify a patient. Common examples of PHI include a patient’s name, address, email, telephone number, insurance ID number, Social Security number, and any part of their medical record, to name a few.

The HIPAA Privacy Rule states that these administrative, technical, and physical safeguards should be implemented in order to “protect the privacy of Protected Health Information for whatever period such information is maintained.”

Put simply, this HIPAA privacy standard states that any PHI that is maintained must be protected for as long as the entity maintains it. By implementing HIPAA administrative, technical, and physical safeguards to protect PHI, businesses can address their HIPAA retention requirements while preventing large-scale breaches of PHI.

State vs. HIPAA Retention Requirements

Under HIPAA regulation, there is no required retention period for which PHI must be maintained. Instead, each state identifies and enforces its own laws for medical record retention. HIPAA retention requirements only extend to the kinds of protections that must be afforded to PHI, but do not identify the length of time for which records must be retained.

That means that health care professionals and their vendors are bound to the laws of the state they operate within for medical record retention requirements. These laws vary widely depending on the state, so be sure to research your individual medical record retention requirements.

HIPAA Retention Requirements: Your Compliance Program

As stated above, federal HIPAA regulation does not identify any medical record retention requirements. However, when it comes to documentation that is required by HIPAA, the regulation does outline very particular retention periods that all HIPAA-beholden entities must obey. That includes any documentation that pertains to your business’s actual HIPAA compliance program.

HIPAA regulation states that all documentation of your compliance efforts must be maintained for six years from the date that the document was created or last in effect. This small nuance basically means that if a policy document was created in 2013, but was effective until 2016, it must be retained until 2022. Contrast that with something like a Notice of Privacy Practices implemented in 2013, which must simply be retained until 2019.

There is not a specific list of documents that must be maintained to comply with HIPAA retention requirements in your business, but some common examples include:

This list is by no means exhaustive, but should give your business a sense for the kind of documentation that must be maintained in order to comply with HIPAA retention requirements.

HIPAA Document Retention Made Easy

Compliancy Group’s web-based HIPAA compliance app, The Guard, gives health care professionals and vendors the tools they need to confidently address their HIPAA compliance.

The Guard is our compliance tracking solution that allows you to create a total HIPAA compliance program that addresses the full extent of the regulation. The Guard stores your compliance program and all the necessary documentation to go along with it right in the cloud.

Our document repository stores your HIPAA mandated documentation for the full six years required by HIPAA regulation. You have the ability to edit your documents and upload new versions, keeping logs of your compliance program so you always have the ability to demonstrate your compliance to federal investigators or HIPAA auditors.
