Memo: HIPAA log retention requirements

The subtle distinction between HIPAA medical records retention and HIPAA record retention can cause confusion when discussing HIPAA retention requirements.

There is No HIPAA Medical Records Retention Period

The Privacy Rule does not stipulate how long medical records should be retained because there is no HIPAA medical records retention period. Each state has its own laws governing the retention of medical records, and – unlike in other areas of the Health Insurance Portability and Accountability Act – HIPAA does not pre-empt them.

Consequently, each Covered Entity and Business Associate is bound by the laws of its state with regard to how long medical records have to be retained rather than by any specific HIPAA medical records retention period. The states' retention periods can vary considerably depending on the nature of the records and to whom they belong. For example:

  • In Florida, physicians must maintain medical records for five years after the last patient contact, whereas hospitals must maintain them for seven years.
  • In Nevada, healthcare providers are required to maintain medical records for a minimum of five years, or – in the case of a minor – until the patient is twenty-three years of age.
  • In North Carolina, hospitals must maintain patients' records for eleven years from the date of discharge, and records relating to minors must be retained until the patient is thirty.

The HIPAA Retention Requirements

Although there are no HIPAA retention requirements for medical records, there is a requirement about how long other HIPAA-related documents should be retained. This is covered in CFR §164.316(b)(1), which states Covered Entities must maintain the policies and procedures implemented to comply [with HIPAA] and records of any action, activity or assessment.

CFR §164.316(b)(2)(i) stipulates that the documents must be retained for a minimum of six years from when the document was created or – in the case of a policy – from when it was last in effect, whichever is later. Therefore, if a policy is implemented for three years before being revised, a record of the original policy must be retained for a minimum of nine years after its creation.
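As an added illustration that is not part of the memo or the HIPAA Journal material, the retention rule above expressed as a small Python calculator over a documentation inventory: the six-year clock runs from creation or, for a policy, from the date it was last in effect, whichever is later, so a policy superseded three years after creation is retained for nine years from creation. The inventory entries, dates and helper names (RetainedDocument, retain_until, disposal_eligible) are constructed for this example; a policy that is still in effect has not started its clock, which the code models by anchoring it at today's date.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# 164.316(b)(2)(i): six years from creation or from last-in-effect, whichever is later.
RETENTION_YEARS = 6


@dataclass
class RetainedDocument:
    """One entry in a HIPAA documentation inventory (constructed example type)."""
    name: str
    created: date
    is_policy: bool = False
    # Policies only: the date this version stopped being in effect (None = still in effect).
    superseded: Optional[date] = None


def add_years(d: date, years: int) -> date:
    """Add calendar years; a Feb 29 anchor lands on Feb 28 in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_anchor(doc: RetainedDocument, today: date) -> date:
    """The date from which the six-year clock runs for this document."""
    if doc.is_policy:
        # A policy still in effect has not started its clock; the earliest the
        # clock could start is today, so today is the anchor until it is superseded.
        last_in_effect = doc.superseded if doc.superseded is not None else today
        return max(doc.created, last_in_effect)
    return doc.created


def retain_until(doc: RetainedDocument, today: date) -> date:
    """Earliest date on which the HIPAA minimum retention period has run."""
    return add_years(retention_anchor(doc, today), RETENTION_YEARS)


def disposal_eligible(docs: List[RetainedDocument], today: date) -> List[str]:
    """Names of documents whose HIPAA minimum retention has expired as of `today`.

    State law or a litigation hold may require keeping a record longer; only the
    federal minimum from 164.316(b)(2)(i) is modelled here.
    """
    return sorted(d.name for d in docs if retain_until(d, today) <= today)


# Constructed inventory for demonstration (not real organisational records).
INVENTORY = [
    RetainedDocument("Privacy policy v1", date(2010, 1, 1), is_policy=True,
                     superseded=date(2013, 1, 1)),          # 3 years in effect -> keep 9 years
    RetainedDocument("Privacy policy v2", date(2013, 1, 1), is_policy=True),  # still in effect
    RetainedDocument("2012 risk analysis", date(2012, 6, 15)),
    RetainedDocument("Breach notification log 2016", date(2016, 3, 1)),
]

# Reference date used by the demonstration below.
EXAMPLE_TODAY = date(2019, 6, 1)

if __name__ == "__main__":
    for item in INVENTORY:
        print(f"{item.name}: retain until {retain_until(item, EXAMPLE_TODAY)}")
    print("eligible for disposal:", disposal_eligible(INVENTORY, EXAMPLE_TODAY))
```

Running the block lists the retain-until date for each constructed entry and, as of the reference date, reports the superseded policy and the 2012 risk analysis as past their federal minimum; the still-active policy's date moves forward with today's date, which is the reason a policy cannot be scheduled for disposal until it has been replaced.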

The list of documents subject to the HIPAA retention requirements is extensive and depends on the nature of the business conducted by the Covered Entity or Business Associate. The following list shows the most common types of document, but not every item applies to every entity; for example, health plans and healthcare clearinghouses do not issue Notices of Privacy Practices, so would not be required to retain copies of them:

  • Notices of Privacy Practices.
  • Authorizations for the Disclosure of PHI.
  • Risk Assessments and Risk Analyses.
  • Disaster Recovery and Contingency Plans.
  • Business Associate Agreements.
  • Information Security and Privacy Policies.
  • Employee Sanction Policies.
  • Incident and Breach Notification Documentation.
  • Complaint and Resolution Documentation.
  • Physical Security Maintenance Records.
  • Logs Recording Access to and Updating of PHI.
  • IT Security System Reviews (including new procedures or technologies implemented).

Contains information obtained from HIPAA Journal.

“Clarifying the HIPAA Retention Requirements”. HIPAA Journal. Retrieved September 3, 2018.

HIPAA Security Rule Standards and Implementation Specifications

HIPAA is a set of standards introduced by the U.S. Congress in 1996. The Act consists of rules governing protected health information (PHI) including Security, Privacy, Identifiers, and Transactions and Code Sets. The purpose of the HIPAA Security Rule is to promote the protection and privacy of sensitive PHI used within the healthcare industry by organizations called “covered entities.” As a result of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, both covered entities and business associates are now accountable to the United States Department of Health and Human Services (HHS) and individuals for appropriately safeguarding private patient information.

The HIPAA Security Rule Standards and Implementation Specifications has four major sections, created to identify relevant security safeguards that help achieve compliance: 1) Physical; 2) Administrative; 3) Technical; and 4) Policies, Procedures and Documentation Requirements.

Organizations must implement reasonable and appropriate solutions and management policies and procedures to comply with HIPAA technical standards and implementation specifications. It’s important to perform a formal security risk assessment for each of the safeguards in the HIPAA Security Rule. Management’s decisions related to risk aversion and tolerance must be documented in the security risk assessment to identify potential compliance gaps. For many organizations, it is difficult to determine how the Rule applies. Navigating the type of technologies and processes that are needed to achieve compliance can be challenging.

Under the HIPAA Security Rule, implementation of standards is required, and implementation specifications are categorized as either “required” (R) or “addressable” (A). For required specifications, covered entities must implement the specifications as defined in the Security Rule. For addressable specifications, a covered entity must assess whether the implementation of the specification is reasonable and appropriate for its environment and the extent to which it is appropriate to protect ePHI. Following the security risk assessment, the covered entity must either implement the addressable specification, or document why it would not be reasonable and appropriate to implement and identify alternative and/or compensating safeguards as reasonable and appropriate.

Administrative Safeguards

  • 164.308(a)(1)(ii)(A) Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
  • 164.308(a)(1)(ii)(B) Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).
  • 164.308(a)(1)(ii)(C) Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
  • 164.308(a)(1)(ii)(D) Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
  • 164.308(a)(2) Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart [the Security Rule] for the entity.
  • 164.308(a)(3)(ii)(A) Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
  • 164.308(a)(3)(ii)(B) Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
  • 164.308(a)(3)(ii)(C) Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) [the Workforce Clearance Procedure] of this section.
  • 164.308(a)(4)(ii)(A) If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
  • 164.308(a)(4)(ii)(B) Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.
  • 164.308(a)(4)(ii)(C) Implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.
  • 164.308(a)(5)(ii)(A) Periodic security updates.
  • 164.308(a)(5)(ii)(B) Procedures for guarding against, detecting, and reporting malicious software.
  • 164.308(a)(5)(ii)(C) Procedures for monitoring log-in attempts and reporting discrepancies.
  • 164.308(a)(5)(ii)(D) Procedures for creating, changing, and safeguarding passwords.
  • 164.308(a)(6)(ii) Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
  • 164.308(a)(7)(ii)(A) Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
  • 164.308(a)(7)(ii)(B) Establish (and implement as needed) procedures to restore any loss of data.
  • 164.308(a)(7)(ii)(C) Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
  • 164.308(a)(7)(ii)(D) Implement procedures for periodic testing and revision of contingency plans.
  • 164.308(a)(7)(ii)(E) Assess the relative criticality of specific applications and data in support of other contingency plan components.
  • 164.308(a)(8) Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operations changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart [the Security Rule].
  • 164.308(b)(4) Document the satisfactory assurances required by paragraph (b)(1) [the Business Associate Contracts and Other Arrangements] of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314(a) [the Organizational Requirements].

Organizational Requirements

  • 164.314(a)(2)(i) Business associate contract must meet certain requirements.
  • 164.314(a)(2)(ii) Applies to government organizations only.
  • 164.314(b)(1) n/a
  • 164.316(a) Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in 164.306(b)(2)(i), (ii), (iii), and (iv) [the Security Standards: General Rules, Flexibility of Approach]. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change
  • 164.316(b)(1)(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.
  • 164.316(b)(2)(i) Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
  • 164.316(b)(2)(ii) Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
  • 164.316(b)(2)(iii) Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.

Physical Safeguards

  • 164.310(a)(2)(i) Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
  • 164.310(a)(2)(ii) Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
  • 164.310(a)(2)(iii) Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
  • 164.310(a)(2)(iv) Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors and locks).
  • 164.310(b) Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
  • 164.310(c) Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.
  • 164.310(d)(2)(i) Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
  • 164.310(d)(2)(ii) Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
  • 164.310(d)(2)(iii) Maintain a record of the movements of hardware and electronic media and any person responsible therefor.
  • 164.310(d)(2)(iv) Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.

Technical Safeguards

  • 164.312(a)(2)(i) Assign a unique name and/or number for identifying and tracking user identity.
  • 164.312(a)(2)(ii) Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
  • 164.312(a)(2)(iii) Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
  • 164.312(a)(2)(iv) Implement a mechanism to encrypt and decrypt electronic protected health information.
  • 164.312(b) Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
  • 164.312(c)(2) Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
  • 164.312(d) Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
  • 164.312(e)(2)(i) Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
  • 164.312(e)(2)(ii) Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.