Memo: HIPAA log retention requirements

The subtle distinction between HIPAA medical records retention and HIPAA record retention can cause confusion when discussing HIPAA retention requirements.

There is No HIPAA Medical Records Retention Period

The Privacy Rule does not stipulate how long medical records must be retained because HIPAA itself sets no medical records retention period. Each state has its own laws governing the retention of medical records, and – unlike in other areas of the Health Insurance Portability and Accountability Act – HIPAA does not pre-empt them.

Consequently, each Covered Entity and Business Associate is bound by the laws of its own state with regard to how long medical records must be retained, rather than by any specific HIPAA medical records retention period. State retention periods can vary considerably depending on the nature of the records and to whom they belong. For example:

  • In Florida, physicians must maintain medical records for five years after the last patient contact, whereas hospitals must maintain them for seven years.
  • In Nevada, healthcare providers are required to maintain medical records for a minimum of five years, or – in the case of a minor – until the patient is twenty-three years of age.
  • In North Carolina, hospitals must maintain patients' records for eleven years from the date of discharge, and records relating to minors must be retained until the patient is thirty.

The HIPAA Retention Requirements

Although there are no HIPAA retention requirements for medical records, there is a requirement governing how long other HIPAA-related documents must be retained. This is covered in CFR §164.316(b)(1), which states that Covered Entities must maintain the policies and procedures implemented to comply [with HIPAA], together with records of any action, activity or assessment.

CFR §164.316(b)(2)(i) stipulates that these documents must be retained for a minimum of six years from the date the document was created or – in the case of a policy – from the date it was last in effect, whichever is later. Therefore, if a policy is in effect for three years before being revised, a record of the original policy must be retained for a minimum of nine years after its creation (three years in effect plus six years from the date it was superseded).

The list of documents subject to the HIPAA retention requirements is extensive and depends on the nature of the business conducted by the Covered Entity or Business Associate. The following list covers the most common types of document, but not every entry applies to every organization: health plans and healthcare clearinghouses, for example, do not issue Notices of Privacy Practices and so would not be required to retain copies of them.

  • Notices of Privacy Practices.
  • Authorizations for the Disclosure of PHI.
  • Risk Assessments and Risk Analyses.
  • Disaster Recovery and Contingency Plans.
  • Business Associate Agreements.
  • Information Security and Privacy Policies.
  • Employee Sanction Policies.
  • Incident and Breach Notification Documentation.
  • Complaint and Resolution Documentation.
  • Physical Security Maintenance Records.
  • Logs Recording Access to and Updating of PHI.
  • IT Security System Reviews (including new procedures or technologies implemented).

Contains information obtained from HIPAA Journal.

“Clarifying the HIPAA Retention Requirements”. HIPAA Journal. Retrieved September 3, 2018.