Over the years, we have been asked by a number of our clients as well as prospective clients about HIPAA record retention.
Questions we hear often are:
- Are there HIPAA log retention requirements?
- What are HIPAA logging requirements?
- What are HIPAA backup retention requirements?
- What are HIPAA audit trail requirements?
- Do we need to retain ePHI for 6 years to meet HIPAA record retention requirements?
So what does HIPAA require with regard to retaining electronic protected health information (ePHI)? Unfortunately, the US Department of Health and Human Services (HHS) does not have very clear guidance on record retention.
The HHS website states, “The HIPAA Privacy Rule does not include medical record retention requirements. Rather, State laws generally govern how long medical records are to be retained. However, the HIPAA Privacy Rule does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal. See 45 CFR 164.530(c).”
States have differing ePHI record retention requirements for Covered Entities, and by association, Business Associates of Covered Entities. These retention requirements must be complied with even when a Covered Entity or a Business Associate goes out of business. Patients may need access to their health records years after a treatment occurred. If a Covered Entity has gone out of business since the treatment occurred and the patient cannot gain access to their treatment information, it could have a negative impact on the patient.
Research your particular state’s requirements and be sure that your organization is retaining ePHI and PHI according to your state’s requirements.
Where Does the Six Year HIPAA Record Retention Guideline Come From?
Most companies and organizations realize that ePHI should be retained for some period of time.
Section 164.316(b)(1) HIPAA requires that organizations:
“(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.”
Section 164.316(b)(2)(i) also says:
“Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.”
To ensure that your organization remains in compliance with HIPAA, we recommend retaining ePHI in accordance with the six year retention rule outlined above. Also, see this HHS whitepaper describing HIPAA record retention requirements.
What Type of Data Should We Retain?
What, exactly, are the actions, activities, or assessments HIPAA is speaking of that need to be documented and retained? The documentation we believe to be subject to the six year record retention requirement includes the following records, among potential others:
- Policies and procedures in effect during the retention period
- Security risk analyses
- Incident documentation for any privacy and security incidents that occur
- Breach notification documentation for any breaches that occur
- Employee sanction documentation
- Complaint and resolution documentation
- Regulatory compliance correspondence and assessment reports
- Business associate agreements with service providers and contractors
- Physical security maintenance records
- Information systems activity reviews, decisions made, and investigations conducted
- Log records pertaining to views and updates of ePHI
- Contingency plans in effect during the retention period
- Contingency plan tests
- Records of the movements of hardware and electronic media used to store ePHI, including the receipt of any new hardware or electronic media storing ePHI. This record should contain, at a minimum, the name of the person responsible for the item, the location of the item, and any movement of the item.
Do We Need to Retain ALL of our ePHI Data?
We realize that retaining all of your organization’s ePHI for six years or more may be costly. Since HIPAA does not provide crystal clear guidance with regard to HIPAA record retention, we usually recommend that organizations wishing to archive or delete ePHI do so with a thoughtful risk based approach.
For example, an organization may choose to delete certain less important ePHI and retain only key ePHI related to patient treatments and logs of who accessed ePHI and when. If your organization is struggling with which ePHI to retain, we recommend assessing data retention in your risk assessment process and evaluating the risks related to archiving certain data. If your risk assessment supports archiving certain ePHI and retaining other ePHI, we recommend archiving the less important data and retaining a record of the applicable risk assessment. If you would like to discuss HIPAA audits and compliance further, please see our HIPAA audits page.
Summary of HIPAA Record Retention Requirements
In summary, HHS does not provide specific HIPAA record retention requirements for ePHI, however, HHS does provide guidance within Section 164.316(b)(2)(i) that requires that HIPAA related policies and procedures should be retained for six years. HHS recommends six years as a minimum guideline for HIPAA record retention in the absence of more specific guidance.
Other HIPAA Related Blog Posts
See the following past HIPAA related posts on the Linfordco blog:
- HIPAA Wall of Shame
- Understanding HIPAA Security Rule Required vs. Addressable Implementation Specifications
- Importance of HIPAA Business Associate Agreements
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.