How long does HIPAA require you to store medical records? | Haekka Blog (2024)

How long do you need to retain medical records under HIPAA? HIPAA does define which records must be kept, but they are not the records most people have in mind when they think about HIPAA.

In this article we detail what HIPAA requires in terms of retaining medical records. We also cover the medical record retention requirements for every state in the United States.

The HIPAA Security Rule (45 CFR § 164.316) requires covered entities and business associates to keep records of the policies and procedures they rely on to maintain compliance. They must also document actions or activities that could affect the security of PHI.

Organizations must maintain these records for at least 6 years from the date of creation or 6 years after the “last effective date”, whichever is later. The “last effective date” is the last day the policies, procedures, or systems are still in use.
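The "whichever is later" rule is easy to get wrong when a policy is still in force, because its retention clock has not started yet. The Python below is an added illustration, not code from the Haekka article; the document fields and the sample inventory are constructed for the example, and it applies the six-year minimum from the paragraph above to each record.

```python
# Added example (not from the Haekka article): compute the retention deadline
# described by 45 CFR 164.316, i.e. six years from creation or six years from
# the date the document was last in effect, whichever is later.
# The record fields and the sample inventory below are constructed for illustration.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

RETENTION_YEARS = 6  # the six-year minimum set by the Security Rule


@dataclass
class ComplianceDocument:
    name: str
    created: date
    # None means the policy/procedure/system is still in use, so the
    # six-year clock has not started yet.
    last_effective: Optional[date] = None


def add_years(d: date, years: int) -> date:
    """Same calendar date `years` later; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(doc: ComplianceDocument) -> Optional[date]:
    """Earliest date the document may be discarded, or None while still in use."""
    if doc.last_effective is None:
        return None
    return max(add_years(doc.created, RETENTION_YEARS),
               add_years(doc.last_effective, RETENTION_YEARS))


def may_dispose(doc: ComplianceDocument, today: date) -> bool:
    """True only once the full retention period has elapsed."""
    end = retention_end(doc)
    return end is not None and today >= end


def disposal_candidates(docs: List[ComplianceDocument], today: date) -> List[str]:
    """Names of documents whose retention period has elapsed as of `today`."""
    return [d.name for d in docs if may_dispose(d, today)]


# Constructed sample inventory (not real records).
SAMPLE_INVENTORY = [
    ComplianceDocument("Risk assessment 2017", date(2017, 9, 1), date(2018, 8, 31)),
    ComplianceDocument("BAA with vendor X (v1)", date(2016, 2, 29), date(2019, 12, 31)),
    ComplianceDocument("Current sanctions policy", date(2020, 1, 15), None),
]

if __name__ == "__main__":
    today = date(2025, 1, 1)
    for doc in SAMPLE_INVENTORY:
        print(f"{doc.name}: retain until {retention_end(doc)}; "
              f"dispose as of {today}? {may_dispose(doc, today)}")
```

Note that a document still in force never becomes a disposal candidate, and that a superseded document is kept for six years after it stopped being used, not six years after it was written.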

Here is a list of what information organizations must retain.

  • Notice of Privacy Policies
  • Employee training policies
      ◦ including sanctions for violating policies
  • Business Associate Agreements
  • Information security policies
  • Risk assessments and recommendations
  • Data recovery plans
  • Privacy policies
  • Authorizations to disclose PHI
  • Breach notification policies
  • PHI access logs
  • PHI modification logs
  • Network firewall and other security control logs
  • Changes to security systems
  • Physical security records
  • Information contained in the designated record set
      ◦ expanded on below

If your company is undergoing an audit, having the documentation listed above is extremely important to protect your organization. Make sure these records are stored in a secure location. Virtual storage such as Google Drive or Dropbox is a reasonable choice, as the data is typically small and the associated costs low.

Contrary to popular belief, HIPAA does not require covered entities or business associates to retain medical records. However, HIPAA mandates that patients have access to the information in their "designated record set" for 6 years after its last effective date. The designated record set is the information used to help clinicians make healthcare decisions for their patients. This includes admission records, billing documents, test results, and official recommendations from doctors. It does not include things such as quality assessments, internal system logs, or any other record that is not used to make health decisions for the patient. In most circumstances, these records are maintained for patient care and for medico-legal reasons.

Patients have the right to access and correct the information contained in their designated record set. Companies have 30 days to provide patients with the information they requested or risk penalties for noncompliance. Make sure your company keeps information that falls into patients' designated record sets secure, yet accessible for compliance purposes.

Many states have passed laws that require covered entities and business associates to keep medical records. Here is the full list of the different lengths of times medical records must be preserved.

[Image: table of medical record retention periods by state; not reproduced in this text version]


Now that you know how long covered entities and business associates must retain medical records, the next step is learning best practices for disposing of PHI. Any record you dispose of must be destroyed so thoroughly that no one can recreate the information it contained.

For paper records, shredding is the best way to dispose of records containing PHI. If possible, avoid throwing shredded records away in publicly accessible dumpsters.

For digital records, make sure to properly wipe any hard drives containing PHI. Have your security team verify that PHI cannot be retrieved from the drives. If necessary, consider physically destroying hard drives that contain medical records, for example with magnets (degaussing). If digital records are stored in the cloud, work with your cloud service provider to ensure that deleted records are inaccessible. One technique often employed is to delete the data and then overwrite the drive that contained the medical records with new data.

Proper disposal of medical records is crucial to ensuring no one can access PHI without authorization.

The key takeaway from all this is that HIPAA does not require you to retain medical records, or PHI, for any specific length of time. HIPAA does require retention of compliance-related records and of the specific records that make up the patient's designated record set.

In addition, states have laws in place that require you to retain medical records for specific lengths of time. In practice, most covered entities store records for extended periods for medico-legal purposes, not simply to meet state requirements.

Business associates, especially large healthcare technology companies, face the challenge of following different requirements across various states. Many business associates define data retention in partnership with covered entities in business associate agreements.

Article information

Author: Zonia Mosciski DO