Over the years, we have been asked by a number of our clients as well as prospective clients about HIPAA record retention.
Questions we hear often are:
So what does HIPAA require with regard to retaining electronic protected health information (ePHI)? Unfortunately, the US Department of Health and Human Services (HHS) does not have very clear guidance on record retention.
The HHS website states, “The HIPAA Privacy Rule does not include medical record retention requirements. Rather, State laws generally govern how long medical records are to be retained. However, the HIPAA Privacy Rule does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal. See 45 CFR 164.530(c).”
States have differing ePHI record retention requirements for Covered Entities, and by association, Business Associates of Covered Entities. These retention requirements must be complied with even when a Covered Entity or a Business Associate goes out of business. Patients may need access to their health records years after a treatment occurred. If a Covered Entity has gone out of business since the treatment occurred and the patient cannot gain access to their treatment information, it could have a negative impact on the patient.
Research your particular state’s requirements and be sure that your organization is retaining ePHI and PHI according to your state’s requirements.
Most companies and organizations realize that ePHI should be retained for some period of time.
HIPAA Section 164.316(b)(1) requires that organizations:
“(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.”
Section 164.316(b)(2)(i) also says:
“Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.”
To ensure that your organization remains in compliance with HIPAA, we recommend retaining ePHI in accordance with the six-year retention rule outlined above. Also, see this HHS whitepaper describing HIPAA record retention requirements.
What, exactly, are the actions, activities, or assessments HIPAA is speaking of that need to be documented and retained? The documentation we believe to be subject to the six-year record retention requirement includes the following records, among potential others:
We realize that retaining all of your organization's ePHI for six years or more may be costly. Since HIPAA does not provide crystal-clear guidance with regard to HIPAA record retention, we usually recommend that organizations wishing to archive or delete ePHI do so with a thoughtful, risk-based approach.
For example, an organization may choose to delete certain less important ePHI and retain only key ePHI related to patient treatments and logs of who accessed ePHI and when. If your organization is struggling with which ePHI to retain, we recommend assessing data retention in your risk assessment process and evaluating the risks related to archiving certain data. If your risk assessment supports archiving certain ePHI and retaining other ePHI, we recommend archiving the less important data and retaining a record of the applicable risk assessment. If you would like to discuss HIPAA audits and compliance further, please see our HIPAA audits page.
In summary, HHS does not provide specific HIPAA record retention requirements for ePHI; however, HHS does provide guidance within Section 164.316(b)(2)(i) that requires HIPAA-related policies and procedures to be retained for six years. HHS recommends six years as a minimum guideline for HIPAA record retention in the absence of more specific guidance.
See the following past HIPAA related posts on the Linfordco blog:
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.