Both covered entities and business associates are subject to HIPAA record retention requirements, which require them to keep certain compliance documents for a set period of time.
If the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) audits a covered entity or business associate, OCR may demand production of these records for inspection.
What Documents are Subject to HIPAA Data Retention Requirements?
Business associates and covered entities must keep the following for at least six years from the date of creation or the date the document was last in effect, whichever is later.
- A written or electronic record of the organization’s designation as a covered entity (e.g., health plan, affiliated covered entity, etc.) or business associate.
- The information security and privacy policies and procedures that HIPAA requires the organization to develop.
- All settings, actions, and assessments that HIPAA requires to be documented.
- All data use agreements and other documents that HIPAA requires.
- The Notice of Privacy Practices for entities that must provide them.
- Designated record sets that are subject to access by individuals.
- Documentation of the titles of the people or offices in charge of HIPAA compliance, including not only those with overall responsibility for compliance, but also those responsible for receiving and processing individuals’ requests for amendment and individuals’ requests for an accounting of disclosures.
- Accounting of disclosures of protected health information (PHI).
In addition to understanding what HIPAA demands in terms of retention, covered entities and business associates must be aware of their other legal retention obligations, which may include state, federal, international, and contractual requirements. HIPAA’s six-year rule covers compliance documentation, not the medical records themselves; retention periods for medical records are set by state law.
For example, Connecticut state law requires medical records to be retained for seven years, and some of the records it covers fall outside HIPAA’s definition of PHI.