For 2021 Guidelines for Healthcare Workers, please click here. For 2021 Guidelines for Business Associates, please click here.
Lost in a sea of patient records and unsure how long you need to keep them? You're not alone! HIPAA compliance can be tricky when it comes to record retention, but staying informed can help you avoid unnecessary risks. Our latest blog breaks down everything you need to know about HIPAA retention requirements so you can stay compliant and protect patient data.
What Does HIPAA Stand For?
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was created to protect the privacy and integrity of protected health information. HIPAA is a federal law enforced by the US Department of Health and Human Services (HHS).
HIPAA protects all forms of protected health information (PHI). The HHS describes PHI as all information connected to a person's past, present, or future health condition, including treatment and payment. There are currently 18 identifiers that make information PHI, some of which include email addresses, IP addresses, fax numbers, phone numbers, and so on.
To ensure protection, the HHS enforces different HIPAA rules. For example, the Privacy Rule expects covered entities to use PHI in a manner that protects the patient from unauthorized identification. This means that PHI in all media forms must remain private. In cases where information is made public, it must be de-identified. The Privacy Rule also regulates how PHI is stored, transferred, processed, and even destroyed.
What Are the HIPAA Retention Requirements for Health Records?
HIPAA regulates how health records are retained. Under the Privacy Rule, HIPAA requires all covered entities and business associates to keep records of actions, policies, procedures, and other training attestations for at least 6 years from creation or from when the policy was last in effect, whichever is later. For example, if a policy was in place for five years before it was stopped or altered, the original documentation must be kept for at least 11 years after it was created. Other documents subject to the record retention rule include:
- Patient authorization
- Risk assessments
- Notices of privacy practices
- Employee sanction policies
- Incident and breach notifications
- Business associate agreements
- Access logs
- IT security system reviews
What Does the HIPAA Privacy Rule Require for Retaining Medical Records?
The Privacy Rule does not dictate a set time for retaining medical records. This is because various factors influence the duration of retention. Some of these factors include:
- Provider type (e.g., medical office vs hospital)
- Patient age (e.g., adult vs minor)
- Information type (e.g., full medical records vs basic identifying information)
- Patient status at the time of discharge, where applicable.
In addition, the duration of retention is also influenced by state laws. Each state has its own rules prescribing how long entities must retain health records. In some cases, regulations can also vary within states.
Overall, certain types of entities may need to hold onto patient health records longer than others, and some types of records must be kept longer than others regardless of the entity holding them. Although HIPAA makes no recommendations on the duration of retention, it does demand that entities:
- Store and protect retained files to the same high standards as active files
- Have clear and appropriate policies and procedures around record retention
- Dispose of records using HIPAA-approved measures when the time comes
- Be able to document their records policies and record handling to prove compliance
- Dispose of hardcopy documents using any of these methods: disintegration, melting, incineration, pulverization, or shredding. Recommended disposal methods for electronic records include clearing or purging. Entities can dispose of files themselves or hire qualified service providers to do it for them. In either case, they need to be able to document their compliance.
Medical Record Retention Requirements by State
Most states have two separate sets of guidelines on how long to keep HIPAA data. The first set applies to medical doctors and their practices. The second applies to hospitals. For example, in Florida, doctors are required to keep a patient's medical records for 5 years from the last contact with the patient while hospitals keep theirs for 7 years. In Texas, doctors are required to do so for 7 years while hospitals do for 10 years.
Some states, such as Minnesota, require hospitals to hold onto records indefinitely in electronic or microfilm form. Overall, state laws require medical providers to:
- Keep adults' records between six and 10 years
- Keep minors' records until several years past the age of majority or longer
- Base record retention periods on when patients last received care
For a comprehensive and detailed breakdown of each state's laws and how they differ, you can see the federal government's official list here.
Common HIPAA Retention Mistakes
Mistakes happen when employers fail to meet all of the HIPAA retention requirements. These mistakes inadvertently trigger a violation of the HIPAA Privacy Rule, the Security Rule, or both. Common mistakes include:
Improper Documentation
We think it's unlikely that employers will forgo documentation altogether. But it is very possible to document improperly. What, then, is the proper way to document? It depends on the context. Take a business associate agreement, for example. Most people will agree that covered entities must have a written agreement with their business associates. But did you know that you should also have an agreement with the subcontractors of your business associates? One way to avoid this mistake is to take accredited, in-depth HIPAA courses. Our HIPAA for Business Associates course is a great example.
Improper Disposal of Records
This is a common mistake. Improper disposal of records puts the privacy and integrity of patients' PHI at risk, and the consequences can be severe. In 2022, the OCR fined a beauty clinic in New England $300,640. A year before this, the establishment had dumped labeled specimen bottles in a regular dumpster. The labels contained patients' names, addresses, dates of birth, and even the names of the personnel who collected the specimens, putting the PHI of 58,106 patients at risk.
A good way to avoid this mistake is to train the entire workforce properly in HIPAA compliance. This training must not only cover the principles of HIPAA but also adapt them to different work contexts. For example, our courses HIPAA for Dental Offices, HIPAA for Medical Staff, and HIPAA for Health Workers not only cover the principles of HIPAA rules and regulations but also discuss topics that are unique to each job description.
Premature Disposal
Premature disposal puts employers at risk of noncompliance penalties from the OCR. If a patient is refused access to a record because it has been deleted prematurely, the OCR will penalize the covered entity. Premature disposal also exposes covered entities to other legal risks. For example, if a patient were to take legal action against a covered entity, it would be difficult to meet certain legal requirements, or even to defend a claim, if the necessary documents were no longer available.
In conclusion, it's important to distinguish the HIPAA data retention requirements for medical records from those for other health records, such as policies, procedures, and compliance documentation. It's also important to know how these requirements work to protect the privacy and integrity of PHI. You should also know how to create a HIPAA data retention policy that can serve as a guide for all members of staff.
Begin Your HIPAA Journey Today
Staying compliant with HIPAA retention requirements can help protect patient data and avoid costly penalties. By understanding the guidelines and implementing best practices, healthcare professionals can maintain secure and efficient record-keeping systems. Don’t leave compliance to chance. Enroll in our online HIPAA training today to ensure you, your team, and your organization are following the law. We offer courses for healthcare workers, medical staff, business associates, and dental offices. Start your journey now!