HIPAA Retention Requirements: Know What to Do

  Recent audits suggest that two-thirds of covered entities fail to comply with one or more aspects of HIPAA law. These failures can be costly. In the wake of this news, many covered entities are re-examining HIPPA rules and their compliance with them. One area of intense focus and concern is the topic of HIPAA retention requirements. What is the HIPAA privacy rule requirement for the retention of health records? Is it the same for everyone? Here are the facts.

What Is the HIPAA Privacy Rule Requirement for the Retention of Health Records?

There is a great deal of confusion about how long covered entities must keep medical records to be HIPAA compliant. Much of this confusion stems from the fact that the HIPAA Privacy Rule does not dictate a set length of time for which entities must retain client medical records. Instead, the Privacy Rule defers to states on this point. This does little to make the rules easier to understand, however. As it stands, each state has its own rules prescribing how long entities must retain health records. Moreover, these regulations can vary not only by state but within states. How long a provider must keep patient health records varies by:

  • Provider type (e.g. medical office vs hospital)
  • Patient age (eg. adult vs minor)
  • Information type (e.g. full medical records vs basic identifying information)
  • Patient status at the time of discharge, where applicable

As a result, certain types of entities may need to hold onto patient health records longer than others. Similarly, some types of records must be kept longer than others regardless of the entity holding them. What HIPAA's Privacy and Security Rules do demand is that entities:

  • Store and protect retained files to the same high standards as active files
  • Have clear and appropriate policies and procedures around record retention
  • Dispose of records using HIPPA-approved measures when the time comes
  • Be able to document their records policies and record handling to prove compliance

HIPAA Data Destruction Policy

In most cases, neither HIPAA nor individual states dictate what form medical records must be kept in. Entities may keep documents in hard copy or digitally so long as they are held and managed to appropriate safety standards. However long entities hold on to information, HIPAA regulations require that entities dispose of hard-copy documents using one of the following methods:

  • Disintegration
  • Pulverization
  • Melting
  • Incineration
  • Shredding

Entities can dispose of files themselves or hire qualified service providers to do it for them. In either case, they need to be able to document their compliance. Per the HIPAA Security Rule, entities may dispose of digital files via clearing or purging. Again, entities may do this themselves or contract with someone else to do it and must be able to show compliance.

Medical Record Retention Requirements by State

Most states have two separate sets of record retention guidelines. The first set applies to medical doctors and their practices. The second applies to hospitals. This division reflects the different types of care patients tend to receive in each setting. It also reflects common differences in the types of records each setting creates and their uses. Thus, state laws usually call for medical providers to:

  • Keep adults' records between six and 10 years
  • Keep minors' records until several years past the age of majority or longer
  • Base record retainment periods on when patients last received care

By contrast, state laws often call for hospitals to keep records for 20 to 30 years after patient discharge. Some states, such as Minnesota, require hospitals to hold on to records indefinitely in electronic or microfilm form. They may also contain special regulations pertaining to situations such as:

  • Patients' soundness of mind at the time of discharge
  • Patients' age at the time of discharge
  • Incidences of wrongful death

To further complicate matters, there is no national standard on when records retention countdown begins. Some start counting the day an entity creates a record. Others start counting on the date that a patient was discharged or last served in any capacity. At the same time, some states have almost no laws at all. Wyoming, for instance, places no formal restrictions on record-keeping the way that other states do.

State Requirements Around Patient Age

Both hospital and medical doctor records retention guidelines tend to be further broken down by patient age. Different rules apply to minors' records than adults' records. Laws surrounding minors' records often reflect the facts that:

  • Minors usually cannot request or hold their own records independently
  • Minors need and deserve an opportunity to request copies of their own records once they reach majority
  • Lawmakers want to give minors ample opportunity to access their records once they are of age or emancipated

For a comprehensive and detailed breakdown of each state's laws and how they differ, see the federal government's official list.

Mitigating Circumstances

Special circumstances can alter the rules in effect at any given time. For example, additional regulations and restrictions go into place when:

  • Patients die a wrongful death
  • There are open legal requests for the records in question
  • The records in question are relevant to an ongoing legal case

These qualifiers are important to take into consideration when:

  • Writing and updating policies and procedures
  • Planning for record-keeping and disposal
  • Training staff
  • Performing HIPAA compliance audits

HIPAA Retention Requirements for Other Documents

When covered entities think of the data retention requirements HIPAA rules set out, they often think first and foremost of health records. While this is understandable, it can lead to glaring gaps in record-keeping and record-retention policies. This is because while HIPAA does not lay out a standardized time frame for keeping patient medical records, it does establish retention times for other types of documents. Entities must keep the following documents:

  • Business associate contracts and agreements
  • Documentation of breach notifications
  • Documentation of employee sanctions
  • Analyses of security risks
  • IT system reviews
  • Privacy practices and policies
  • Disaster contingency plans
  • PHI reviewing logs
  • Records of physical security maintenance and updates

They must retain these records for at least six years starting either on the date the file was created or the last day it was valid, whichever is later.

State Rules vs HIPAA Rules

Individual states may have their own regulations on how long entities must keep these same documents. By law, entities must comply with whichever terms are longer. For example, if an entity's state has an eight-year limit, it would keep documents for eight years as that is the longer timeframe. If an entity's state has a four-year limit, the entity would keep documents for HIPAA's required six years as that is the longer period. It is critical to keep in mind that entities with campuses in multiple states may face several different standards. In these cases, it is often best to keep records for the maximum applicable length of time. This avoids accidental violation of any standards.

Special Circumstances

While the six-year rule applies to most non-Health Record documents, there are exceptions. Entities that submit cost reports to The Centers for Medicare & Medicaid Services (CMS) must keep those reports for no less than five years. Medicare managed care program providers must keep their records for at least 10 years, per CMS regulations. Some documents cannot be disposed of at all. Documents governed by the Employee Retirement Income Security Act and Fair Labor Standards Act are good examples. Entities must hold these documents in perpetuity.

Managing Documents

Between HIPAA backup retention requirements, state laws, and special circumstances, document management can be challenging. Covered entities often struggle to:

  • Identify all the applicable rules
  • Craft policies that comply with all the applicable rules
  • Articulate policies clearly and concisely in ways everyone can follow
  • Verify and document that they are in compliance

The best way to accomplish these goals is to perform a comprehensive data audit. This enables entities to clarify and see at a glance:

  • What data they handle
  • What rules apply to that data
  • Where policies need updating to achieve compliance
  • What training employees and business associates need to achieve compliance

If that sounds like an enormous undertaking, that's because it often is. Fortunately, it is not a project that entities need to complete alone. The training aspect, in particular, is often best handled by outsourcing. Entities can take advantage of pre-existing courses for:

  • Business associates
  • Health care workers
  • Human Resources professionals
  • Medical and Dental office staff

They can also use state-specific courses where applicable. This can help entities who have put in the hard work to get compliant remain in compliance moving forward.

Learn More

Learn more about how the right training can help covered entities achieve and maintain compliance with HIPAA retention requirements today. Contact us and let our experts help you source the tools and resources you need without delay.

For 2021 Guidelines for Healthcare Workers, please click here. For 2021 Guidelines for Business Associates, please click here.