HIPAA and Medical Records Retention Requirements

Any organization, agency, or health care provider that stores, processes, or transmits medical records, medical claims, remittances, or certifications electronically must comply with HIPAA regulations. Covered entities (such as healthcare facilities) and their business associates are required to protect and safeguard an individual's protected health information (PHI).

How long medical records must be retained under HIPAA

The first thing to remember is that HIPAA itself sets no retention period for medical records: the Privacy Rule does not state how long a patient's medical record must be kept. What HIPAA does require (45 CFR 164.530(j) in the Privacy Rule and 45 CFR 164.316(b) in the Security Rule) is that covered entities and business associates retain the following documentation for at least six years from the date it was created or the date it was last in effect, whichever is later:

  1. Audit log records of views of and updates to ePHI
  2. Policies and procedures that were in effect during the retention period
  3. Security risk analyses
  4. Incident documentation for any privacy or security incidents that occur
  5. Breach notification documentation for any breaches that occur
  6. Employee sanction documentation
  7. Complaint and resolution documentation
  8. Regulatory compliance correspondence and assessment reports
  9. Business associate agreements with service providers and contractors
  10. Information system activity reviews, the decisions made, and the investigations conducted
  11. Contingency plans that were in effect during the retention period
  12. Contingency plan test results
  13. Records of the movements of hardware and electronic media used to store ePHI

Note that each state sets its own medical record retention requirements in its laws, and the retention period differs from state to state. Because HIPAA does not preempt state laws that are more stringent, a provider must keep records for the longer of the two periods. The medical record retention rules of a few states are listed below:

  1. Florida: physicians must maintain medical records for 5 years after the last patient contact; hospitals must retain records for 7 years.
  2. Nevada: healthcare providers must maintain medical records for a minimum of 5 years. If the patient is a minor, the records must be kept until the patient reaches 25 years of age.
  3. North Carolina: patient records must be maintained for eleven years from the date of discharge.
