Any organization, agency or health care provider that stores, processes or transmits medical records, medical claims, remittances, or certifications electronically has to comply with HIPAA regulations. All business associates and healthcare facilities are required to protect and safeguard the personal health information of individuals.

How long medical records must be retained for HIPAA compliance
The first thing to remember is that there is no HIPAA medical records retention period. The Privacy Rule does not clearly state how long medical records must be retained. However, covered entities and business associates are required to retain the following data for at least 6 years from the date it was created or from its last effective date.

- Log records pertaining to views and updates of ePHI
- Policies and procedures in effect during the retention period
- Security risk analyses
- Incident documentation for any privacy and security incidents that occur
- Breach notification documentation for any breaches that occur
- Employee sanction documentation
- Complaint and resolution documentation
- Regulatory compliance correspondence and assessment reports
- Business associate agreements with service providers and contractors
- Information systems activity reviews, decisions made, and investigations conducted
- Contingency plans in effect during the retention period
- Contingency plan tests
- Records of the hardware and electronic media used to store ePHI and of their movements

Note that each state sets its own requirements for the retention of medical records in its laws. The retention period differs from state to state; the medical records retention policies of some states are listed here:

- Florida: Physicians must maintain medical records for 5 years after the last patient contact. Hospitals must retain the data for 7 years.
- Nevada: Healthcare providers must maintain medical records for a minimum of 5 years. If the patient is a minor, the data should be kept until the patient reaches 25 years of age.
- North Carolina: Patients' records must be maintained for eleven years from the date of discharge.