How long must you retain most HIPAA documentation?


How long should you retain medical records? The answer depends on where you operate: HIPAA itself sets no retention period for medical records, but it does require that HIPAA-related documentation be kept for a defined minimum period, and state law governs the records themselves.

For example, while email archiving is not itself required by HIPAA’s Security Rule, emails that form part of HIPAA-required documentation (a signed authorization, a record of a disclosure) fall under the six-year minimum, and for that period they must be protected from alteration and deletion.

What Is HIPAA and the Privacy Rule?

The Health Insurance Portability and Accountability Act (HIPAA) governs how healthcare providers, health plans, clearinghouses, and their vendors handle patient information. The regulations are organized into three main rules:

  1. The Privacy Rule, which defines Protected Health Information (PHI) and the responsibilities Covered Entities (CEs) and Business Associates (BAs) have in controlling access to and disclosure of PHI.
  2. The Security Rule, which sets the minimum administrative, physical, and technical safeguards CEs and BAs must implement to protect electronic PHI (ePHI).
  3. The Breach Notification Rule, which dictates how a CE or BA must notify affected individuals, the Secretary of HHS, and, for larger breaches, the media in the event of a breach of unsecured PHI.

For medical record storage and retention, CEs and BAs must follow both the Privacy and Security Rules. Each contains its own retention clause: the Privacy Rule (45 CFR 164.530(j)) for privacy documentation and the Security Rule (45 CFR 164.316(b)) for security documentation. The Security Rule’s device and media controls (45 CFR 164.310(d)) govern the final disposition of hardware and media holding ePHI.

It is important to note that these retention periods apply to HIPAA-required documentation, not to the medical records themselves. Medical record retention periods are set by individual states.


What Are the HIPAA Data Retention Requirements for Covered Entities?

Under HIPAA, CEs and BAs must retain required documentation for no fewer than six years from the date of its creation or the date it was last in effect, whichever is later.

This regulatory standard only applies to specific documents, including:

  1. The written or electronic record that designates the organization as a CE or a BA.
  2. All documentation of security and privacy policies and procedures that demonstrate HIPAA compliance.
  3. HIPAA-required assessment documentation, such as risk analyses.
  4. Business associate agreements, data use agreements, and other forms required by HIPAA.
  5. Signed authorizations from patients allowing CEs or BAs to disclose PHI, or documentation of efforts to obtain those authorizations.
  6. Notices of Privacy Practices and acknowledgments of receipt.
  7. Documentation of the HIPAA privacy and security officers and any other individuals in the organization responsible for maintaining compliance, including names, titles, and contact information.
  8. Accounting of disclosures of PHI.

Patients’ medical and billing records themselves are not covered by this six-year rule; their retention periods are set by state law. Note that HIPAA preempts state law only where the state law is less protective: where a state requires a longer retention period than HIPAA, the longer period applies.

These documentation retention requirements are the same for Covered Entities and Business Associates. Archived documents are still ePHI, so the Security Rule’s safeguards (access control, integrity protection, encryption, audit logging) apply to long-term storage exactly as they do to live systems; check with your storage provider or IT staff that archives meet them.

HIPAA does not require online (cloud) backup specifically, but the Security Rule’s contingency plan standard (45 CFR 164.308(a)(7)) does require a data backup plan that maintains retrievable exact copies of ePHI, and under HITECH a cloud backup provider that holds ePHI is itself a Business Associate.
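The retention rule above reduces to a small calculation that is easy to get wrong at the edges: the clock starts at the later of creation or last-in-effect date, documents still in effect have no clock yet, and a longer state period overrides the six-year floor while a shorter one does not. The following is an added example (not Kiteworks code, and the document names, dates, and state periods are constructed for illustration) that computes a disposal-eligibility schedule under those rules.

```python
"""Retention schedule for HIPAA-required documentation (constructed example).

The six-year floor (45 CFR 164.316(b)(2)(i) and 164.530(j)(2)) runs from the
later of the document's creation date or the date it was last in effect.
Where another law (e.g. a state statute) requires a longer period, the longer
period wins; a shorter one never shortens the floor. A document still in
effect has no end date yet and is never eligible for disposal.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

HIPAA_MIN_YEARS = 6


@dataclass(frozen=True)
class Document:
    name: str
    created: date
    last_in_effect: Optional[date]  # None = still in effect (clock not started)
    state_min_years: int = 0        # assumed figure from other law; 0 if none applies


def add_years(d: date, years: int) -> date:
    """Calendar-year addition; Feb 29 rolls back to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retain_until(doc: Document) -> Optional[date]:
    """Last day of the retention period, or None if the clock has not started."""
    if doc.last_in_effect is None:
        return None
    clock_start = max(doc.created, doc.last_in_effect)  # "whichever is later"
    years = max(HIPAA_MIN_YEARS, doc.state_min_years)    # longer period prevails
    return add_years(clock_start, years)


def disposal_eligible(doc: Document, today: date) -> bool:
    """True only once the whole retention period has elapsed."""
    until = retain_until(doc)
    return until is not None and today > until


def disposal_schedule(docs: List[Document], today: date) -> List[Tuple[str, Optional[date], bool]]:
    return [(d.name, retain_until(d), disposal_eligible(d, today)) for d in docs]


# Constructed sample records (names and dates are illustrative, not real data).
SAMPLE_DOCS = [
    Document("privacy-policy-v1", date(2015, 3, 1), date(2018, 6, 30)),
    Document("authorization-J.Doe", date(2017, 5, 10), date(2017, 5, 10)),
    Document("security-policy-current", date(2019, 1, 1), None),
    Document("retired-BA-agreement", date(2012, 2, 29), date(2016, 2, 29), state_min_years=10),
]


def demo_schedule() -> Dict[str, Tuple[Optional[str], bool]]:
    """Schedule as of a fixed date, with ISO strings for easy inspection."""
    today = date(2025, 1, 15)
    return {
        name: (until.isoformat() if until else None, ok)
        for name, until, ok in disposal_schedule(SAMPLE_DOCS, today)
    }


if __name__ == "__main__":
    for name, (until, ok) in demo_schedule().items():
        print(f"{name:26} retain until {until}  eligible={ok}")
```

The leap-day case is deliberate: a period that starts on 29 February ends on 28 February in a non-leap year, and a naive `replace(year=...)` raises instead of rolling back. Anything the schedule marks eligible still has to pass through the disposal methods described later on this page rather than a plain delete.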

What Are HIPAA-compliant Record Disposal Methods?

Data protection requirements don’t end when CEs and BAs dispose of medical records.

This is because:

  • Data on discarded storage devices can be recovered, which is an impermissible disclosure of PHI.
  • Media that has been improperly wiped, or merely had its files deleted, can still hold recoverable PHI.

HHS disposal guidance, which follows NIST SP 800-88, groups acceptable methods into clearing, purging, and destroying:

  1. Paper records must be burned, shredded, pulped, or pulverized so that the PHI cannot be read or reconstructed.
  2. Prescription bottles and other labeled objects carrying PHI must be destroyed, usually through a third-party BA that disposes of physical items.
  3. Electronic media must be cleared by overwriting with non-sensitive data, purged by degaussing (magnetic media only) or a device-level secure erase, or physically destroyed by shredding, pulverizing, or incineration. Simply deleting files or reformatting does not qualify.
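The "clear" category above means overwrite and then verify, not just overwrite. The following is an added example (not Kiteworks code; the ePHI sample is constructed) showing a file-level clear-and-verify: random then zero passes, each fsynced, followed by an independent read-back to confirm that only zeros remain before the file is unlinked. Its caveat matters more than its code: a file-level overwrite is only reliable on media that rewrite blocks in place. SSD wear levelling, copy-on-write and journaling filesystems, snapshots, and backups can keep old copies out of reach, so for those a device-level purge (crypto-erase, ATA secure erase, degaussing of magnetic media) or physical destruction is required.

```python
"""File-level clear-and-verify for a file holding ePHI (constructed example).

Only a "clear" in NIST SP 800-88 terms, and only valid where blocks are
rewritten in place. Use a device-level purge or destruction for SSDs,
copy-on-write/journaling filesystems, snapshots and backup copies.
"""
import hashlib
import os
import secrets
import tempfile

CHUNK = 64 * 1024


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _overwrite(path: str, size: int, fill) -> None:
    """Overwrite `size` bytes of `path` in place using fill(n) -> n bytes, then fsync."""
    with open(path, "r+b") as f:
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            f.write(fill(n))
            remaining -= n
        f.flush()
        os.fsync(f.fileno())


def clear_file(path: str, random_passes: int = 1) -> dict:
    """Overwrite with random data, then zeros, then verify by independent read-back.

    The file is left in place (all zeros) so the caller can inspect it before
    unlinking. Returns a report dict; "verified" is True only if every byte
    read back is zero and the size is unchanged.
    """
    size = os.path.getsize(path)
    before = _sha256(path)
    for _ in range(random_passes):
        _overwrite(path, size, secrets.token_bytes)
    _overwrite(path, size, lambda n: b"\x00" * n)

    residual = False
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            if block.count(0) != len(block):  # any non-zero byte means the clear failed
                residual = True
                break
    after = _sha256(path)
    return {
        "bytes": size,
        "hash_before": before,
        "hash_after": after,
        "verified": (not residual) and os.path.getsize(path) == size,
    }


def demo() -> dict:
    """Write a constructed ePHI sample to a temp file, clear it, verify, unlink."""
    sample = b"MRN 000123|Jane Doe|1980-01-02|dx: sample diagnosis\n" * 2000  # constructed, not real
    fd, path = tempfile.mkstemp(suffix=".csv")
    with os.fdopen(fd, "wb") as f:
        f.write(sample)
    report = clear_file(path)
    with open(path, "rb") as f:
        report["marker_found"] = b"Jane Doe" in f.read()
    os.unlink(path)  # unlink only after the overwrite: deletion alone sanitizes nothing
    return report


if __name__ == "__main__":
    print(demo())
```

Record the report (size, hashes, verification result, who ran it and when) alongside the disposal entry; the Security Rule's media controls require documenting the final disposition of ePHI, and a verification record is what distinguishes a demonstrable clear from an assumed one.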

Kiteworks Platform: HIPAA-compliant Data Storage and Retention

The Kiteworks platform provides hospitals, clinics, integrated delivery networks, and insurance companies with enterprise-grade file sharing capabilities that give them 100% control over their medical records and other PHI. To do that, we focus on three priorities:

  1. Security: All Kiteworks products, including cloud storage and file transfer, are covered by HIPAA-compliant encryption and security protocols so that data, whether it’s at rest or in transit, is protected. You also get secure content access that lets you share PHI from your data repositories to consulting physicians, insurance companies, patients, and other third parties.
  2. Compliance: From technical measures to physical and administrative safeguards, Kiteworks helps CEs and BAs demonstrate compliance with HIPAA, GDPR, CCPA, and other data privacy regulations. We also support CEs and BAs that want to ensure that they are compliant with data storage requirements.
  3. Visibility: Kiteworks lets security and GRC personnel see, follow, and record who sends what file to whom. Visibility of all file activity lets CEs and BAs control who accesses PHI and demonstrates compliance with HIPAA.

Learn More About Kiteworks

Working with Kiteworks gives you more than compliant HIPAA data retention and backup. We are a partner that can help answer all your questions about file security and protection no matter where it is. We can also help you map out your governance plans so that your HIPAA data retention and disposal requirements are sustainable. Schedule a custom demo of Kiteworks today.

How often should PHI data be deleted?

HIPAA does not set a deletion schedule for PHI. HIPAA-required documentation must be kept for at least six years; medical records follow state retention law, which is often longer; and records that are no longer required should be disposed of by the methods above rather than kept indefinitely, since every retained copy stays within the Security Rule’s scope. Whatever schedule you adopt, the records must be protected for as long as they exist, and legal counsel should confirm the schedule against the state laws that apply to you.

What are the HIPAA requirements for data backup?

The Security Rule’s contingency plan standard (45 CFR 164.308(a)(7)) requires three plans: a data backup plan (procedures to create and maintain retrievable exact copies of ePHI), a disaster recovery plan (procedures to restore any loss of data), and an emergency mode operation plan (procedures to continue the critical business processes that protect ePHI while operating in emergency mode). Backups contain ePHI, so they are subject to the same safeguards, and to the same retention and disposal rules, as the primary copies.
