How long must you retain most HIPAA documentation?
HIPAA Compliance
How long should you retain medical records? It can vary and, while HIPAA sets no single retention period for all data, there are policies you must follow. For example, while email archiving is not required by HIPAA’s Security Rule, healthcare providers still need to keep communications, including emails, that contain PHI for a minimum of six years. During that time, those records cannot be altered or deleted.

What Is HIPAA and the Privacy Rule?
The Health Insurance Portability and Accountability Act (HIPAA) covers patient information accountability across various healthcare providers and insurance companies. The letter of the law organizes HIPAA and the regulations contained therein into three distinct rules:
In terms of protecting medical record storage and data retention, covered entities (CEs) and business associates (BAs) must adhere to both the Privacy and Security Rules. The Privacy Rule, however, specifically details the requirements for both retaining and destroying PHI. It is important to note that the time periods specified in the Privacy Rule only address non-medical records (emails, communications, and so on). Medical record retention is instead governed by individual states.

What Are the HIPAA Data Retention Requirements for Covered Entities?
Under HIPAA regulations, CEs and BAs must retain records for a period of no fewer than six years from the date of creation or the last effective date, whichever is later. This regulatory standard only applies to specific documents, including:
Note that individual states have their own retention laws that preempt HIPAA. These data retention requirements are the same for both Covered Entities and Business Associates. HIPAA’s security standards apply equally to long-term data storage, so check with your provider or IT staff to confirm your HIPAA compliance. While online backup isn’t required under HIPAA, HITECH encourages it.

What Are HIPAA-compliant Record Disposal Methods?
Data protection requirements don’t end when CEs and BAs dispose of medical records. This is because:
HIPAA outlines specific methods for medical record disposal that comply with HIPAA data retention regulations:
Kiteworks Platform: HIPAA-compliant Data Storage and Retention
The Kiteworks platform provides hospitals, clinics, integrated delivery networks, and insurance companies with enterprise-grade file sharing capabilities that give them 100% control over their medical records and other PHI. To do that, we focus on three priorities:
Learn More About Kiteworks
Working with Kiteworks gives you more than compliant HIPAA data retention and backup. We are a partner that can help answer all your questions about file security and protection, no matter where your data is. We can also help you map out your governance plans so that your HIPAA data retention and disposal requirements are sustainable. Schedule a custom demo of Kiteworks today.

What records must be kept for 10 years?
You must be able to produce receipts, invoices, canceled checks, or bank records that support all expense items. You should also keep sales slips, invoices, or bank records to support all income items. These records should be retained for at least 10 years after they have expired.
How often should PHI data be deleted?
It appears that most recommendations say 10 years are sufficient, unless you identify a reason to retain the records longer. Whatever you do, make sure you have proper security measures in place to protect the records indefinitely, and consult with your legal counsel on their recommendations.
What are the HIPAA requirements for data backup?
Data must be stored for six years and all of it must be restorable at any point. EHR data must also be recoverable during emergencies. The three plans for backup recovery are the data backup plan, the disaster recovery plan, and the emergency mode operations plan.
How long should you keep a PI?
PIs are typically 8 – 12 weeks long. The most common pattern for a PI is four development Iterations, followed by one Innovation and Planning (IP) Iteration.