
How Long Must HIPAA Compliance Records Be Retained?

June 24, 2025

“If a tree falls in a forest and no one is around to hear it, does it make a sound?” This philosophical question also highlights a dilemma for businesses subject to HIPAA requirements. Regulatory compliance by itself isn’t enough; you must have the documentation to prove that your organization is taking “reasonable and appropriate” steps to keep protected health information (PHI) safe and secure. How long do you need to retain these HIPAA compliance records?

What Are HIPAA Data Retention Requirements?


HIPAA regulations require covered entities to maintain detailed records of all compliance activities. Healthcare companies must have a contract on file — known as a Business Associate Agreement (BAA) — for any third-party vendor that processes confidential patient data. If your organization uses Microsoft Teams for telehealth appointments, for example, you would need to keep a record of your Microsoft BAA.

HIPAA document retention requirements are covered in 45 CFR § 164.316 of the Code of Federal Regulations:

“If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.”

There are related requirements for HIPAA compliance policies and procedures in section 164.530:

“A covered entity must:

(i) Maintain the policies and procedures provided for in paragraph (i) of this section in written or electronic form;

(ii) If a communication is required by this subpart to be in writing, maintain such writing, or an electronic copy, as documentation; and

(iii) If an action, activity, or designation is required by this subpart to be documented, maintain a written or electronic record of such action, activity, or designation.

(iv) Maintain documentation sufficient to meet its burden of proof under § 164.414(b).”

The “burden of proof” standard means that the HHS Office for Civil Rights (OCR) doesn’t have to prove non-compliance. Instead, your organization is responsible for demonstrating HIPAA compliance at every step with thorough documentation. How long should you save HIPAA-related files?

How Long Do You Have To Retain HIPAA Compliance Records?


HIPAA regulations require your organization to maintain records of HIPAA compliance for six years. CFR sections 164.316 and 164.530 explain further:

“Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.”

Moment-in-time records, such as the results of a specific internal audit, aren’t likely to need updates. Maintain them for six years and then delete or destroy them.

On the other hand, organizational policies, cybersecurity frameworks, and risk documents often require ongoing reviews and modifications. You may need to store these files indefinitely, including the original versions.

State Laws for Medical Records

State laws are another detail you have to keep in mind when determining how long to retain HIPAA compliance records. Many states mandate keeping medical records and patient authorizations for much longer than six years.

For example, Kansas requires hospitals to keep adult medical records for 10 years after the last discharge. Longer state rules take priority over shorter HIPAA timeframes.
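The retention clock described above has two edge cases worth getting right in a records-management system: the six-year period runs from the creation date or the last-in-effect date, whichever is later, and a longer state or other rule replaces the HIPAA deadline rather than adding to it. The following Python example, added here and not code from the original article or from Compyl, computes the disposal date for a record under these rules. The record and rule types, the sample records, and the treatment of living documents and legal holds as "retain indefinitely" are assumptions made for illustration; the six-year figure and the Kansas ten-years-after-discharge rule come from the article.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# 45 CFR 164.316 / 164.530: keep required documentation for six years from
# its creation or from the date it was last in effect, whichever is later.
HIPAA_RETENTION_YEARS = 6


def add_years(d: date, years: int) -> date:
    """Add calendar years; a 29 February start date lands on 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class ComplianceRecord:
    """Hypothetical record type (assumption for this example)."""
    name: str
    created: date
    last_in_effect: Optional[date]   # None while the document is still in force
    living_document: bool = False    # policies/frameworks that keep being revised
    legal_hold: bool = False         # e.g. a BAA tied to a dispute or breach


@dataclass
class RetentionRule:
    """A non-HIPAA rule (state law, CMS, ...) as 'years after an anchor date'."""
    label: str
    years: int
    anchor: date


def hipaa_retain_until(rec: ComplianceRecord) -> Optional[date]:
    """Earliest disposal date under the HIPAA six-year clock, or None if the
    record must be kept (still in effect, living document, or legal hold)."""
    if rec.living_document or rec.legal_hold or rec.last_in_effect is None:
        return None
    start = max(rec.created, rec.last_in_effect)   # "whichever is later"
    return add_years(start, HIPAA_RETENTION_YEARS)


def retention_deadline(rec: ComplianceRecord,
                       other_rules: List[RetentionRule]) -> Tuple[Optional[date], str]:
    """Apply HIPAA plus any other rules; the longest period governs."""
    deadline = hipaa_retain_until(rec)
    if deadline is None:
        return None, "indefinite (living document, legal hold, or still in effect)"
    governing = "HIPAA 45 CFR 164.316/164.530"
    for rule in other_rules:
        candidate = add_years(rule.anchor, rule.years)
        if candidate > deadline:                   # longer rule takes priority
            deadline, governing = candidate, rule.label
    return deadline, governing


def run_examples() -> Dict[str, Tuple[str, str]]:
    """Constructed sample records; returns name -> (ISO deadline or 'indefinite', rule)."""
    audit = ComplianceRecord("2021 internal audit report",
                             created=date(2021, 3, 1), last_in_effect=date(2021, 3, 1))
    # Authorization signed in 2019, last used at a Kansas hospital discharge in 2022.
    auth = ComplianceRecord("patient authorization (Kansas hospital)",
                            created=date(2019, 5, 10), last_in_effect=date(2022, 6, 30))
    kansas = RetentionRule("Kansas: adult hospital records, 10 years after last discharge",
                           years=10, anchor=date(2022, 6, 30))
    policy = ComplianceRecord("information security policy",
                              created=date(2018, 1, 1), last_in_effect=None,
                              living_document=True)
    leap = ComplianceRecord("vulnerability scan report",
                            created=date(2024, 2, 29), last_in_effect=date(2024, 2, 29))

    results = {}
    for rec, rules in ((audit, []), (auth, [kansas]), (policy, []), (leap, [])):
        deadline, rule = retention_deadline(rec, rules)
        results[rec.name] = (deadline.isoformat() if deadline else "indefinite", rule)
    return results


if __name__ == "__main__":
    for name, (deadline, rule) in run_examples().items():
        print(f"{name}: retain until {deadline} [{rule}]")
```

Note that a living document returns no deadline even when a state rule is supplied: the state rule can only lengthen a period, never shorten an indefinite one. The output of the sample records shows the audit report expiring six years after its date, the Kansas authorization governed by the ten-year state rule, and the 29 February report landing on 28 February 2030.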

Other Regulatory Compliance Standards

Depending on your business operations, you may need to juggle HIPAA retention requirements with other regulatory frameworks, such as:

  • FINRA: Health plans, insurers, and brokers must store certain records for six years, including customer communications and emails.
  • ERISA and FLSA: Information on disciplinary measures, personal injuries, pensions, and health plans may need to be kept for several years after employment ends, or even indefinitely.
  • CMS regulations: Healthcare providers that work with the Centers for Medicare & Medicaid Services need to keep cost reports and related patient documents for up to ten years.

To prevent confusion, a HIPAA compliance program should have a comprehensive list of all regulatory burdens for document retention.

Legal Considerations

Before deleting HIPAA documents related to security, privacy, risk management, employees, or business associates, check with your legal team. You may need to keep BAAs indefinitely in the case of a contract dispute or a data breach caused by third-party negligence.

What Documents Do You Need To Store for HIPAA Compliance?

Virtually every compliance action your organization takes to adhere to HIPAA rules must be recorded. This includes:

  • Risk assessments
  • Reports from vulnerability scans, penetration tests, and audits
  • Governance documents for HIPAA roles and responsibilities
  • Incident reports and breach notifications
  • Patient authorization forms for PHI disclosures
  • Privacy policies and receipt records
  • Network logs, backup logs, and other IT security records

You should also keep records related to employee training in HIPAA compliance, PHI, access control, and cybersecurity best practices. Most HIPAA data retention requirements apply to covered entities and business associates alike.

Why Are HIPAA Compliance Records Important?


Document and data retention is a critical part of HIPAA compliance. The right documentation can be the deciding factor in how potential violations play out.

HIPAA Documentation and Data Breaches

In the event of a data breach that exposes PHI, the U.S. Department of Health and Human Services Office for Civil Rights investigates what went wrong. If OCR discovers that your organization did its best to follow HIPAA privacy, security, and breach notification rules, it can clear your organization of responsibility. Without proof of HIPAA compliance, companies can face fines of $10,000 to $50,000 per PHI disclosure, especially if something similar has happened before.

Data retention can also bolster your legal standing in the event of a class-action lawsuit. A recent settlement following a breach cost Tampa General Hospital nearly $7 million. The UnitedHealth data breach affected 190 million Americans — more than half the country — suggesting that the cost of a settlement could be astronomical.

HIPAA Audits

You also need to show HIPAA compliance records during audits. OCR can require an audit if it receives complaints against you, such as allegations from patients.

What happens if a staff member is charged with illegally accessing patient records or leaking sensitive details? With appropriate documentation, you can place the blame squarely on the shoulders of the guilty employee, protecting your organization.

Can You Automate Retention of HIPAA Compliance Documents?

One of the best ways to avoid the complexity of HIPAA compliance record retention timelines is to automate the process. Compliance automation platforms like Compyl can help you keep the right documents in the right places for the right length of time. Contact us to learn more about HIPAA compliance solutions.
