HIPAA Data Retention Requirements
HIPAA (the Health Insurance Portability and Accountability Act) imposes data retention requirements on both covered entities and business associates. Both must retain the documentation that the Privacy and Security Rules require them to create, such as policies, procedures, and records of required actions and assessments, for at least six years. The requirement matters in practice because the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) may request this documentation for inspection when it audits or investigates a covered entity or business associate.
How long HIPAA compliance records must be retained
Every covered entity and business associate must retain the records listed below for at least six years from the date each was created or the date it was last in effect, whichever is later.
Where Does the Six Year HIPAA Record Retention Guideline Come From?
The six-year figure comes from the documentation standard of the Security Rule, 45 CFR 164.316(b). Paragraph (b)(1) requires covered entities and business associates to:
- "Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and"
- "If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment."
Section 164.316(b)(2)(i) then sets the retention period:
"Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later."
The Privacy Rule contains the parallel requirement in 45 CFR 164.530(j)(2), which applies the same six-year period to documentation required by the Privacy Rule.
Note that this six-year period applies to the compliance documentation itself (policies, procedures, and records of the actions, activities, and assessments the rules require), not to patients' medical records. HIPAA does not set a retention period for medical records; those periods come from state law and other regulations. Every organization subject to HIPAA should make sure its compliance documentation is retained, and kept secure, for at least six years.
What Type of Data Should We Retain?
The following records fall under the six-year retention requirement:
- Access and audit logs recording views of and changes to ePHI
- Policies and procedures in effect during the retention period
- Security risk analyses
- Incident documentation for any privacy and security incidents that occur
- Breach notification documentation for any breaches that occur
- Employee sanction documentation
- Complaint and resolution documentation
- Regulatory compliance correspondence and assessment reports
- Business associate agreements with service providers and contractors
- Information systems activity reviews, decisions made, and investigations conducted
- Contingency plans in effect during the retention period
- Contingency plan tests
- Records of the movements of hardware and electronic media containing ePHI, and of the person responsible for each movement
Summary of HIPAA Record Retention Requirements
In summary, HHS requires HIPAA compliance documentation to be retained for a minimum of six years from its creation or its last effective date, whichever is later, and OCR may request any of it during an audit or investigation.