How long must HIPAA compliance records be retained

HIPAA. The Health Insurance Portability and Accountability Act of 1996.

HIPAA Data Retention Requirements

The HIPAA (Health Insurance Portability and Accountability Act) data retention requirements apply to both covered entities and business associates. They state that every covered entity and business associate must maintain the records of individuals' data for 6 years. This is compulsory because if the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) audits a covered entity or business associate, it may ask for this data for inspection.
How long HIPAA compliance records must be retained

Every covered entity and business associate must retain the following data for at least 6 years from the date it was created or from the date it was last in effect.

Where Does the Six Year HIPAA Record Retention Guideline Come From?

Section 164.316(b)(1) of HIPAA requires that organizations:

  • “Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form.
  • If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.”

Section 164.316(b)(2)(i) also says:

Retain the documentation required by paragraph (b)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later.

Every organization should make sure that it keeps ePHI safe and secure for at least 6 years to remain in compliance with HIPAA.

What Type of Data Should We Retain?

The following records need to be retained for at least 6 years:

  1. Log records pertaining to views and updates of ePHI
  2. Policies and procedures in effect during the retention period
  3. Security risk analyses
  4. Incident documentation for any privacy and security incidents that occur
  5. Breach notification documentation for any breaches that occur
  6. Employee sanction documentation
  7. Complaint and resolution documentation
  8. Regulatory compliance correspondence and assessment reports
  9. Business associate agreements with service providers and contractors
  10. Information systems activity reviews, decisions made, and investigations conducted
  11. Contingency plans in effect during the retention period
  12. Contingency plan tests
  13. Records of all movements of hardware and electronic media used to store ePHI, and the data involved.

Summary of HIPAA Record Retention Requirements

In summary, it is clear that HHS requires a minimum of 6 years of record retention.