HIPAA Retention Requirements: Know What to Do

Both covered entities and business associates are subject to the HIPAA data retention rules.

HIPAA data retention regulations require covered entities and business associates to keep certain records on file for a predetermined period of time.

If a covered entity or business associate is audited by the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS), OCR may request that these records be produced for inspection.

HIPAA retention requirements can also help protect you from phishing scams, so let us look at what the HIPAA retention requirements are.

Medical Record Retention Periods

First, it is crucial to understand that each state has its own laws about how long medical records must be kept.

Covered entities are therefore subject to the laws of the state or states in which they conduct business. Depending on the type of covered entity and on whom the records relate to, the requirements can also differ.

For instance, in Florida, doctors are required to retain a patient’s medical records for five years following their last interaction with the patient. Hospitals, however, must keep medical records for seven years.

In contrast, Texas hospitals must maintain medical records for ten years, while doctors must keep them for seven years after their final interaction with the patient. Records relating to patients who were minors when the records were created must be kept until the patient is 20 years old.

In Nevada, records must be preserved for at least five years for adults and, for juveniles, through the patient’s entire twenty-third year.

Under North Carolina law, hospitals must keep medical records on file for eleven years after a patient is discharged, or, for a patient who was a juvenile when the records were created, until the patient turns thirty.

What are the HIPAA Retention Requirements?

Although HIPAA itself sets no standard for how long medical records must be retained, the legislation does specify how long other HIPAA-related records should be kept.

Under HIPAA, covered entities (CEs) are required to document any policies, procedures, activities, or assessments undertaken to comply with the HIPAA rules.

According to 45 CFR 164.316(b)(2)(i), such records must be preserved for at least six years from their creation or, if the document describes a policy, for six years from the date the policy was last in effect.

For example, if a policy was in force for four years before it was retired or changed, the original document must be retained for at least 10 years from its creation date (the four years it was in effect plus the six-year retention period).

The documents covered by the HIPAA record retention guidelines are listed below.

This is only a portion of the lengthy list that applies to CEs and their business associates, but it includes the documents most commonly used in the healthcare industry.

  • Notices of privacy practices
  • Patient authorizations
  • Risk evaluations and analyses
  • Disaster recovery and contingency plans
  • Business associate agreements
  • Privacy and information security policies
  • Employee sanctions
  • Incident and breach notification documentation
  • Records of complaints and their resolution
  • Records of physical security maintenance
  • Access records
  • Reviews of IT security systems (including new procedures or technologies implemented)
