A common question we receive is “How long does HIPAA require us to maintain patient records?”
There is an important distinction in this regard between what HIPAA does and does not mandate; read on to learn more.
What HIPAA does not require
HIPAA does not mandate a specific medical record retention period. From the Department of Health and Human Services:
"The HIPAA Privacy Rule does not include medical record retention requirements. Rather, State laws generally govern how long medical records are to be retained. However, the HIPAA Privacy Rule does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal. See 45 CFR 164.530(c)."
So how long should we maintain patient records?
State law governs how long medical records should be retained. For example, the Medical Board of California outlines situations and government health plans that require providers and physicians to maintain records for a certain period of time:
1. Several laws specify a three-year retention period, including Health and Safety Code (HSC) section 1797.98e(b) (for services reimbursed by the Emergency Medical Services Fund) and HSC section 11191 (when a physician prescribes, dispenses, or administers a Schedule II controlled substance).
2. Welfare and Institutions Code section 14124.1 (which relates to Medi-Cal patients) specifies a ten-year retention period.
3. The Knox-Keene Act requires that HMO medical records be maintained for a minimum of two years under Title 28 of the California Code of Regulations (CCR) section 1300.67.8(b).
4. In Workers' Compensation cases, qualified medical evaluators must maintain medical-legal reports for five years under Title 8 CCR section 39.5(a).
5. HSC section 123145 indicates that providers of health services licensed under sections 1205, 1253, 1575, or 1726 shall preserve the records for a minimum of seven years following discharge of the patient.
In short, refer to your state board to determine your local patient record retention requirements.
What HIPAA does require for record retention
HIPAA does have record retention requirements for certain HIPAA-related documents. (You can read more on this in our HIPAA manual, section 4.3.10 Documentation and Record Retention.)
The Privacy Rule [45 CFR 164.530(j)] stipulates that a covered entity must maintain, until six years after the later of the date of their creation or their last effective date, its:
1. Privacy policies and procedures;
2. Privacy practice notices;
3. Disposition of complaints; and
4. Other actions, activities, and designations that the Privacy Rule requires to be documented.
This is further expanded in the Security Rule safeguards [45 CFR 164.316(b)(1)], whereby the Documentation standard requires covered entities to:
1. Maintain the policies and procedures implemented to comply with the Security Rule in written or electronic form.
2. Maintain a written or electronic record of any action, activity, or assessment that the Security Rule requires to be documented.