What are HIPAA’s Records Retention Requirements?

The Health Insurance Portability and Accountability Act (HIPAA) requires organizations to keep patient data secure and safe. It improves the portability and accountability of health insurance coverage for employees moving between jobs, and it combats waste, fraud, and abuse in health insurance and healthcare delivery. The Act also contains provisions to promote the use of medical savings accounts through tax breaks, to provide coverage for employees with pre-existing medical conditions, and to simplify the administration of health insurance.


Different types of businesses in the healthcare industry need to comply with HIPAA regulations, including healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities. All of these organizations are expected to be familiar with every aspect of HIPAA law; the fines for violations are hefty, and ignorance is not deemed an adequate excuse for a breach. HIPAA law can be difficult to navigate, but it provides comprehensive protection for an individual's data. One area that causes confusion among covered entities and business associates is HIPAA's record retention requirements. HIPAA distinguishes between medical records and HIPAA-related non-medical records, and each must be treated separately. Here we discuss HIPAA's requirements regarding the retention of each type of record.

What Documents are Subject to HIPAA Data Retention Requirements?

  • Privacy Practice Notices
  • Permissions for the Disclosure of PHI
  • Risk Assessments and Risk Analysis Studies
  • Plans for Disaster Recovery and Contingency Plans
  • Copies of Business Associate Agreements
  • Details of Information Security and Privacy Policies
  • Policies for Employee Sanction
  • Documents on Incident and Breach Notification
  • Information on Complaint and Resolution
  • Records of Physical Security Maintenance
  • Details of Access to and Updating of PHI
  • Audits of IT Security Systems

Once one understands the difference between medical records and HIPAA-related non-medical records, the requirements are generally quite straightforward: for medical records, the States set the law, while for HIPAA-related non-medical documents a retention period of at least six years is required. The Security Rule deals specifically with electronic Protected Health Information (ePHI) and stipulates three classes of required safeguards, administrative, physical, and technical, that together ensure the confidentiality, integrity, and availability of ePHI.
