What is the retention period for medical records under HIPAA?

HIPAA regulations include guidelines for retaining protected health information (PHI) records and factors that influence retention periods which healthcare organizations and other entities handling PHI must be aware of.

Understanding HIPAA's retention requirements

• The HIPAA privacy rule is designed to safeguard the privacy and security of PHI. While it does not specify a specific retention period for PHI records, it sets the foundation for the general principles. The privacy rule focuses on ensuring that covered entities establish appropriate safeguards to protect the confidentiality and integrity of PHI throughout its lifecycle.
• The HIPAA security rule offers guidance specifically for electronic protected health information (ePHI) retention. The security rule emphasizes the importance of protecting ePHI from unauthorized access, disclosure, alteration, or destruction. While it does not provide specific retention periods, it requires covered entities and business associates to establish policies and procedures for the retention and disposition of ePHI.

Related: The guide to HIPAA compliant text messaging

HIPAA security rule's guidance on ePHI retention

The HIPAA security rule requires covered entities and business associates to have retention policies in place. These policies should outline the specific timeframes for retaining ePHI, taking into account factors such as :

• State laws
• Contractual obligations
• Other legal requirements.

The recommended guideline is to retain ePHI for at least six years from the date of creation or the date of the last effective date, whichever is later. 

This timeframe allows for compliance with the minimum retention requirement set forth by the HIPAA privacy rule. However, organizations should consider that some states have specific laws mandating longer retention periods for certain types of health information.

Related: Understanding medical record retention requirements by state

Factors influencing retention periods

1. State laws: State laws may impose longer retention periods for PHI records. Organizations must be aware of the specific requirements in the states where they operate and ensure compliance with HIPAA and state regulations.
2. Contractual obligations: Healthcare organizations often work with third-party vendors, such as electronic health record providers or medical billing companies. These contracts may include provisions related to data retention. Organizations must review and adhere to the retention requirements outlined in such contracts.
3. Medical board requirements: Medical boards or licensing bodies may have regulations regarding record retention for healthcare providers. Organizations should be aware of these requirements and ensure compliance to maintain professional licensure.
4. Litigation and legal proceedings: Legal proceedings, such as medical malpractice lawsuits or insurance claims, may necessitate the retention of PHI records beyond the minimum requirements. Organizations should consult with legal professionals to determine the appropriate retention periods in such cases.

Proper retention of PHI records is a component of HIPAA compliance. While the HIPAA privacy rule does not provide specific retention periods, the HIPAA security rule offers guidance for retaining ePHI. Organizations should establish policies and procedures that align with the minimum retention period of at least six years from the date of creation or the date of the last effective date.