HIPAA Retention Requirements for Data Fully Explained
Data retention is a critical part of compliance in the healthcare industry, and HIPAA retention requirements play an important role in how long sensitive patient data is stored, as do states' individual data protection laws.
In this article, we are giving you everything your organization needs to know about how long to secure medical data under HIPAA.
What Are HIPAA Data Retention Requirements?
HIPAA's data retention requirements are the rules governing how long healthcare organizations and Business Associates — any company working with healthcare organizations — must retain specific documents and records related to Protected Health Information (PHI).
Understanding HIPAA retention requirements means more than just complying with the law. It involves implementing best practices to ensure that sensitive data is stored securely and retained for the legally mandated amount of time.
Understanding this is complicated because HIPAA doesn't explicitly require the retention of medical records for a specific length of time. All it does is establish guidelines for keeping medical records and documentation related to privacy practices, security policies, and incident reports.
However, under HIPAA's Privacy and Security Rules, Covered Entities — like healthcare providers and health plans — need to retain PHI and related records for a minimum of six years. The retention period starts from either the date the document was created or when it was authorized by a patient, whichever is later.
In practice, HIPAA retention requirements often intersect with state laws, which may impose additional mandates for how long medical records and other types of health information must be securely stored and retained.
Neither HIPAA nor state laws expect organizations to keep records indefinitely. That would take up too much physical and digital space. However, there are also rules for the safe disposal of records, to safeguard patient data.
The biggest challenge is aligning HIPAA data retention requirements with states' data privacy laws. For example, California and Texas both have different retention periods for patient records.
Healthcare organizations and Business Associates need to be careful about following HIPAA rules and aligning those with state-specific rules.
For more information on HIPAA for healthcare organizations and businesses in the healthcare sector, check out Giva's HIPAA Resource Center.
HIPAA Retention Requirements Explained
HIPAA retention requirements are complicated, particularly because HIPAA was drafted while being conscious of states' rights and state data protection laws.
According to HIPAA's administrative requirements, healthcare entities must keep records related to their privacy and security practices for a minimum of six years.
These records include:
- Privacy and security policies: Written policies that demonstrate how the organization protects PHI
- Risk assessments: Evaluations of potential risks to the security of PHI, which must be documented and retained
- Workforce training documentation: Proof that employees have been trained on HIPAA compliance and data security practices
- Security incidents and breaches: Reports of any security incidents or breaches, including actions taken to mitigate those incidents
Although HIPAA doesn't require medical records (PHI) to be retained for a specific period at the federal level, other regulations — such as those imposed by Medicare and Medicaid — may dictate longer retention periods for billing and claims-related documents.
For example, Medicare providers are meant to retain records for 10 years according to The Centers for Medicare and Medicaid Services (CMS) guidelines.
Other compliance bodies and laws also play a role in the retention of medical and billing records. The Financial Industry Regulatory Authority (FINRA) compliant records and other documents that need to be compliant with the Employee Retirement Income Security Act and Fair Labor Standards Act (ERISA) might have to be kept indefinitely.
State laws also frequently establish retention periods for medical records, which can range from five to ten years depending on the state.
However, there is also an amendment under the Privacy Rule that PHI can be requested by patients "for as long as Protected Health Information is maintained in a designated record set."
For healthcare CIOs and data privacy officers, it's essential to be aware of these varying requirements that can help make sure that retention practices are compliant at both the federal and state levels.
Why Are HIPAA Data Retention Requirements Important?
Staying updated and compliant with HIPAA's data retention requirements, and the relevant laws of the states in which you operate is crucial for several reasons:
- Compliance with HIPAA is mandatory for Covered Entities and Business Associates
- Patient data privacy violations can lead to significant financial penalties and reputational damage
- Organizations that fail to retain the necessary documentation can face fines ranging from $137 to $68,928 per violation, depending on the severity of the breach, and who's to blame (2024 update)
Beyond legal compliance, data retention is essential for maintaining operational efficiency and transparency.
If there's an audit or lawsuit brought by a patient or patient's family, retained documents — such as security assessments, patient consent forms, and incident reports — provide proof that the organization is adhering to HIPAA's privacy and security guidelines.
Without careful data retention, it could be impossible to demonstrate compliance. This can leave an organization vulnerable to both legal and financial risks.
Retention also plays a critical role in protecting patient privacy. Storing and securing PHI for the required length of time ensures that sensitive information remains protected, reducing the risk of data breaches or unauthorized access.
Especially for healthcare organizations, compliant retention practices contribute to continuity of care. This can help ensure that critical patient health records are available when needed, even years after initial treatment.
Types of Organizations Covered Under HIPAA Retention Requirements
HIPAA's data retention rules apply to a broad range of organizations and Business Associates that handle Protected Health Information (PHI).
At the core are Covered Entities, which include:
- Healthcare providers: Such as hospitals, physicians, dentists, nursing homes, and pharmacies
- Telehealth and Tele-medicine providers
- Health insurance plan providers: Including health insurance companies, HMOs, Medicare, and Medicaid programs
- Healthcare clearinghouses: Entities that process non-standard health information into standardized formats, acting as intermediaries between providers and health plans
Business Associates — organizations that perform services for or on behalf of a Covered Entity and require access to PHI — are also subject to HIPAA retention requirements. Business Associates include:
- Third-party billing providers
- IT service providers
- SaaS providers in the healthcare sector
- Data storage vendors
- Law firms and accounting firms that handle PHI on behalf of healthcare organizations
In most cases, the data retention, privacy, storage, and transfer protection burdens are greater for HIPAA Covered Entities than Business Associates.
Regardless, for each, compliance with HIPAA's data retention requirements, state laws, and other legislation (e.g., ERISA and FINRA) is critical for the protection of PHI, and to avoid legal and financial penalties.
Every type of organization must ensure that they have processes and secure systems to store and eventually dispose of records after the appropriate retention period.
Types of Documents and Data Covered Under HIPAA Retention Requirements
There are numerous types of data and documents covered by HIPAA, including:
- Medical records, PHI: Patient health histories, treatment plans, scans, and everything connected to individual patients, whether identifiable or not
- Billing records and insurance payments
- PHI risk analyses
- Policies and procedures related to data security and privacy
- Business Associate Agreements (BAAs)
- Audit logs of systems that store PHI
- Information Security and Privacy Policies (ITSM, ITIL)
- Employee sanction policies, and records of any sanctions and breaches
- Incident and breach notification documentation
- Complaint and resolution documentation
- Physical security maintenance records
- PHI access logs, and the updating of patient records
- IT security system reviews: including new procedures or software that has been implemented or updated
Do check that everything your organization handles is compliant with HIPAA, state laws, and other legislation (e.g., ERISA and FINRA).
Every organization and vendor you work with that has anything to do with medical records also needs to make sure they are compliant.
Timescales for Data and Documents Covered Under HIPAA Data Retention
Although HIPAA itself doesn't explicitly say how long medical records must be retained, there are key timelines in place for related documentation:
- HIPAA Security Rule documentation: Must be kept for at least six years from its creation date or last effective date
- Medical records: While not specified by HIPAA, state laws typically dictate retention periods, often ranging from five to ten years
Samples of State-Specific HIPAA Data Retention Timescales for Medical Practices and Hospitals
The following are just a few examples of the different HIPAA data retention requirements for states in the U.S. See Sprinto's blog post for the full table:
State |
Medical Practice |
Hospital |
California |
6 years |
Adult: 7 years post discharge Minor: Until patient is 28 years |
Florida |
5 years since last contact |
7 years post last record entry |
Nevada |
5 years |
5 years |
New York |
Adult: 6 years Minor: 6 years or until patients age is 19 (whichever is longer) |
Adult: 6 years post discharge Minor: 6 years or or until age 21 (whichever is longer) Deceased: 6 years |
Pennsylvania |
Adult: 7 years Minor: 7 years or until patients age is 22 (whichever is longer) |
Adult: 70 years post discharge Minor: Until patient is 25 years |
Texas |
Adult: 7 years Minor: 7 years or until patients age is 21 (whichever is longer) |
Adult: 10 years post discharge Minor: 10 years or until the patient's age is 20 (whichever is longer) |
7 Best Practices for HIPAA-Compliant Data Retention
Here are seven best practices that healthcare and vendor CIOs and data privacy officers need to know to ensure data retention is compliant with HIPAA.
-
Know and Understand the HIPAA Data Retention Guidelines
Healthcare CIOs and data privacy officers should be very familiar with and trained in HIPAA guidelines. This should also include any other federal and state regulations that apply to data retention.
-
Ensure Internal Processes are HIPAA Compliant
Internal processes need to be evaluated regularly for compliance. This includes document management, access control, privacy, secure storage, and disposal processes.
-
Ensure Software You Use is HIPAA Compliant
CIOs should verify that all software solutions used for storing and managing health data are HIPAA compliant. This includes Electronic Health Record (EHR) systems, cloud storage services, and document management systems.
-
Have Software and Processes Tested for HIPAA Compliance
Routine audits and assessments should be conducted to ensure that both the technology stack and processes are meeting HIPAA standards.
-
Ensure Staff Are Trained on HIPAA Compliance
Ongoing training programs should be in place to educate staff about HIPAA's data retention and privacy rules. Training should cover data handling, storage, and incident reporting.
-
Appoint Designated Privacy Officers
Appointing designated privacy and security officers helps to ensure ongoing compliance and create operational accountability. These officers should oversee data protection and retention protocols.
-
Make Staff and Software Vendors Aware of Consequences of Non-Compliance
Non-compliance with HIPAA data retention regulations can result in significant penalties that can be financial and reputational. It is of utmost importance to communicate these potential non-compliance consequences internally and with external vendors.
What are the Risks of Non-Compliance with HIPAA Data Retention Requirements?
There are several risks if an organization, whether a Covered Entity or Business Associate, is found in violation of compliance guidelines and laws:
- Legal repercussions: Non-compliance can lead to lawsuits, especially if there is a data breach or improper disposal of records
- Financial penalties: HIPAA violations can result in hefty fines per incident, as mentioned above, depending on the severity of the breach, and who's to blame
- Operational disruptions: Non-compliance can cause system audits, reputational damage, and a loss of trust with patients, vendors, billers, and other entities
HIPAA-Compliant Data Retention Frequently Asked Questions (FAQs)
How long does a Covered Entity have to retain a patient authorization for PHI?
A Covered Entity needs to retain any signed patient authorization forms for the disclosure of PHI for a minimum of six years under HIPAA. These six years start either from the date the authorization was created or the date it was last in effect, whichever is later.
Even if the authorization has been revoked or is no longer in use, the authorization document itself must still be retained to demonstrate compliance in the event of an audit or legal inquiry.
Why are IT security reviews counted as HIPAA-related documents?
IT security system reviews are covered under HIPAA-related documents because they are an integral part of HIPAA's Security Rules.
IT security reviews assess an organization's current ITSM and data protection security measures. These help identify vulnerabilities that could jeopardize the protection of PHI. IT vendors, SaaS providers and healthcare organizations need to document these reviews. This way, healthcare organizations can demonstrate that they are actively working to safeguard sensitive data.
In the event of a breach or security incident, these reviews are essential for showing that appropriate risk assessments were conducted and that reasonable safeguards for access to ePHI were set up.
Can Covered Entities and Business Associates be fined for the improper disposal of HIPAA documentation and data?
Yes, both Covered Entities and Business Associates can face significant fines for the improper disposal of HIPAA-related documentation.
Under HIPAA's Privacy Rule, organizations must implement policies and procedures to ensure that PHI is disposed of so that confidentiality is maintained. For example, paper records should be shredded, and electronic data should be securely deleted.
Improper disposal would involve throwing records in the trash without proper safeguards, which can result in expensive penalties (see above), depending on the severity of the offense and whether it was willful or accidental, as well as reputational damage.
What are the Administrative Simplification Regulations of HIPAA?
Because HIPAA is a complex set of laws and guidelines, there's now a set of simplified guidelines that healthcare organizations can refer to. This impacts the safe storage, collection, transfer, and destruction of data and patient records.
The Administrative Simplification Regulations of HIPAA are a set of rules designed to streamline the administration of healthcare information. These regulations include:
- Privacy Rule: Governs the use and disclosure of PHI
- Security Rule: Establishes standards for protecting electronic PHI
- Transactions and Code Sets Rule: Standardizes electronic transactions for healthcare claims and payments
- Unique Identifiers Rule: Requires healthcare providers and employers to use unique identification numbers in electronic transactions
- Enforcement Rule: Lays out the penalties for non-compliance with HIPAA
Does HIPAA ever supersede a state's data retention laws?
HIPAA can and does supersede a state's data protection and retention laws when those laws are less stringent or offer fewer protections for PHI than HIPAA.
However, when state laws impose stricter requirements for the retention or disposal of health data, those state laws take precedence. For example, if a state requires medical records to be retained for ten years (as opposed to HIPAA's six-year rule), the organization must follow the stricter state requirement.
It's essential for healthcare organizations and Business Associates that operate in multiple states to stay informed about the specific retention rules applicable in each jurisdiction.
It's even more important if you have a data center in one state, such as California, and customers in numerous others, all with different data retention laws. Be mindful of that from an operational, data privacy, and security perspective.
What is the burden of proof under the Breach Notification Rule?
Under HIPAA's Breach Notification Rule, Covered Entities and Business Associates must notify affected individuals, the Department of Health and Human Services (HHS), and sometimes the media if there's a PHI data breach.
When this happens, the burden of proof is with the Covered Entity to demonstrate that a breach did or did not occur. Organizations must retain documentation of risk assessments and any investigations conducted to determine whether a breach occurred. All of this documentation must be kept for six years.
How long should authorizations for disclosures of PHI be kept?
Authorizations for the disclosure of PHI must be retained for at least six years under HIPAA's Privacy Rule. This period starts from either the date the authorization was created or the date it was last in effect.
Even if the patient later revokes their authorization, the document must still be kept for the full retention period to provide proof of the organization's compliance with HIPAA guidelines.
Are there any HIPAA medical record (ePHI, PHI, etc.) retention requirements?
HIPAA does not directly mandate a specific retention period for medical records, but it does require Covered Entities to retain documentation related to their privacy policies, procedures, and security measures for a minimum of six years.
Medical record retention periods are typically governed by state laws, which often require retention for longer periods, such as five to ten years. Refer to the table above for examples of medical retention record requirements for adult patients, minors, and the deceased.
What are the HIPAA backup retention requirements?
HIPAA's Security Rule requires that organizations create and maintain retrievable, exact copies of electronic PHI (ePHI) to ensure data availability in case of an emergency, system failure, or natural disaster.
These backup copies must be stored in a secure location and be readily available for retrieval as part of a contingency plan.
The Security Rule also mandates that these backups be kept for at least six years, aligning with other HIPAA documentation retention requirements. Backup systems must comply with HIPAA's security standards, ensuring that ePHI remains protected and accessible in the event of an incident.
Conclusion: The Importance of Understanding HIPAA Retention Requirements for Multiple Types of Data
The Health Insurance Portability and Accountability Act (HIPAA) plays a significant role in shaping how organizations handle and store sensitive health information.
HIPAA's retention requirements aren't always straightforward, which can be confusing for healthcare CIOs, data privacy officers, and compliance teams. While HIPAA sets minimum standards for the protection of Protected Health Information (PHI), there are a lot of nuances and gray areas.
Healthcare organizations are still required to retain certain documentation — such as privacy policies, audit logs, and risk assessments — for at least six years.
At the same time, state laws often mandate longer retention periods for patient health records. So, you must factor in state data protection laws, as well.
Giva Software Is HIPAA Compliant
Designed from the ground up for the cloud, Giva's Help Desk and ITSM applications are implemented with HIPAA compliance built in.
Features include:
- Multi-Tier Encryption: Giva's HIPAA-compliant data encryption ensures all protected health information (PHI), electronic health and medical records are secure.
- Multi-Level PHI and EHR Encryption: Giva's hosted help desk solutions use a multi-tiered security strategy to protect personal records.
- HIPAA-Compliant Backups: Daily and weekly backups enable quick data restoration from encrypted backups when needed.
See how Giva can be your HIPAA-compliance support partner! Book a free Giva demo to see our solutions in action, or start your own free, 30-day trial today!