HIPAA Record Retention Requirements

The Health Insurance Portability and Accountability Act (HIPAA) is one of the most important pieces of data protection legislation in the American healthcare industry. It sets out security and privacy provisions intended to keep patients' medical data safe. It was originally designed to address the issue of health insurance coverage for people who were between jobs.


The law has gained greater prominence in recent years with the rise of health data breaches caused by cyber attacks and ransomware attacks on health insurers and providers. Organizations can lower their risk of regulatory enforcement action through HIPAA compliance training programs.

What Documents are Subject to HIPAA Data Retention Requirements?

The HIPAA record retention requirements require that covered entities and business associates retain certain records for at least six years, measured from either the date of creation or the last "effective date," whichever is later:

  • A written or electronic record of a designation of an organization
  • Information security and privacy policies and procedures implemented to comply with HIPAA.
  • All documented settings, activities and measurements required by HIPAA.
  • All data use agreements and other forms supporting HIPAA compliance.
  • All signed authorizations and, where appropriate, written acknowledgments of receipt of the notice or documentation of good faith efforts to acquire such written acknowledgments.
  • The Notice of Privacy Practices for entities that must provide them.
  • Designated documentation sets that are subject to access by individuals.
  • Documentation of the titles of the persons or offices responsible for HIPAA compliance, including not only those with overall responsibility for compliance, but also those responsible for receiving and processing requests for improvement by individuals, and those responsible for receiving and processing requests for an accounting by individuals.
  • Accounting of disclosures of protected health information (PHI).

HIPAA identifies two types of organizations that must be HIPAA compliant: Covered Entities (CEs), which collect, generate, or transmit PHI electronically; and Business Associates (BAs), which encounter PHI in any way over the course of work they have been contracted to perform. In addition to understanding what HIPAA requires for retention, covered entities and business associates must also know their other legal retention requirements arising from state, federal, international and contractual obligations.
