When addressing HIPAA retention regulations, the small distinction between HIPAA medical records retention and HIPAA record retention can generate confusion.
The purpose of this article is to explain what records must be kept under HIPAA and what other retention obligations Covered Entities should be aware of.
The HIPAA rules for data retention are actually fairly simple. The requirement in the Privacy Rule that sufficient administrative, technological, and physical measures be implemented to “protect the privacy of Protected Health Information for whatever term such information is maintained” can be confusing for some Covered Entities and Business Associates.
HIPAA Record Retention: The Needed Basics
When it comes to medical records retention legislation, the Health Insurance Portability and Accountability Act (often known as HIPAA) is one of the most significant statutes to be aware of.
This law, which was passed in 1996 to preserve the health coverage of persons who were between employment, is today known as the one that also ensures the medical records retention policy, defines the parties and documents involved, and is the primary document used by providers when drafting an in-house medical retention policy.
The following documents are covered by HIPAA log retention policies and requirements:
- Examination cards, prescriptions, diagnostics tests, operations, and other documents containing personal health information, such as medical history;
- Receipts, patient records with Social Security numbers, bank account details, bills, and other documents containing personal identity information.
When information comes to HIPAA retention policies, there are three primary factors to consider:
- Entities that are subject to the policies;
- Type of documents that fall under the consideration;
- Retention duration (how long Medicare and Medicaid records should be retained for).
HIPAA requires that business associates and covered entities retain the following for at least six years from creation date or last effective date, whichever happens to be later.