Datica Blog

How long to keep medical records under HIPAA?

Travis Good, MD

Co-founder, CEO & Chief Privacy Officer

April 17, 2014   HIPAA Healthcare Cloud Open Source Compliance

It may come as a surprise, but HIPAA itself does not require you to retain medical records. This is a very common misconception about HIPAA. "Medical records" here means electronic protected health information (ePHI). HIPAA contains no rule that requires covered entities or business associates to retain ePHI. I assume this is a common question for HHS, as they have it listed in a HIPAA FAQ.

Point 6 of HIPAA retention rules

The confusion likely stems from two things. First, most states have requirements that covered entities retain ePHI for a certain period of time, even if the covered entity closes its doors; I imagine the most common case of a covered entity closing is a physician retiring. As a covered entity, the onus is on you to understand the requirements in the states that you work in and to comply with them.

This is a case I’m personally exposed to right now, as a doc friend is retiring and is trying to figure out what to do with his medical records for the next 10 years. His records are all paper and he’s retiring to avoid having to use an EHR. Yes, this does happen, and some doctors feel so strongly, in a bad way, about EHRs that they are retiring early to avoid having to change the way they’ve practiced for 30, 40, or even 50 years.

Issues also arise when a business associate, such as an EHR company, goes out of business and the covered entity needs to get the records back and find a way to store them. We’ve seen this too, especially in the case of smaller, specialty-specific EHRs and practice management systems. More on this in another post.

The second reason for the misconception about HIPAA and retention of ePHI is that HIPAA does have data retention rules, but, oddly enough, they don’t apply to ePHI. Section 164.316(b)(1) of HIPAA requires organizations to:

“(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.”

Section 164.316(b)(2)(i) goes on to state:

“Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.”

There are lots of policy and documentation requirements in HIPAA, and the data retention rules apply to those. You should be maintaining all of your policies and documentation that address aspects of HIPAA, and you should plan to retain it all for 6 years at a minimum, counted from the later of creation or the date it was last in effect. You should also retain all risk assessments, audits, and other compliance documentation related to your organization for the same period.

Datica policy and documentation retention

At Datica we use Git for version control on our policies; the current versions are written in Markdown and maintained in a master branch, so the full history of every policy, including superseded versions, is preserved. More on why we do this in a separate post.

We back up our current policies using Box. For risk assessments, change and configuration management, vulnerability scanning, and audits we also use Box as a repository. You can see our current policies here - policy.datica.com.
