April 17, 2014

How long to keep medical records under HIPAA?

Travis Good, MD

Co-founder & Chief Technology Officer

It may come as a surprise, but you don’t have to retain medical records according to HIPAA rules. This is a very common misconception about HIPAA. Medical records here means electronic protected health information (ePHI). HIPAA does not have any rules that require covered entities or business associates to retain ePHI. I assume this is a common question for HHS, as they have it listed in a HIPAA FAQ.

Point 6 of HIPAA retention rules

The confusion likely stems from two things. First, most states have requirements that covered entities retain ePHI for a certain period of time, even if the covered entity closes its doors; I imagine the most common case of a covered entity closing is a physician retiring. As a covered entity, the onus is on you to understand the requirements in the states that you work in and to comply with them.

This is a case I’m personally exposed to right now, as a doc friend is retiring and is trying to figure out what to do with his medical records for the next 10 years. His records are all paper and he’s retiring to avoid having to use an EHR. Yes, this does happen, and some doctors feel so strongly, in a bad way, about EHRs that they are retiring early to avoid having to change the way they’ve practiced for 30, 40, or even 50 years.

There are also issues that arise when a business associate, such as an EHR company, goes out of business and the covered entity needs to get the records back and find a way to store them. We’ve seen this too, especially in the case of smaller, specialty-specific EHRs and practice management systems. More on this in another post.

The second reason for the misconception about HIPAA and retention of ePHI is that HIPAA does have data retention rules but, oddly enough, they don’t apply to ePHI. Section 164.316(b)(1) of HIPAA requires organizations to:

“(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.”

Section 164.316(b)(2)(i) goes on to state:

“Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.”

There are lots of policy and documentation requirements in HIPAA, and the rules around data retention apply to those. You should be maintaining all of your policies and documentation that address aspects of HIPAA, and you should plan to retain it all for 6 years at a minimum, counted from the later of the date a document was created and the date it was last in effect. You should also maintain all risk assessments, audits, and other documentation related to your organization.

Datica policy and documentation retention

At Datica we use Git for version control on our policies, and the current versions are written in Markdown and maintained in a master branch. More on why we do this in a separate post.

We back up our current policies using Box. For risk assessments, change and configuration management, vulnerability scanning, and audits we also use Box as a repository. You can see our current policies here - policy.datica.com.
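Keeping policies in Git makes the 6-year clock from Section 164.316(b)(2)(i) computable from the commit history: the date a policy file was first added is its creation date, the date it was deleted (or renamed away) is when it was last in effect, and every revision marks the point at which the previous version stopped being in effect. The script below is an added example, not Datica's own tooling. It assumes the policies live under a `policies/` directory, that the history is exported with `git log --reverse -M --date=short --format='commit %H %ad' --name-status -- policies/`, and that a deleted or renamed file means the policy was retired; the sample log it parses is constructed.

```python
"""Work out how long each policy file (and its Git history) must be kept under
45 CFR 164.316(b)(2)(i): 6 years from creation or from when the document was
last in effect, whichever is later.

Added example, not Datica's own tooling.  Assumes the policy repository is
exported with:
    git log --reverse -M --date=short --format='commit %H %ad' --name-status -- policies/
(oldest commit first) and that a deleted/renamed file means the policy was retired.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

RETENTION_YEARS = 6  # 45 CFR 164.316(b)(2)(i)

# Constructed sample of the git log output described above (not a real repo).
SAMPLE_LOG = """\
commit a1b2c3d 2013-02-11
A\tpolicies/access-control.md
A\tpolicies/incident-response.md

commit d4e5f6a 2014-09-30
M\tpolicies/access-control.md

commit b7c8d9e 2016-01-05
R100\tpolicies/incident-response.md\tpolicies/incident-management.md

commit f0a1b2c 2018-03-21
D\tpolicies/incident-management.md
"""


@dataclass
class PolicyHistory:
    path: str
    created: date                                      # first added to the repo
    revised: list = field(default_factory=list)        # dates of later revisions
    retired: Optional[date] = None                     # deleted or renamed away


def add_years(d: date, years: int) -> date:
    """Add whole years; Feb 29 falls back to Feb 28 in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def parse_name_status(log_text: str) -> dict:
    """Parse the --name-status log (oldest first) into a PolicyHistory per path."""
    histories = {}
    current_date = None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            _, _sha, iso = line.split()
            current_date = date.fromisoformat(iso)
            continue
        if not line.strip() or current_date is None:
            continue
        parts = line.split("\t")
        status = parts[0][0]  # A, M, D, or R (R100 -> "R")
        if status == "A":
            histories[parts[1]] = PolicyHistory(parts[1], created=current_date)
        elif status == "M":
            histories[parts[1]].revised.append(current_date)
        elif status == "D":
            histories[parts[1]].retired = current_date
        elif status == "R":  # rename: old path retired, new path created
            old, new = parts[1], parts[2]
            histories[old].retired = current_date
            histories[new] = PolicyHistory(new, created=current_date)
    return histories


def retention_deadline(h: PolicyHistory) -> Optional[date]:
    """Earliest date the policy and its history may be discarded.  None means the
    policy is still in effect, so the 6-year clock has not started."""
    if h.retired is None:
        return None
    return add_years(max(h.created, h.retired), RETENTION_YEARS)


def superseded_version_deadlines(h: PolicyHistory) -> list:
    """Each revision superseded the previous version on that date, so that older
    version was 'last in effect' then and must be kept 6 years from it."""
    return [add_years(d, RETENTION_YEARS) for d in h.revised]


def retention_report(log_text: str) -> dict:
    """Map each policy path to its deadline as an ISO string, or None if still active."""
    return {path: (dl.isoformat() if (dl := retention_deadline(h)) else None)
            for path, h in parse_name_status(log_text).items()}


if __name__ == "__main__":
    for path, deadline in sorted(retention_report(SAMPLE_LOG).items()):
        print(f"{path}: {'retain while in effect' if deadline is None else 'may discard after ' + deadline}")
```

Because Git keeps every historical version in one repository, the practical rule is that the repository history can only be pruned after the latest of all these deadlines; in the sample, the still-active access-control policy keeps the whole history open-ended.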



How do you prove HIPAA compliance?

Travis Good, MD

Co-founder & Chief Technology Officer

Without a doubt, this is one of the most important questions healthcare companies need to ask themselves and their partners: How to prove HIPAA compliance?

March 6, 2015

What is the cost of a HIPAA audit?

Travis Good, MD

Co-founder & Chief Technology Officer

The cost of a HIPAA audit depends on the audit type – HIPAA gap assessment, full HIPAA audit, or validated HITRUST assessment – and on indirect costs like time.

January 23, 2019

3 Common Misconceptions About Business Associate Agreements

Laleh Hassibi

Vice President of Marketing

HIPAA outlines the types of entities that are covered, but the further down the line a subcontractor gets from a covered entity, the more confusion there is.

June 2, 2017

5 Steps to HITRUST CSF Certification

Laleh Hassibi

Vice President of Marketing

Complying with HIPAA and proving it are two very different things. Datica is HIPAA compliant AND can prove it with our HITRUST CSF certification.

June 29, 2017