HIPAA Makes No Firm Assertion as to Medical Record Retention
The retention of medical records is, unfortunately, not a cut-and-dry sentence highlighted in the opening paragraph of HIPAA privacy.
There are several factors to consider when determining what documents need to be stored and for how long. It is important to realize that HIPAA makes no firm assertion as to medical records retention leaving the long-term storage of medical records to state and other federal laws.
These laws vary from state to state and federal laws vary based on the type of medical record.
HIPAA Federal Regulations
The American Health Information Management Association (AHIMA) has provided a broad table for reference (PDF), for federal record retention requirements, that includes the type of medical documentation, retention period, and relevant citation.
Viewing the table will show that the documentation can vary from “no specified retention periods” (Vaccine information) to “75 years after last date of activity” (Department of Veterans Affairs). Be forewarned that this does not cover all possible documentation.
For example, The Centers for Medicare & Medicaid Services provides direction through the 2005 CFR Title 42. Medicare providers submitted cost reports are required to keep records for “a period of, at least, 5 years after the closure of the cost report” and Medicare managed care providers are required to maintain records for 10 years.
HIPAA State Regulations
In many cases, regulations default to state law and, if the period of time is longer, state law takes precedence. Similar to federal regulations, state law varies wildly, as seen below.
- Florida – Minimum of 5 years since last contact
- Georgia – Minimum of 10 years from the date the record was created
- Illinois – Minimum of 10 years from the last patient encounter, with specifications on specific types of medical records
- Indiana – Minimum of 7 years or until patient reaches 21, whichever is longer.
- Maryland – Minimum of 5 years or until the patient is 21, whichever is longer.
- Michigan – Minimum of 7 years and there requires notification to patient & patient authorization to destroy the record.
- Pennsylvania – Minimum of 7 years since last service was provided, or until the patient is 22, whichever is longer.
- Virginia – Minimum of 6 years from the last patient encounter, or until the patient is 18, whichever is longer.
It is important to note that there are various statutes including malpractice state laws and the False Claims Act that require data retention extending 7 years, and some situations extending to 10. Data retention best practices recommend that all data is retained to comply with relevant statutes and regulations.
Obviously, the above is not an exhaustive list. Each state’s licensure board may provide guidance about record retention and, in the past, organizations such as AHIMA have provided guides covering state laws.
While HIPAA regulations only specify data retention related to the policies and procedures used to comply with the regulation itself (six years, if you are interested), the HIPAA Privacy Rule does require that appropriate technical, administrative, and physical safeguards are applied to protect the privacy of protected health information (45 CFR 164.530(c)). With that in mind, appropriate safeguards can be assumed to be those that comply with relevant state laws.
When trying to wade through the combination of different state laws and federal regulations, it is important to discuss the options and requirements with appropriate legal counsel that has knowledge of such regulations. In general, the best solution is to find the strictest regulation or state law that could be applied and comply with those parameters. Compliance in this way would provide subsequent compliance with any other relevant statute.
Wherever you are in the maturity model of your security program, VerSprite can tailor a range of Governance, Risk, and Compliance Services to fit both your near terms goals and capabilities, while still ensuring that a future vision of an optimized model is obtained. Explore GRC Services →