Both covered entities and business partners are subject to the HIPAA data retention rules. HIPAA data retention regulations require covered businesses and business partners to keep certain records on file for a predetermined amount of time. If a covered entity or business associate is being audited by the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS), OCR may request the production of these data for inspection.
According to the Health Insurance Portability and Accountability Act (HIPAA), covered entities and business partners must keep all necessary HIPAA records for a minimum of six (6) years after their creation or the last time they were in use, whichever comes first.
HIPAA Records Retention Time Period
Health companies must keep HIPAA data for six years even in states with shorter retention periods.
Laws governing medical record preservation are influenced by a number of circumstances. The guidelines for adults and minors fluctuate based on the type of patient. Records for patients under the age of 18 must be kept once they reach majority for a predetermined period of time. Records of patients who have passed away must also meet regulations in some states, including Oklahoma and New York. Additionally, hospitals and medical professions are subject to different legislation in other states. It is significant to remember that accrediting bodies have unique rules that health firms must comprehend and adhere to.
Consult a government chart given by HealthIT.gov that outlines the requirements for record retention to learn the rules governing the retention of medical records in your state. Check frequently to be sure that no new record retention legislation is being discussed because state legislatures have the power to change existing laws. Consult the website HealthIT.gov for information on regional representatives and frequently asked questions if you have any.
Consider your approach for data retention carefully when deciding how to comply with state standards. Medical records are not subject to HIPAA retention regulations, however there are guidelines regarding how long other HIPAA-related papers should be kept on file. These requirements are outlined in 45 CFR 164.316 and 45 CFR 164.530, both of which state that Covered Entities and Business Associates must keep records of all actions taken, activities performed, and assessments made in relation to the policies and procedures in order to comply with the Breach Notification Rule.