HIPAA requires that business associates and covered entities retain the following for at least six years from creation date or last effective date, whichever happens to be later.
- A written or electronic record of a designation of an organization as a CE (e.g., health plan, affiliated covered entity, etc.) or BA.
- Information security and privacy policies and procedures implemented to comply with HIPAA.
- All documented settings, activities and assessments required by HIPAA.
- All data use agreements and other forms supporting HIPAA compliance.
- All signed authorizations and, where applicable, written acknowledgments of receipt of the notice or documentation of good faith efforts to obtain such written acknowledgments.
- The Notice of Privacy Practices for entities that must provide them.
- Designated record sets that are subject to access by individuals.
- Documentation of the titles of the persons or offices responsible for HIPAA compliance, including not only those with overall responsibility for compliance, but also those responsible for receiving and processing requests for amendments by individuals, and those responsible for receiving and processing requests for an accounting by individuals.
- Accounting of disclosures of protected health information (PHI).
In addition to understanding what HIPAA requires for retention, covered entities and business associates must also know their other legal retention requirements, whether they arise from state, federal, international or contractual sources. For example, Connecticut state law requires that medical records, some of which go beyond HIPAA’s definition of PHI, be maintained for 7 years.