One of the reasons the lack of HIPAA medical records retention requirements can be confusing is that, under the Privacy Rule, individuals can request access to and amendment of Protected Health Information “for as long as Protected Health Information is maintained in a designated record set”. However, Covered Entities and Business Associates are required to provide an accounting of disclosures of Protected Health Information for the six years prior to a request.

Why There is No HIPAA Medical Records Retention Period

The reason the Privacy Rule does not stipulate how long medical records should be retained is that there is no mandated HIPAA medical records retention period. This is because each state has its own laws governing the retention of medical records, and – unlike in other areas of the Healthcare Insurance Portability and Accountability Act – HIPAA does not pre-empt state data retention laws.

Consequently, each Covered Entity and Business Associate is bound by state law with regard to how long medical records have to be retained rather than any specific HIPAA medical records retention period.

States’ retention periods can vary considerably depending on the nature of the records and to whom they belong.

- In Arkansas, adults’ hospital medical records must be retained for ten years after discharge but master patient index data must be retained permanently.
- In Florida, physicians must maintain medical records for five years after the last patient contact, whereas hospitals must maintain them for seven years.
- In Georgia, doctors have to retain any evaluation, diagnosis, prognosis, laboratory report, or biopsy slide in a patient’s record for ten years from the date it was created.
- In Nevada, healthcare providers are required to maintain medical records for a minimum of five years, or – in the case of a minor – until the patient has reached twenty-three years of age.
- In North Carolina, hospitals must maintain patients’ records for eleven years from the date of discharge, and records relating to minors must be retained until the patient has reached thirty years of age.

What HIPAA Retention Requirements Exist for Other Documentation?

Although there are no HIPAA retention requirements for medical records, there are requirements for how long other HIPAA-related documents should be retained.

These requirements are covered in 45 CFR 164.316 and 45 CFR 164.530 – both of which state Covered Entities and Business Associates must document policies and procedures implemented to comply and records of any action, activity, or assessment with regards to the policies and procedures, or sufficient to meet the burden of proof under the Breach Notification Rule.

Both standards also stipulate documents must be retained for a minimum of six years from when the document was created, or – in the event of a policy – from when it was last in effect. Therefore, if a policy is implemented for three years before being revised, a record of the original policy must be retained for a minimum of nine years after its creation. These HIPAA data retention requirements preempt state laws if they require shorter periods of document retention.

The list of documents subject to the HIPAA retention requirements depends on the nature of the business conducted by the Covered Entity or Business Associate. The following list is an example of the most common types of documents subject to the HIPAA document retention requirements but, for example, healthcare clearinghouses do not issue Notices of Privacy Practices, so would not be required to retain copies of them:

- Disaster Recovery and Contingency Plans.
- Information Security and Privacy Policies.
- Incident and Breach Notification Documentation.
- Complaint and Resolution Documentation.
- Logs Recording Access to and Updating of PHI.
- IT Security System Reviews (including new procedures or technologies implemented).

What Else to Consider in Addition to HIPAA Record Retention

It was mentioned above that the HIPAA retention requirements can be confusing and, when some other regulatory requirements are taken into account, this may certainly be the case. This is because – for example – in addition to HIPAA records retention, health insurance companies may be subject to the complexities of FINRA, while employers that are Covered Entities may have to comply with the record retention requirements of the Employee Retirement Income Security Act and Fair Labor Standards Act. In some cases, this can mean retaining records indefinitely.