Medical Record Retention, Destruction & HIPAA Compliance

HIPAA legislation establishes national standards of compliance to protect patient medical records and other personal health information (PHI). The HIPAA Privacy Rule requires covered entities to apply acceptable physical, technical, and administrative safeguards to protect the privacy of those medical records and PHI.

PHI includes patient names, geographical identifiers, phone numbers, birth dates, gender, emergency contact information, social security numbers, account numbers, biometric identifiers (like fingerprints), facial images, and more. As such, any record containing this type of information should be safeguarded and retained under HIPAA guidelines. These protected records include patient test results, hospital forms, prescription forms, and more.

The safeguarding of medical records and PHI under HIPAA law also applies to the disposal of records, which is why proper destruction of records after the retention period ends is critical. Under HIPAA law, secure shredding is an acceptable disposal method for paper records.

Medical Record Retention For HIPAA Compliance

While HIPAA standards require the safeguarding of medical records and PHI throughout the retention period, these standards do not establish a set timeframe for how long medical records must be retained. Retention periods for medical records are set at the state level and may vary from state to state. It is important for your organization to recognize and understand the retention period that applies in your state.

HIPAA-Related Document Retention

HIPAA-related documents are classified differently from medical records and PHI. These documents include the policies and procedures implemented to comply with HIPAA. Under HIPAA law, the retention period for such documents is a minimum of six years, counted from the date the document was created, the date it was last updated, or (for policies) the date it was last in effect, whichever is most recent.

HIPAA-related documents include Business Associate Agreements, Disclosure Authorizations of PHI, Access and Updating Logs of PHI, Breach Notification Documents, and more.

Entities that need to maintain HIPAA-related documents are classified as Covered Entities, which include health insurance companies, HMOs, Medicare and Medicaid programs, hospitals, clinics, doctors, pharmacies, dentists, health care clearinghouses, and more. Business associates of these entities must also adhere to these requirements, including contractors, subcontractors, and other entities such as medical billing companies, lawyers, IT companies, accountants, and record storage and destruction companies.

In some cases, health insurance companies may need to retain records for a longer period of time than what is required by HIPAA or by their state in order to comply with the Financial Industry Regulatory Authority (FINRA).

Which Takes Precedence: HIPAA Or Local Laws?

Medical record and PHI retention periods are determined by each state rather than by HIPAA. For HIPAA-related policy and procedure documents, however, the federal minimum retention period of six years preempts state law wherever the state law requires a shorter retention period.

HIPAA Compliant Document Destruction

Covered entities must apply appropriate physical, administrative, and technical safeguards to protect the privacy of medical records and PHI. Covered entities must also have policies and procedures in place that address the disposal process for these types of documents. Under HIPAA, the disposal process must limit and prevent unauthorized use and disclosure of medical records and PHI. A proper disposal process places the documents in a locked shredding container kept in a secure area, from which a certified shredding vendor collects them for shredding. An improper disposal process includes throwing records into a publicly accessible trash bin or dumpster.

Penalties For Improper Storage Or Destruction

Improper storage and destruction of HIPAA-protected documents are among the most common HIPAA violations and will result in serious criminal and financial penalties. Recent fines for improper disposal of PHI have ranged from hundreds of thousands to millions of dollars.