Many doctors and healthcare workers often wonder how long they are required by law to retain Protected Health Information (PHI). The Health Insurance Portability and Accountability Act of 1996 governs many aspects of such information, including security measures to prevent unauthorized use or disclosure, who is allowed to view PHI, how third-party business associates are treated, and more. So, how long are covered entities required to keep PHI?
You might be surprised to learn that there's no HIPAA rule requiring covered entities to retain Protected Health Information for any specified length of time. “The HIPAA Privacy Rule does not include medical record retention requirement,” the Department of Health and Human Services (HHS) wrote in a document titled “Frequently Asked Questions About the Disposal of Protected Health Information.” However, this doesn't necessarily mean that it's acceptable to toss out PHI after just a couple of months – even if you follow the appropriate disposal measures.
In most cases, states have their own laws regarding the retention of medical documents. The required period may be a couple of years, or it could be several decades. Covered entities are required to follow the laws of the state in which they practice. So even if HIPAA doesn't have a specific requirement for the retention of PHI, the state may. Covered entities should familiarize themselves with their respective state's laws to determine the exact length of time they are required to keep Protected Health Information.
The document goes on to say that “HIPAA Privacy Rule does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposals.” In other words, covered entities must implement meaningful and appropriate safeguards for as long as the entity retains PHI.
Furthermore, the HHS requires all covered entities to retain documents related to HIPAA for six years. This includes documents related to HIPAA compliance training, business associate agreements, compliance forms, privacy disclosures, etc. If a document pertains to HIPAA in any way, shape or form, the covered entity must keep it for six years from the date of its creation, as noted in Section 164.316(b)(2)(i) of HIPAA.