HIPAA Documentation and Medical Records Retention

As this year comes to a close, it may be time for some practices to review which medical records can be archived. We have been asked many times what the “difference” is between HIPAA documentation and medical record retention requirements. Many organizations think these have the same requirements, and they do not!

If you are not sure about the differences, let Aris Medical Solutions offer you a complimentary consultation. We want to be your HIPAA partner!

HIPAA documentation retention:

HIPAA requires that your privacy and security rule policies, procedures, and documentation be retained for at least 6 years from the date of creation or the last date it was in effect. If a policy was implemented three years before it was revised, the original policy must be retained for a minimum of 9 years after its creation. If state privacy law is more stringent, then state law must be followed.

Here is an example of what is covered under HIPAA:

  • Audit logs of access to ePHI
  • Business associate agreements
  • Contingency plans
  • Employee sanction policy and documentation
  • Notice of Privacy Practices
  • Patient authorizations (unless included in their medical record)
  • Patient complaints and resolutions
  • Privacy policies (patient access, amendments, and authorizations)
  • Security incident reports and Breach notification documentation
  • Security policies (administrative, physical, and technical)
  • IT reports that include updates and device status

Medical record retention:

Most people think HIPAA controls the medical record retention requirements. HIPAA is a federal law, and each state has its own set of medical record retention requirements. State retention requirements can vary depending on the type of records and who they belong to.

Florida state law requires medical practices to maintain records for at least 5 years after the last visit. Hospitals are required to retain records for 7 years after the last visit.

Claims may be brought up to 7 years after the incident under the False Claims Act; however, on occasion, the time has been extended to 10 years.

Medicare managed care program providers must also retain their records for 10 years.

Some states require pediatric practices to retain records until the patient reaches the age of 23.

North Carolina has some of the lengthiest requirements: 11 years from the date of discharge, and records of patients who are minors must be retained until the patient is 30 years of age.

It is recommended to retain any documentation that may be needed in a personal injury or breach of contract dispute for as long as necessary.

As you can see, there are many variables.

Proper organization of patient records and dates can assist you when the time comes to purge your records. This can also protect you from storing unnecessary records that could be a liability should you suffer a data breach.

If you need assistance with HIPAA Compliance, check out our HIPAA Keeper. It’s an online compliance system that has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!

For more information about Aris Medical Solutions call 877.659.2467 or click here to contact us.

“Simplifying HIPAA through Automation, Education, and Support”

Small Medical Practices are Huge Targets!


By Aris Medical Solutions


Many organizations have the attitude that they are too small to be a target for a data breach. Just because you don’t hear about small and medium sized practices being targeted doesn’t mean it is not happening.

Most medical practices are busy treating patients and are not aware of the severity behind this type of threat. Since small and even medium sized practices do not have the infrastructure in place to protect their data, they are a larger target than they think. Data breaches can go undetected for months, if not years, since these practices are not watching for them. For instance, if a Pediatric Practice is hacked, those Social Security numbers can be used for years before it will be discovered.

Many business associates are also targeted because they have access to medical records in a different manner. Again, small and midsized organizations that do not have appropriate safeguards in place can wreak havoc in a medical environment. So what can you do?

First of all, conduct a Security Risk Analysis to understand what your vulnerabilities are. This is critical in order to mitigate risks.
Next, have a network security audit performed. Even if you access your data in the cloud and not through an onsite server, you can still be hacked.
Invest in monitoring your network. Know who is accessing your data.
TRAINING IS A MUST! Your employees can be your best asset or your largest liability.

Not only is this required under HIPAA, it is considered best practice in protecting patient data.

Contact Aris Medical Solutions at 877.659.2467 or click here to find out how we can protect your organization.

“Protecting Organizations through Partnership, Education, and Support”

©2024 Aris Medical Solutions