So what does HIPAA require with regard to retaining electronic protected health information (ePHI)? Unfortunately, the US Department of Health and Human Services (HHS) does not have very clear guidance on record retention.
The HHS website states, “The HIPAA Privacy Rule does not include medical record retention requirements. Rather, State laws generally govern how long medical records are to be retained. However, the HIPAA Privacy Rule does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal.” (Source: https://www.hipaanswers.com/hipaa-violation-penalties/)
States have differing ePHI record retention requirements for Covered Entities, and by association, Business Associates of Covered Entities. These retention requirements must be complied with even when a Covered Entity or a Business Associate goes out of business. Patients may need access to their health records years after a treatment occurred. If a Covered Entity has gone out of business since the treatment occurred and the patient cannot gain access to their treatment information, it could have a negative impact on the patient.
Most companies and organizations realize that ePHI should be retained for some period of time.
HIPAA Section 164.316(b)(1) requires that organizations:
“(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.”
Section 164.316(b)(2)(i) also says:
“Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.”
To ensure that your organization remains in compliance with HIPAA, we recommend retaining ePHI in accordance with the six-year retention rule outlined above.