HIPAA Record Retention Requirements

HIPAA stands for the Health Insurance Portability and Accountability Act. It belongs to the family of data protection laws and was created to set data processing and security requirements for securing patients' medical information. The law has risen to greater prominence in recent years with the abundance of health data breaches caused by cyber attacks, viruses and ransomware attacks on health insurers and providers. HIPAA provides health insurance coverage for patients who lose or change their jobs, secures the privacy and protection of healthcare data, and helps the healthcare industry control administrative costs. The HIPAA regulation identifies two types of organizations that must be HIPAA compliant: Covered Entities (CE) and Business Associates (BA). Covered entities must implement safeguards to prevent the unauthorized disclosure of protected health information (PHI), as detailed in the HIPAA Security Rule. A Business Associate is an organization that encounters PHI in any way over the course of work it has been contracted to perform. If HIPAA rules are violated, the business associate can be fined directly by regulators. HIPAA is now one of the most essential data privacy and security laws in the US.

HIPAA and Medical Records

HIPAA states that CEs must document any guidelines, policies, actions or assessments carried out to comply with HIPAA rules. The HIPAA Retention Requirements, also known as addressable requirements, are only a subset of the broader list that applies to CEs and their business associates. HIPAA distinguishes between HIPAA-related medical and non-medical records, which must be treated separately. All of these documents must be retained across the health sector for at least six years from their creation date or last effective date, whichever is later.

HIPAA-related records subject to the retention requirements include:
  • Notices of Privacy Practices for entities that must provide them.
  • Authorizations for the Disclosure of protected health information (PHI).
  • Risk Assessments and Risk Analyses.
  • Disaster Recovery and Contingency Plans.
  • Business Associate Agreements supporting HIPAA compliance.
  • Information Security and Privacy Policies.
  • Employee Sanction Policies.
  • Incident and Breach Notification Documentation.
  • Complaint and Resolution Documentation.
  • Physical Security Maintenance Records.
  • Logs Recording Access to and Updating of PHI.
  • IT Security System Reviews (including new procedures or technologies implemented).

All of these documents in the health sector are subject to the HIPAA retention requirements; which of them an organization must keep depends on the nature of the business carried out by the Covered Entity or Business Associate.
