HIPAA Data Retention Requirements: State-Wise Policies
Anwita
Oct 01, 2024
Health care services that are privy to protected health information (PHI) and facility policies are legally bound to retain it in the original format throughout its lifecycle. HIPAA offers guidelines for retaining it but is often confusing and difficult to decipher. Nevertheless, HIPAA data retention laws are not to be neglected, as noncompliance can prove to be a costly affair.
But worry not, we untangle the regulatory knots and break down the requirements. This article helps you understand what HIPAA data retention means, the laws around it, and how to approach it.
What is HIPAA data retention?
HIPAA data retention is the period till which healthcare service providers can keep medical record data (PHI) and records of the practice in their database. There is no fixed retention period for PHI but the privacy rule does establish for how long other practice records should be retained.
HIPAA data retention regulations are applicable to business associates (BA) and covered entities (CE). This includes data in any format: electronic, paper, microfilm, DVD, images, X-ray, and more.
HIPAA data retention requirements for medical records (state wise)
A medical record refers to healthcare-related information that a medical practitioner uses to offer healthcare services and make treatment-related decisions. This includes medical history, billing data, test results, clinical diagnosis records, and other official documents protected by HIPAA privacy and security laws.
As outlined above, the privacy rule of HIPAA does not specify an expiry date for patient health records. This is because the retention limit is not consistent: each state has its own schedule on how long CEs and BAs should maintain medical records. The retention limit depends on factors like the type of service provider, age of the patient, type of record, and condition of the subject at the time of discharge.
Additionally, HIPAA provides patients the right to access their medical data or request to edit it.
The table below illustrates how long PHI must be retained in each state from the time of its creation.
State | Medical practice | Hospital |
Alabama | As long as required for treatment and legal purposes | 5 years |
Alaska | 6 years | Adult: 7 years after discharge Minor: 7 years after discharge or till patient’s age is 21 (whichever is longer) |
Arizona | Adult: 6 years from date of service Minor: 6 years from date of service or till patient’s age is 21 (whichever is longer) | Adult: 6 years from date of service Minor: 6 years from date of service or till patient’s age is 21 (whichever is longer) |
Arkansas | 6 years | Adult: 20 years post last discharge. Master patient index to be retained permanently. Minor: Full medical record to be retained till the patient is 20 years. |
California | 6 years | Adult: 7 years post discharge Minor: Till patient is 28 years |
Colorado | 6 years | Adult: 10 years post last discharge Minor: Till patient is 28 years |
Connecticut | Adult: 7 years since last treatment date Minor: 3 years post death | 10 years post last discharge |
Delaware | 7 years since last entry | 6 years |
D.C. | Adult: 3 years since last visit Minor: 3 years since last visit or till patient is 21 years (whichever is longer) | 10 years post discharge |
Florida | 5 years since last contact | 7 years post last record entry |
Georgia | 10 years from the date of last entry | Adult: 5 years post discharge Minor: Till patient is 23 years |
Hawaii | Adult: Full records till 7 years of last entry and basic data for 25 years after last entry Minor: Full medical records till patient is 25 years and basic data till patient is 43 years (or 25 years after they turn 18) | Adult: Full records till 7 years of last entry and basic data for 25 years after last entry Minor: Full medical records till the patient is 25 years and basic data till the patient is 43 years (or 25 years after they turn 18) |
Idaho | 6 years | 5 years post lab test and records |
Illinois | 6 years | 10 years |
Indiana | 7 years | 7 years |
Iowa | Adult: 7 years since last date of service Minor: Till patient is 18 years old | 6 years |
Kansas | 10 years | Adult: 10 years post last discharge (full records) Minor: 10 years post last discharge or till the patient is 19 years (whichever is longer) Summary of destroyed records for both: 25 years |
Kentucky | 6 years | Adult: 5 years after discharge Minor: 5 years post discharge or till patient’s age is 21 (whichever is longer) |
Louisiana | 6 years | 10 years post discharge |
Maine | 6 years | Adult: 7 years Minor: Till patient is 24 years. Patient logs and X ray results on papers are to be maintained permanently |
Maryland | Adult: 5 years Minor: 5 years or till patient’s age is 21 (whichever is longer) | Adult: 5 years Minor: 5 years or till patient’s age is 21 (whichever is longer) |
Massachusetts | Adult: 7 years Minor: 7 years or till patient’s age is 18 (whichever is longer) | 30 years post discharge |
Michigan | 7 years | 7 years |
Minnesota | 6 years | Most records must be maintained permanently in microfilm Adult: 7 years Minor: Till patient is 25 years |
Mississippi | 6 years | Adult: 10 years if discharged in sound mental state Minor: Till patient is 25 years Deceased: 7 years |
Missouri | 7 years | Adult: 10 years Minor: 10 years or till the patient is 23 years (whichever is longer) |
Montana | 6 years | Adult: 10 years post discharge Minor (below 19): 10 years post discharge or till patient age is 22 (whichever is longer) |
Nebraska | 6 years | Adult: 7 years post discharge Minor: 7 years post discharge or till patient age is 19 (whichever is longer) |
Nevada | 5 years | 5 years |
New Hampshire | 7 years unless record is transferred to another physician | Adult: 10 years post discharge Minor: 10 years post discharge or till patient age is 23 (whichever is longer) Discharge sheets for minor and adult: 20 years post discharge |
New Jersey | 7 years | Adult: 10 years post discharge Minor: 10 years post discharge or till patient’s age is 23 (whichever is longer) Discharge sheets for minor and adult: 20 years post discharge |
New Mexico | Adult: 8 years Minor: Till patient is 20 years | Adult: 10 years Minor: Till patient is 19 years |
New York | Adult: 6 years Minor: 6 years or till patient’s age is 19 (whichever is longer) | Adult: 6 years post discharge Minor: 6 years or till the patient’s age is 21 (whichever is longer) Deceased: 6 years |
North Carolina | 6 years | Adult: 11 years post discharge Minor: Till patient is 30 years |
North Dakota | 6 years | Adult: 10 years Minor: 10 years or till the patient’s age is 21 (whichever is longer) |
Ohio | 6 years | 6 years |
Oklahoma | 6 years | Adult: 5 years Minor: Till patient is 21 years Deceased: 3 years |
Oregon | 6 years | 10 years post last date of discharge. Master patient index should be maintained permanently. |
Pennsylvania | Adult: 7 years Minor: 7 years or till patient’s age is 22 (whichever is longer) | Adult: 70 years post discharge Minor: Till patient is 25 years |
Rhode Island | 5 years | Adult: 5 years Minor: Till patient is 23 years |
South Carolina | Adult: 10 years Minor: 13 years | Adult: 10 years Minor: 10 years or till the patient’s age is 19 (whichever is longer) |
South Dakota | When records are inactive and physicians cannot contact the patient record | Adult: 10 years post discharge Minor: 10 years or till the patient’s age is 20 (whichever is longer) |
Tennessee | Adult: 10 years Minor: 10 years or till patient’s age is 22 (whichever is longer) | Adult: 10 years Minor: 10 years or till the patient’s age is 22 (whichever is longer) |
Texas | Adult: 7 years Minor: 7 years or till patient’s age is 21 (whichever is longer) | Adult: 10 years post discharge Minor: 10 years or till the patient’s age is 20 (whichever is longer) |
Utah | 6 years | Adult: 7 years Minor: 7 years or till the patient’s age is 22 (whichever is longer) |
Vermont | 6 years | 10 years |
Virginia | Adult: 6 years Minor: 6 years or till patient’s age is 18 (whichever is longer) | Adult: 5 years post discharge Minor: Till patient’s age is 23 |
Washington | 6 years | Adult: 10 years post discharge Minor: 10 years post discharge or till the patient’s age is 21 (whichever is longer) |
West Virginia | 6 years | 6 years |
Wisconsin | 5 years | 5 years |
Wyoming | 6 years | 6 years |
What does HIPAA say about document and practice record retention?
HIPAA retention requirements for documents within healthcare organizations are covered in subsection 164.316 (security and privacy) of Title 45 subtitle A. It states that healthcare service providers should document policies and procedures required to comply with HIPAA requirements. These documents should be maintained for six years from (i) the date of their creation or (ii) the date when they were last in effect.
Whichever of the two dates is later applies. For example, if you create a policy and implement it for 2 years, the original copy of the document must be retained for eight years from the date of its creation.
- Designation of privacy officers
- Employee training materials
- All complaints received and their disposition
- Appropriate sanctions against employees for noncompliance
- Changes and updates to the privacy policies or procedures of the practice
More considerations on HIPAA data retention
To add to the complexities of running a healthcare business, you may be subject to multiple regulations based on the type of service and data.
For example, the Financial Industry Regulatory Authority (FINRA) is applicable to health insurance companies. The retention period varies based on the record. If no retention period is specified, it should be kept for six years.
Health plans are also subject to ERISA. The Employee Retirement Income Security Act of 1974 requires health plans to retain employee benefit plan record data for six years from the date of filing.
Another regulation, from the Centers for Medicare & Medicaid Services (CMS), requires healthcare providers to retain cost reports for five years after their closure.
Easier way to ensure HIPAA data retention
Trying to unravel HIPAA requirements by yourself will quickly put you in a rabbit hole of regulations. Not to mention it is time-consuming, prone to errors, and can land you in legal hot soup.
But have no fear, 'cause Sprinto is here to make your HIPAA data worries disappear. This compliance automation tool has all laws and policies built in. It offers complete protection to data by monitoring for unauthorized access, flagging suspicious activity, and tracking your progress on HIPAA compliance.
Sprinto also enables you to set up role-based access control, granular settings, and custom policies so you can always stay compliant. Talk to our experts today.
FAQs
How long must records be kept under HIPAA?
HIPAA requires business associates and covered entities to retain policies, procedures, and changes for six years from the date of their creation or from when they were last in effect.
How long must you retain a HIPAA authorization for research?
Covered entities must retain patient authorization for six years after it is signed.