A Quick Guide to HIPAA Data Retention [State-Wise Laws]

Anwita


Jan 22, 2024


Healthcare services that handle protected health information (PHI) and facility policies are legally bound to retain it in its original format throughout its lifecycle. HIPAA offers guidelines for retaining it, but they are often confusing and difficult to decipher. Nevertheless, HIPAA data retention laws are not to be neglected, as non-compliance can prove to be a costly affair.

But worry not: we untangle the regulatory knots and break down the requirements. This article helps you understand what HIPAA data retention means, the laws around it, and how to approach it.

What is HIPAA data retention?

HIPAA data retention is the period for which healthcare service providers must keep medical record data (PHI) and records of the practice in their systems. There is no fixed retention period for PHI, but the Privacy Rule does establish how long other practice records must be retained.

HIPAA data retention regulations apply to business associates (BAs) and covered entities (CEs). This covers data in any format: electronic, paper, microfilm, DVD, images, X-rays, and more.

HIPAA data retention requirements for medical records (state wise)

A medical record refers to healthcare-related data that a medical practitioner uses to offer healthcare services and make treatment decisions. This includes medical history, billing data, test results, clinical diagnosis records, and other official documents protected by the HIPAA Privacy and Security Rules.

As outlined above, the HIPAA Privacy Rule does not specify an expiry date for patient health records. This is because the retention limit is not consistent: each state has its own schedule for how long CEs and BAs must maintain medical records. The retention limit depends on factors like the type of service provider, the age of the patient, the type of record, and the condition of the patient at the time of discharge.

Additionally, HIPAA provides patients the right to access their medical data or request to edit it. 

The table below illustrates how long PHI must be retained in each state from the time of its creation. 

State | Medical practice | Hospital
----- | ---------------- | --------
Alabama | As long as required for treatment and legal purposes | 5 years
Alaska | 6 years | Adult: 7 years after discharge. Minor: 7 years after discharge or until the patient is 21 (whichever is longer)
Arizona | Adult: 6 years from date of service. Minor: 6 years from date of service or until the patient is 21 (whichever is longer) | Adult: 6 years from date of service. Minor: 6 years from date of service or until the patient is 21 (whichever is longer)
Arkansas | 6 years | Adult: 20 years after last discharge; master patient index retained permanently. Minor: full medical record retained until the patient is 20
California | 6 years | Adult: 7 years after discharge. Minor: until the patient is 28
Colorado | 6 years | Adult: 10 years after last discharge. Minor: until the patient is 28
Connecticut | Adult: 7 years from last treatment date. Minor: 3 years after death | 10 years after last discharge
Delaware | 7 years from last entry | 6 years
D.C. | Adult: 3 years from last visit. Minor: 3 years from last visit or until the patient is 21 (whichever is longer) | 10 years after discharge
Florida | 5 years from last contact | 7 years after last record entry
Georgia | 10 years from date of last entry | Adult: 5 years after discharge. Minor: until the patient is 23
Hawaii | Adult: full records for 7 years after last entry and basic data for 25 years after last entry. Minor: full medical records until the patient is 25 and basic data until the patient is 43 (or 25 years after they turn 18) | Adult: full records for 7 years after last entry and basic data for 25 years after last entry. Minor: full medical records until the patient is 25 and basic data until the patient is 43 (or 25 years after they turn 18)
Idaho | 6 years | 5 years after lab test and records
Illinois | 6 years | 10 years
Indiana | 7 years | 7 years
Iowa | Adult: 7 years from last date of service. Minor: until the patient is 18 | 6 years
Kansas | 10 years | Adult: 10 years after last discharge (full records). Minor: 10 years after last discharge or until the patient is 19 (whichever is longer). Summary of destroyed records for both: 25 years
Kentucky | 6 years | Adult: 5 years after discharge. Minor: 5 years after discharge or until the patient is 21 (whichever is longer)
Louisiana | 6 years | 10 years after discharge
Maine | 6 years | Adult: 7 years. Minor: until the patient is 24. Patient logs and X-ray results on paper are to be maintained permanently
Maryland | Adult: 5 years. Minor: 5 years or until the patient is 21 (whichever is longer) | Adult: 5 years. Minor: 5 years or until the patient is 21 (whichever is longer)
Massachusetts | Adult: 7 years. Minor: 7 years or until the patient is 18 (whichever is longer) | 30 years after discharge
Michigan | 7 years | 7 years
Minnesota | 6 years | Most records must be maintained permanently on microfilm. Adult: 7 years. Minor: until the patient is 25
Mississippi | 6 years | Adult: 10 years if discharged in sound mental state. Minor: until the patient is 25. Deceased: 7 years
Missouri | 7 years | Adult: 10 years. Minor: 10 years or until the patient is 23 (whichever is longer)
Montana | 6 years | Adult: full medical records for 10 years. Minor: full medical record until the patient is 28. Core medical records must be maintained for 10 years beyond the period stated above
Nebraska | 6 years | Adult: 10 years after discharge. Minor (below 19): 10 years after discharge or until the patient is 22 (whichever is longer)
Nevada | 5 years | 5 years
New Hampshire | 7 years unless the record is transferred to another physician | Adult: 7 years after discharge. Minor: 7 years after discharge or until the patient is 19 (whichever is longer)
New Jersey | 7 years | Adult: 10 years after discharge. Minor: 10 years after discharge or until the patient is 23 (whichever is longer). Discharge sheets for minors and adults: 20 years after discharge
New Mexico | Adult: 8 years. Minor: until the patient is 20 | Adult: 10 years. Minor: until the patient is 19
New York | Adult: 6 years. Minor: 6 years or until the patient is 19 (whichever is longer) | Adult: 6 years after discharge. Minor: 6 years or until the patient is 21 (whichever is longer). Deceased: 6 years
North Carolina | 6 years | Adult: 11 years after discharge. Minor: until the patient is 30
North Dakota | 6 years | Adult: 10 years. Minor: 10 years or until the patient is 21 (whichever is longer)
Ohio | 6 years | 6 years
Oklahoma | 6 years | Adult: 5 years. Minor: until the patient is 21. Deceased: 3 years
Oregon | 6 years | 10 years after last date of discharge. Master patient index should be maintained permanently
Pennsylvania | Adult: 7 years. Minor: 7 years or until the patient is 22 (whichever is longer) | Adult: 70 years after discharge. Minor: until the patient is 25
Rhode Island | 5 years | Adult: 5 years. Minor: until the patient is 23
South Carolina | Adult: 10 years. Minor: 13 years | Adult: 10 years. Minor: 10 years or until the patient is 19 (whichever is longer)
South Dakota | When records are inactive and the physician cannot contact the patient | Adult: 10 years after discharge. Minor: 10 years or until the patient is 20 (whichever is longer)
Tennessee | Adult: 10 years. Minor: 10 years or until the patient is 22 (whichever is longer) | Adult: 10 years. Minor: 10 years or until the patient is 22 (whichever is longer)
Texas | Adult: 7 years. Minor: 7 years or until the patient is 21 (whichever is longer) | Adult: 10 years after discharge. Minor: 10 years or until the patient is 20 (whichever is longer)
Utah | 6 years | Adult: 7 years. Minor: 7 years or until the patient is 22 (whichever is longer)
Vermont | 6 years | 10 years
Virginia | Adult: 6 years. Minor: 6 years or until the patient is 18 (whichever is longer) | Adult: 5 years after discharge. Minor: until the patient is 23
Washington | 6 years | Adult: 10 years after discharge. Minor: 10 years after discharge or until the patient is 21 (whichever is longer)
West Virginia | 6 years | 6 years
Wisconsin | 5 years | 5 years
Wyoming | 6 years | 6 years

What does HIPAA say about document and practice record retention?

HIPAA retention requirements for documents within healthcare organizations are covered in section 164.316 (security and privacy) of Title 45, Subtitle A. It states that healthcare service providers must document the policies and procedures required to comply with HIPAA. These documents must be retained for six years from (i) the date of their creation or (ii) the date they were last in effect.

Whichever of the two dates is later applies. For example, if you create a policy and keep it in effect for 2 years, the original copy of the document must be retained for eight years from the date of its creation. Documents covered by this requirement include:

  • Designation of privacy officers
  • Employee training materials
  • All complaints received and their disposition
  • Appropriate sanctions against employees for non-compliance
  • Changes and updates to the privacy policies or procedures of the practice

More considerations on HIPAA data retention

To add to the complexities of running a healthcare business, you may be subject to multiple regulations based on the type of service and data. 

For example, the Financial Industry Regulatory Authority (FINRA) is applicable to health insurance companies. The retention period varies based on the record. If no retention period is specified, it should be kept for six years. 

Health plans are also subject to ERISA. The Employee Retirement Income Security Act of 1974 requires health plans to retain employee benefit plan record data for six years from the date of filing. 

The Centers for Medicare & Medicaid Services (CMS) also requires healthcare providers to retain cost reports for five years after their closure.

Easier way to ensure HIPAA data retention

Trying to unravel HIPAA requirements by yourself will quickly send you down a rabbit hole of regulations. Not to mention it is time-consuming, prone to errors, and can land you in legal hot water.

But have no fear, because Sprinto is here to make your HIPAA data worries disappear. This compliance automation tool has all laws and policies built in. It protects data by monitoring for unauthorized access, flagging suspicious activity, and tracking your progress on HIPAA compliance.

Sprinto also enables you to set up role-based access control, granular settings, and custom policies so you can always stay compliant. Talk to our experts today.

FAQs

How long must records be kept under HIPAA?

HIPAA requires business associates and covered entities to retain policies, procedures, and changes to them for six years from the date of creation or the date they were last in effect, whichever is later.

How long must you retain a HIPAA authorization for research?

Covered entities must retain patient authorization for six years after it is signed.


Anwita is a cybersecurity enthusiast and veteran blogger all rolled into one. Her love for everything cybersecurity started her journey into the world of compliance. With multiple cybersecurity certifications under her belt, she aims to simplify complex security-related topics for all audiences. She loves to read nonfiction, listen to progressive rock, and watch sitcoms on the weekends.
