Risk managers and compliance officers for HIPAA-covered entities might be uncertain about what the privacy law requires regarding records retention because medical records, HIPAA records, federal laws, and state laws become entangled. Clarity on HIPAA records retention might relieve some burden so that covered entities are not doing more than necessary just to ensure compliance. The HIPAA Privacy Rule does not include medical record retention requirements, notes Meenakshi Datta, JD, partner with Sidley Austin in Chicago. Rather, it requires covered entities and business associates to retain the documentation their policies and procedures call for, such as audit logs and accountings of disclosures of protected health information (PHI), for six years from the date of the record's creation or the date it was last in effect, whichever is later.

“In other words, HIPAA requires retention of programmatic HIPAA compliance documentation,” Datta says. “It has nothing to do with the retention of PHI itself.”

Datta advises covered entities to evaluate the applicable federal and state requirements and develop a matrix. The matrix will include federal medical record retention requirements, as applicable, such as those for clinical laboratories as established by Clinical Laboratory Improvement Amendments of 1988, state medical record retention requirements, HIPAA compliance program record retention requirements, other federal laws that might impose document retention requirements, and risk management and medical malpractice liability considerations.

Whether a covered entity should go beyond what is required by HIPAA depends on the situation, although Datta does not necessarily advise it.

“If there are open inquiries into breaches or potential security incidents relating to a covered entity’s HIPAA program or response to a prior PHI incident, there may be good reason to impose a document hold on relevant documentation,” she says. “However, in the normal course, it is also important for organizations to be able to rely on their document destruction policies to avoid a scattershot approach resulting in timed-out documents physically or virtually piling up.”

No Seven-Year Requirement

There is a widely perceived notion that HIPAA requires the retention of medical records for seven years, which is untrue, says Christina Steiner, JD, director with Alvarez & Marsal in New York City. “HIPAA requires the retention of HIPAA-related documents, but there is a distinction for electronic PHI. Because of the way it is written, some consulting agencies have interpreted that to mean that electronic PHI is included in that requirement,” Steiner says. “There is some vague writing there, but it only applies to security-related documents and not electronic PHI.”

State laws include their own language regarding medical records retention, and they can vary widely, Steiner notes. State laws also may not define medical records the same way federal law does, so there can be confusion as to how a covered entity should set its policies.

Some organizations adopt a single seven-year rule as a way to simplify compliance: they deliberately retain records longer than is usually required so that one period applies across the organization.

“HIPAA does not in any way, shape, or form say how long you have to house medical records, but it does say you have to have policy on medical records retention. Most state laws say six or seven years, but some have no requirement. Some covered entities choose to maintain their HIPAA records for seven years as a way to be consistent and have just one rule that applies to both medical records and HIPAA security records,” Steiner says. “That effort to have one rule across the board leads to the idea that HIPAA requires the retention of medical records for a certain period, which it does not.”

Another wrinkle is that some covered entities include the HIPAA authorization document in the patient's medical record rather than in a separate file, she notes.

“What they’ve done then is to create an obligation for the six- or seven-year retention of that medical record because that’s where they house the authorization,” Steiner observes. “A better practice is to put the authorization in another file rather than it being a part of the medical record. If you don’t want to retain the medical record for that period because your state law allows a lesser time frame, you’re in a bind because you have a HIPAA authorization in there that has to be retained longer.”

Other State Laws Might Apply

Covered entities with facilities in more than one state must be aware of the different state laws regarding records retention, says Kerry Cahill, JD, an attorney with Lindabury, McCormick, Estabrook & Cooper in Westfield, NJ.

“The covered entity has to understand who is subject to HIPAA. The entity can enter into contracts with other providers, health plans, insurance companies, health clearinghouses, as well as their business associates and subcontractors,” Cahill says. “With all of these different groups, the covered entity has to identify who is subject to HIPAA. Many covered entities are contracting with electronic patient health information systems. The covered entities have to understand what records are held by all of these organizations, their legal requirements to one another, and how that affects their retention policies.”

A common mistake is for healthcare organizations to focus only on HIPAA when considering privacy and records retention, says Mark R. Ustin, JD, partner with Farrell Fritz in Albany, NY. While it is true that HIPAA does not specify how long medical records should be retained, a covered entity should not assume the federal law is the final word on the matter, he says.

“HIPAA itself says that if a state’s law is more restrictive, then that state law applies. That includes things like medical records retention requirements,” Ustin says.

The HIPAA Notice of Privacy Practices should include a policy on the retention of medical records, Ustin says. Also, there should be a policy for expunging records over time, including how the decision is made to destroy records.

“The most obvious decision to make is how long you want to keep those records, and that is going to vary by the type of record, the type of entity, and applicable state laws,” Ustin says. “Where possible, default to the longest minimum period required by law. Having a single period is better than having to make a decision on a record-by-record basis, trying to determine if this a record of type A or type B and which retention period applies.”

Train Employees on Policy

The covered entity also should consider the statute of limitations in the state to ensure records are available in the event of a lawsuit, Ustin notes.

“Make sure you have the policies on file and incorporate this into the larger mandatory HIPAA training that you do on an annual basis to make sure your employees have a full understanding of what you’ve decided to do as policy,” Ustin says. “It’s very easy to go wrong with this because, instinctively, you might think the larger organizations will be better at this, but that’s not always true. The bigger an organization is, the more complicated it is, the more likely it is that something is going to fall through the cracks.”

Small and large organizations need the same basic policies and protocols, with the same baseline attention to detail, Ustin says.

Consult Applicable HIPAA Sections

For non-medical records, covered entities should consult the HIPAA requirements regarding the length of time HIPAA-related non-medical records should be retained, says Tom Garrubba, vice president of Shared Assessments, a group in Santa Fe, NM, that helps organizations develop best practices, education, and tools to drive third-party risk assurance.

He says two sections under HIPAA should be noted:

  • Section 164.316(b)(1) states that organizations must “(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity, or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.”
  • Section 164.316(b)(2)(i) requires that this documentation be retained for six years from the date of its creation or the date when it last was in effect, whichever is later. The clock therefore starts when a document is superseded, not when it is written: if a policy is implemented for a year before being revised, a record of the original policy must be retained for at least seven years from its creation.

Examples of non-medical records include (but are not limited to): the covered entity’s policies, standards, and procedures; risk analyses; business associate agreements; breach notification documentation; contingency and disaster recovery plans; log records for viewing PHI; audits of IT systems; and physical security maintenance and update records.
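The "whichever is later" rule above is easy to get wrong when a retention schedule is automated, because the six years run from the date a document was superseded rather than from the date it was created, a document that is still in effect has no destruction date at all, and a document hold of the kind Datta describes must override the schedule. The following Python is an added illustration written for this article, not code from any of the sources or from HHS; it assumes a simple in-house inventory of compliance records and uses a constructed sample set. The first sample record reproduces the page's own example of a policy revised after one year.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

HIPAA_RETENTION_YEARS = 6  # 45 CFR 164.316(b)(2)(i): six years from creation or last-in-effect


def add_years(d: date, years: int) -> date:
    """Add calendar years. A Feb 29 start date rolls to Feb 28 when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class ComplianceRecord:
    """One HIPAA program record (policy, risk analysis, BAA, breach file, audit log, ...). Hypothetical schema."""
    name: str
    created: date
    last_in_effect: Optional[date] = None  # None means the document is still in effect
    legal_hold: bool = False               # open inquiry or document hold blocks destruction


def retain_until(rec: ComplianceRecord) -> Optional[date]:
    """Earliest date the record may be destroyed under 164.316(b)(2)(i).

    Returns None while the record is still in effect: the six-year clock has not started.
    """
    if rec.last_in_effect is None:
        return None
    start = max(rec.created, rec.last_in_effect)  # "whichever is later"
    return add_years(start, HIPAA_RETENTION_YEARS)


def destruction_eligible(rec: ComplianceRecord, as_of: date) -> bool:
    """True only if the retention period has run out and no hold is in place."""
    if rec.legal_hold:
        return False
    until = retain_until(rec)
    return until is not None and as_of >= until


def build_schedule(records, as_of: date):
    """(name, retain-until date or None, eligible-for-destruction) for each record."""
    return [(r.name, retain_until(r), destruction_eligible(r, as_of)) for r in records]


# Constructed sample inventory (not real records).
SAMPLE_RECORDS = [
    # The article's example: policy in force for one year, then revised -> seven years from creation.
    ComplianceRecord("Privacy policy v1", date(2015, 1, 1), last_in_effect=date(2016, 1, 1)),
    # Current version: still in effect, so no destruction date yet.
    ComplianceRecord("Privacy policy v2", date(2016, 1, 1)),
    # Expired business associate agreement under a document hold for an open breach inquiry.
    ComplianceRecord("BAA, billing vendor", date(2010, 3, 15), last_in_effect=date(2016, 6, 30), legal_hold=True),
    # Point-in-time audit log export created on a leap day.
    ComplianceRecord("PHI access audit log export", date(2016, 2, 29), last_in_effect=date(2016, 2, 29)),
]

if __name__ == "__main__":
    for name, until, eligible in build_schedule(SAMPLE_RECORDS, date(2023, 1, 1)):
        print(f"{name:32} retain until {until}  destroy now: {eligible}")
```

The schedule deliberately covers only the HIPAA compliance documentation the regulation addresses; medical records themselves would need a separate table driven by the state and federal requirements in Datta's matrix, and the longest applicable period wins when a single document falls under more than one rule.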

“It’s important to understand the distinction between medical and HIPAA-related non-medical records. The rule of thumb here is: The states set the law for medical records, while HIPAA-related non-medical documents require a minimum retention of six years,” Garrubba says. “Additionally, trying to steer your way through these channels can be very risky, so ensure that you’re working with your privacy and legal counsel for additional guidance.”


  • Kerry Cahill, JD, Attorney, Lindabury, McCormick, Estabrook & Cooper, Westfield, NJ. Phone: (908) 233-6800. Email: kcahill@lindabury.com.
  • Meenakshi Datta, JD, Partner, Sidley Austin, Chicago. Phone: (312) 853-7169. Email: mdatta@sidley.com.
  • Tom Garrubba, Vice President, Shared Assessments, Santa Fe, NM. Phone: (505) 466-6434.
  • Christina Steiner, JD, Director, Alvarez & Marsal, New York City. Phone: (908) 572-9222. Email: csteiner@alvarezandmarsal.com.
  • Mark R. Ustin, JD, Partner, Farrell Fritz, Albany, NY. Phone: (518) 313-1403. Email: mustin@farrellfritz.com.