The HIPAA Privacy Rule does not stipulate how long medical records must be retained; there is no HIPAA medical records retention period. Each State sets its own requirements for how long healthcare organizations must keep medical records. In general, HIPAA preempts a contrary State law unless the State law is stricter (more stringent) than HIPAA. Because HIPAA sets no retention period for medical records, the State rules in that case. However, the HIPAA Administrative Simplification Rules do require a Covered Entity, such as a physician billing Medicare, to retain its required HIPAA documentation (policies, procedures, and records of the actions, activities, and assessments the Rules call for) for six years from the date of its creation or the date when it was last in effect, whichever is later. This HIPAA requirement preempts a State law that would allow a shorter period; your State may require a longer one. The HIPAA documentation retention requirement is at 45 CFR 164.316(b)(2).

Most important to keep in mind is NOT to retain medical records longer than necessary: once the applicable retention period has run, dispose of them securely. Every year of old medical records you keep is more protected health information that can be lost, stolen, or breached, so storing them adds another vulnerability to the organization, and depending on where the records are stored, another out-of-pocket monthly payment for storage.

Security and compliance are first and foremost in the management of our clients' systems. After conducting thousands of Security Risk Assessments (SRAs), we saw the same vulnerabilities emerge again and again. We launched HIPAA Tip Tuesday to make clients aware of the actions they can take to address these vulnerabilities.

Have a great week!