HIPAA Retention Requirements: What You Need to Know

August 5, 2024
When it comes to healthcare compliance, keeping the right records for the right amount of time is crucial. The HIPAA retention requirements state that certain documents must be kept for at least six years, either from the date they were created or the last date they were in effect.
It’s important not to confuse these federal requirements with state laws about medical record retention. HIPAA’s rules focus more on administrative documentation than on clinical patient records.
Within the Administrative Simplification provisions of HIPAA, you’ll find multiple references to data retention. These fall into two main categories: HIPAA medical records retention and HIPAA documentation retention. This guide breaks them down so you know exactly what you’re responsible for—and how long you need to hold onto it.
What Are HIPAA Retention Requirements?
If you work in healthcare or insurance, you’re expected to hang onto certain documents—and not just for a little while. HIPAA retention requirements say you need to keep specific records for six years, either from when they were created or from the last time they were in effect.
This doesn’t only apply to patient medical records. It also includes things like privacy policy updates, written communications, and documentation tied to how you handle Protected Health Information (PHI).
Why does it matter? Keeping these documents on file helps ensure that patient data is available if needed—and that privacy rules were followed along the way.
To stay compliant, organizations need to use secure storage, have clear data management policies, and run regular audits. Skipping these steps can lead to fines or legal trouble. At its core, this rule is about protecting patient privacy and proving your organization is following HIPAA compliance guidelines.
Why Doesn’t HIPAA Set Record Retention Periods?
It might surprise some people, but HIPAA—for all its strict privacy rules—doesn’t actually set a minimum time frame for how long medical records must be kept. Here’s why:
- State Laws Already Set the Rules
Medical record retention is mostly handled at the state level, and every state has its own set of rules. Rather than creating conflict, HIPAA defers to state regulations—meaning healthcare providers must follow whichever rule is stricter.
- HIPAA’s Focus Is on Privacy, Not Duration
HIPAA is designed to protect the privacy and security of Protected Health Information (PHI). The law is more concerned with how data is stored and shared, not how long it sticks around. As long as PHI is retained, it must be protected—but the retention timeline is left to other laws.
- Flexibility for Different Healthcare Entities
Hospitals, insurers, and clinics all operate differently. HIPAA’s approach gives these organizations the flexibility to create retention schedules that align with their business practices—as long as they’re still following applicable federal and state requirements.
- Other Laws Fill the Gaps
While HIPAA doesn’t dictate how long records must be kept, other federal rules often do. For example, Medicare or tax-related regulations might require certain records to be stored for specific time periods. So in practice, HIPAA’s lack of a retention rule isn’t a loophole—it’s intentional.
What Is the Record Retention Period Under HIPAA?
While HIPAA doesn’t specify how long medical records must be kept, it does lay out clear retention requirements for certain types of documentation related to HIPAA compliance. Most of these must be retained for at least six years—from the date they were created or last in effect.
Here’s what covered entities and business associates need to know:
- General Documentation
HIPAA requires healthcare organizations and business associates to retain any documents related to compliance efforts for a minimum of six years. This includes internal policies, procedures, and any actions taken to meet HIPAA standards.
- Privacy Rule Requirements
All materials tied to the HIPAA Privacy Rule—such as privacy notices, authorizations, patient consents, and records of disclosures—must be kept for six years. The retention clock starts from either the date the document was created or when it was last active.
- Security Rule Documentation
Under the HIPAA Security Rule, covered entities must retain documentation related to their security practices, including risk assessments, audits, and incident response reports. These, too, must be retained for at least six years.
- Breach Notification Records
Any documents tied to data breaches—such as breach notification letters and response actions—must also be retained for six years. This ensures you can demonstrate compliance in case of future investigations or audits.
- State Law May Require More
Some state laws require longer medical record retention than HIPAA. In those cases, the stricter rule applies. Organizations must be aware of both federal and state retention laws and follow whichever one demands more.
- Best Practices for Compliance
To meet HIPAA retention requirements, organizations should develop clear record-keeping policies, conduct regular audits, and use secure storage solutions. Accessible, well-organized documentation is key to maintaining HIPAA compliance—and avoiding fines or legal trouble down the road.
What Are the Other HIPAA Retention Requirements?
While HIPAA doesn’t set a retention period for medical records themselves, it does establish rules for how long other HIPAA-related documents must be kept on file. These requirements are found in 45 CFR 164.316 (Security Rule) and 45 CFR 164.530 (Privacy Rule), and they apply to covered entities and business associates alike.
In general, these HIPAA retention requirements state that relevant documentation must be retained for at least six years from the date it was created—or from the last time it was in effect, whichever is later.
Here’s an example: if you use a privacy policy for three years and then update it, the original version must still be kept for nine years total—six years after it was replaced.
And here’s something important to remember: if a state law requires a shorter retention period than HIPAA does, HIPAA’s standard takes priority.
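The retention clock described above (six years from creation or from the last date in effect, whichever is later, with a longer state period overriding and a shorter one ignored) is easy to get wrong in a records inventory, so here is an added example of how to compute it. This is illustrative code written for this article, not part of any HIPAA text or any product; the document names, dates and the ten-year state period are constructed, and the script assumes a state minimum is measured from the same anchor date as the HIPAA period.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

HIPAA_RETENTION_YEARS = 6  # 45 CFR 164.316 / 164.530 documentation period


def add_years(d: date, years: int) -> date:
    """Add whole years to a date; a Feb 29 anchor lands on Feb 28 in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class ComplianceDocument:
    name: str
    created: date
    last_in_effect: Optional[date]  # None means the document is still in effect


def retention_deadline(doc: ComplianceDocument, state_min_years: int = 0) -> Optional[date]:
    """Earliest date the document may be disposed of, or None while it is still in effect.

    Anchor = the later of creation date and last-in-effect date; period = the longer of
    the HIPAA six years and the state minimum (a shorter state period never wins).
    """
    if doc.last_in_effect is None:
        return None  # retention clock has not started yet
    anchor = max(doc.created, doc.last_in_effect)
    years = max(HIPAA_RETENTION_YEARS, state_min_years)  # assumption: same anchor for state period
    return add_years(anchor, years)


def disposal_status(docs: List[ComplianceDocument], as_of: date,
                    state_min_years: int = 0) -> Dict[str, str]:
    """Classify each document as 'retain' or 'eligible_for_disposal' on the given date."""
    status = {}
    for doc in docs:
        deadline = retention_deadline(doc, state_min_years)
        if deadline is None or as_of < deadline:
            status[doc.name] = "retain"
        else:
            status[doc.name] = "eligible_for_disposal"
    return status


# Constructed sample inventory; the first entry mirrors the article's "used for three
# years, then replaced, so kept nine years total" example.
DOCS = [
    ComplianceDocument("Notice of Privacy Practices v1", date(2015, 1, 1), date(2018, 1, 1)),
    ComplianceDocument("Notice of Privacy Practices v2", date(2018, 1, 1), None),
    ComplianceDocument("2016 security risk analysis", date(2016, 3, 15), date(2016, 3, 15)),
    ComplianceDocument("2020 breach notification letter", date(2020, 6, 30), date(2020, 6, 30)),
]

if __name__ == "__main__":
    today = date(2024, 8, 5)  # constructed review date
    for name, state in disposal_status(DOCS, today).items():
        print(f"{name}: {state}")
    print("with a 10-year state minimum:", disposal_status(DOCS, today, state_min_years=10))
```

Running the script with the constructed review date shows the replaced privacy notice and the 2016 risk analysis as eligible for disposal under HIPAA alone, but both flip back to "retain" once a longer state minimum is applied; the current privacy notice is always retained because its clock has not started.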
Common Documents You Must Retain Under HIPAA
- Notices of Privacy Practices
- Risk assessments and security risk analyses
- Documentation of security incidents and breach responses
- Logs that show access to and updates of Protected Health Information (PHI)
- IT system audits and security reviews
- Authorizations for disclosing PHI to third parties
These documents are critical not just for compliance, but also for demonstrating your organization’s commitment to HIPAA compliance in the event of an audit or investigation.
Conclusion
Understanding and following HIPAA retention requirements is a key part of protecting Protected Health Information (PHI) and staying compliant with both federal and state regulations.
While HIPAA doesn’t set a required retention period for medical records themselves, it does mandate that documentation related to privacy policies, security practices, and breach notifications be kept for at least six years. This documentation supports internal audits, protects organizations from legal risk, and shows clear evidence of HIPAA compliance.
By maintaining proper records and reviewing them regularly, healthcare providers and their partners can stay prepared, avoid penalties, and most importantly—safeguard patient trust.