What HIPAA Compliance Documentation Do You Need to Keep?


At a busy healthcare organization, your HIPAA compliance documentation can quickly become a tangled mess of papers and binders. You’re probably already frustrated by the sheer volume of files you’ve accumulated. But do you need all of it? When can you get rid of some documents to lighten the load?

This article covers what documentation you need to keep, why you need to keep it, and how long you need to keep it. We’ll also look at how you can keep your documentation organized.

What Documentation Do I Need to Retain to be Compliant with HIPAA?

The HIPAA Privacy Rule (see § 164.530(j)) requires you to maintain the following:

  1. Policies and procedures
  2. Communications that require a written/electronic copy
  3. Any actions, activities, or designations that require written/electronic records

According Rob Pierce of Linford & Co. and HIPAA Journal, items/activities that need to be documented include, but are not limited to:

It is also wise to retain any documents related to a personal injury or breach of contract dispute.

Why Documenting Compliance Isn’t an Option

Documentation shows that you took actions to comply with the HIPAA privacy and security rules. In the event of an audit, you will have to supply documentation to the Office for Civil Rights (OCR) to demonstrate your compliance. The OCR may ask for many types of documentation, so you must have everything on hand.

Additionally, when you find a security incident is not a HIPAA breach, the burden of proof is on you to show why breach notification wasn’t required in that circumstance—a requirement under the Breach Notification Rule of HIPAA.

How Long Do I Need to Retain HIPAA Compliance Documentation?

First, let’s draw a distinction between “medical records” and “HIPAA records.” For medical records, you have to look to your state law, as HIPAA doesn’t specify how long you have to keep medical records.

Keep your HIPAA-related records for six years from its creation date or the date it was last in effect, whichever is most recent. This helps protect your organization against future allegations. “Therefore if a policy is implemented for three years before being revised, a record of the original policy must be retained for a minimum of nine years after its creation.” —HIPAA Journal

When deciding what data to get rid of, make sure you first consider the risk associated with archiving or deleting data. Your risk analysis will help you to determine what information can be disposed of. Read this article to learn more about properly disposing of ePHI.

Also pay attention to your state’s Statute of Limitations, as the retention period for those documents will most likely be longer than HIPAA requires.

How Do I Keep My HIPAA Documentation Organized?

You have both electronic and hard copy documentation to retain—each will require different methods to keep organized.

  • Hard copy. Make sure you keep these documents secure and private, especially those that contain PHI. HIPAA requires those sensitive documents to be appropriately safeguarded to prevent unauthorized access and viewing.
  • Electronic. You also must keep sensitive electronic documents secure with appropriate technical safeguards. We recommend consolidating electronic documentation into a centralized and organized system.
Being Prepared For Investigations

Are you prepared for a potential investigation?

Don’t wait until the Office of Civil Rights (OCR) comes knocking. Use this checklist to prepare now for potential investigations and find the confidence that comes from knowing you can prove compliance.

To learn more about how HIPAAtrek can help you stay on top of your HIPAA requirements, contact us at support@hipaatrek.com.

For additional information about documenting HIPAA compliance, see this document produced by the Department of Health and Human Services.

Request A HIPAAtrek Demo

HIPAAtrek User
Compliance is complicated. Your compliance software doesn’t have to be. Schedule your demo today!

You Might Also Like