At a busy healthcare organization, your HIPAA compliance documentation can quickly become a tangled mess of papers and binders. You’re probably already frustrated by the sheer volume of files you’ve accumulated. But do you need all of it? When can you get rid of some documents to lighten the load?
This article covers what documentation you need to keep, why you need to keep it, and how long you need to keep it. We’ll also look at how you can keep your documentation organized.
What Documentation Do I Need to Retain to be Compliant with HIPAA?
The HIPAA Privacy Rule (see § 164.530(j)) requires you to maintain the following:
- Policies and procedures
- Communications that require a written/electronic copy
- Any actions, activities, or designations that require written/electronic records
- Current policies and procedures during the retention period
- Notice of Privacy Practices (if applicable)
- Authorizations for disclosing protected health information (PHI)
- Security risk analyses
- Privacy and security incident documentation
- Breach notification documentation
- Employee sanction documentation
- Complaint and resolution documentation
- Business associate agreements
- Physical security maintenance records
- Information systems activity reviews, decisions, and investigations
- Contingency plans and tests
- Records of the acquisition and movement of hardware and electronic media storing ePHI
- IT security system reviews
Why Documenting Compliance Isn’t an Option
Documentation shows that you took actions to comply with the HIPAA privacy and security rules. In the event of an audit, you will have to supply documentation to the Office for Civil Rights (OCR) to demonstrate your compliance. The OCR may ask for many types of documentation, so you must have everything on hand.
Additionally, when you find a security incident is not a HIPAA breach, the burden of proof is on you to show why breach notification wasn’t required in that circumstance—a requirement under the Breach Notification Rule of HIPAA.
How Long Do I Need to Retain HIPAA Compliance Documentation?
First, let’s draw a distinction between “medical records” and “HIPAA records.” For medical records, you have to look to your state law, as HIPAA doesn’t specify how long you have to keep medical records.
Keep each HIPAA-related record for six years from the date it was created or the date it was last in effect, whichever is later. This helps protect your organization against future allegations. “Therefore if a policy is implemented for three years before being revised, a record of the original policy must be retained for a minimum of nine years after its creation.” —HIPAA Journal
When deciding what data to get rid of, make sure you first consider the risk associated with archiving or deleting data. Your risk analysis will help you to determine what information can be disposed of. Read this article to learn more about properly disposing of ePHI.
Also pay attention to your state’s Statute of Limitations, as the retention period for those documents will most likely be longer than HIPAA requires.
How Do I Keep My HIPAA Documentation Organized?
You have both electronic and hard copy documentation to retain—each will require different methods to keep organized.
- Hard copy. Make sure you keep these documents secure and private, especially those that contain PHI. HIPAA requires those sensitive documents to be appropriately safeguarded to prevent unauthorized access and viewing.
- Electronic. You also must keep sensitive electronic documents secure with appropriate technical safeguards. We recommend consolidating electronic documentation into a centralized and organized system. See some examples below:
To learn more about how HIPAAtrek can help you stay on top of your HIPAA requirements, contact us at firstname.lastname@example.org.
For additional information about documenting HIPAA compliance, see this document produced by the Department of Health and Human Services.