California HIPAA Retention Guidelines

HIPAA Security GuideHow Long Must Medical Facilities Keep Records?

Over the years, the Centers for Medicare and Medicaid Services has issued a number of rules about document retention periods, the most recent of which is the HIPAA retention guidelines associated with 1996’s Health Insurance Portability and Accountability Act (HIPAA). HIPAA updates have created specifics for how long health records must be retained. Many records must be kept for at least six years and records related to Medicare managed care clients must be kept for at least ten years.

HIPAA Retention Guidelines and State Laws

HIPAA guidelines trump state laws if state laws require a retention time period that is less than that required by the federal law. Providers in states that have document retention rules that exceed HIPAA minimums should comply with the greater retention timeline. The California Medical Association offers a link to a detailed guide regarding the retention of medical records in the state as well as access to a number of professional and compliance resources that are helpful for medical practices that want to remain compliant with both federal and state law.

Destroy Documents After Retention Periods

HIPAA retention guidelines also cover the destruction of documents following the end of a required retention period. To save space and money, providers usually cull their files on a regular basis. Yet you can’t simply throw away documents that contain sensitive patient information. A HIPAA-compliant shredding vendor that offers secure onsite shredding or pickup or drop off shredding services is one of the best ways to ensure your practice is compliant with HIPAA document destruction guidelines. Just make sure you’ve reviewed state and federal HIPAA retention guidelines before you ditch your documents.

How do you make sure your medical office is following HIPAA retention guidelines?