Covered Entity Checklist: HIPAA Documentation You Must Keep for Six Years
HIPAA Documentation Retention Requirements
HIPAA requires you to retain all documentation mandated by the Privacy, Security, and Breach Notification Rules for at least six years. The countdown runs from the date the item was created or the date it was last in effect, whichever is later. This six-year rule covers policies, procedures, attestations, acknowledgments, logs, and evidence that show how you comply.
Keep the focus on records that demonstrate how you safeguard Protected Health Information (PHI) and how you train staff, manage incidents, and enforce policies. Medical charts follow different rules (addressed below). Here, your goal is proof of compliance over time.
What counts as HIPAA documentation
- Written policies and procedures for the Privacy, Security, and Breach Notification Rules, including Administrative Safeguards and Technical Safeguards.
- Risk Assessments and risk management plans, plus periodic reviews and updates.
- Business Associate Agreements (BAAs) and vendor due‑diligence records.
- Notices of Privacy Practices (NPPs), versions issued, and patient acknowledgments or good‑faith efforts to obtain them.
- PHI Disclosure Authorizations, requests for access, amendments, restrictions, confidential communications, and your responses.
- Accounting of disclosures logs and related correspondence.
- Workforce training content, rosters, competency checks, and sanctions for violations.
- Security incident reports, investigations, and corrective actions.
- Breach risk assessments, notification letters, submission confirmations, and mitigation documentation.
- Device and media control forms, facility access records, and information system activity review summaries.
How to set the clock correctly
- Policies and procedures: retain six years after the policy or any revision was last in effect.
- BAAs: retain six years after the agreement was terminated or replaced.
- NPPs and acknowledgments: retain six years after the NPP version was last used.
- Training, complaints, sanctions, incidents, and breaches: retain six years after the event or resolution.
- Authorizations and disclosure accountings: retain six years after creation or last use.
Don’t confuse HIPAA documentation with medical records
HIPAA’s six‑year rule applies to compliance documentation, not to how long you keep patient medical records. Clinical record retention is primarily governed by state law, licensing boards, and payer rules. When in doubt, keep HIPAA documentation for the full six years and apply a separate schedule to medical records.
State Law Precedence on Record Retention
HIPAA sets a federal “floor.” If a state law is more stringent—such as requiring longer retention to protect privacy or granting greater patient rights—you must follow the state rule. In practice, you comply with HIPAA’s six‑year minimum for HIPAA documentation and apply any longer state requirement that covers the same or related records.
For medical records specifically, state statutes and professional boards typically dictate retention periods. Payer contracts (for example, Medicare or commercial plans) and malpractice considerations can also extend how long you must keep certain records. Always document the basis for the period you choose.
How to apply preemption in practice
- Identify the record type (HIPAA documentation vs. medical record vs. business record).
- Locate the relevant state, federal, and contractual requirements.
- Apply the most protective or longest applicable period and record your rationale.
- Review annually and when laws, contracts, or operations change.
Common areas where state rules are stricter
- Retention for minors (often until the age of majority plus a fixed number of years).
- Mental health, oncology, and imaging records.
- Statutes of limitation for malpractice or consumer protection claims.
Examples of Required HIPAA Documents
Privacy Rule documentation
- Privacy policies and procedures, minimum necessary standards, role‑based access rules.
- Notices of Privacy Practices and patient acknowledgments or documentation of good‑faith efforts.
- PHI Disclosure Authorizations (including marketing, research, and sale of PHI where applicable).
- Requests for access, amendments, restrictions, confidential communications, and your determinations.
- Accounting of disclosures logs and process documentation.
- Complaint investigations, outcomes, and workforce sanctions.
Security Rule documentation
- Risk Assessments, risk treatment plans, and periodic evaluations.
- Administrative Safeguards: security management process, workforce security, information access management, security awareness training, and incident response procedures.
- Technical Safeguards: access controls, audit controls, integrity protections, authentication, and transmission security decisions.
- Physical safeguards and facilities documentation: facility access controls, device and media controls, and backup/contingency planning records.
- Information system activity review results and follow‑up actions.
Breach Notification documentation
- Incident and breach assessments, risk‑of‑harm analyses, and determination memos.
- Notifications to individuals, substitute notice evidence, and timing validation.
- Reports to regulators and the media when required, plus remediation proofs.
Cross‑cutting agreements and evidence
- Business Associate Agreements and vendor security assurances.
- Due‑diligence questionnaires, SOC/independent reports, and onboarding/offboarding checklists.
- Internal audits, management reviews, and corrective action plans.
Guidelines for Medical Record Retention
Medical records contain Protected Health Information and follow state‑driven rules. Establish a schedule that reflects adult, pediatric, specialty, and imaging records, as well as statutes of limitation and payer requirements. HIPAA allows you to retain PHI as long as needed for care, operations, or legal obligations; it does not impose a universal clinical retention period.
Planning principles
- Inventory record types (EHR data, images, billing, device data, messages) and define authoritative systems.
- Set retention “triggers” (last encounter, discharge, device retirement, contract end) and align backups and archives.
- For minors, retain until the age of majority plus the state‑required period.
- Maintain readability, integrity, and retrievability for the full retention period, including metadata and audit trails.
- Account for specialized records (behavioral health, reproductive health, research) that may have added protections.
Documentation and governance
- Publish a retention schedule, cite legal and contractual bases, and train staff.
- Apply holds for audits, investigations, or litigation; suspend destruction until the hold is released.
- Periodically validate that archives open correctly and remain intact after system upgrades or migrations.
Safeguards for Records Disposal
Secure disposal is a compliance requirement. You must protect PHI through the entire lifecycle, including destruction. Match the method to the medium, document every step, and ensure vendors are bound by Business Associate Agreements.
Administrative Safeguards
- Adopt a written disposal policy covering paper, media, devices, and cloud repositories.
- Use destruction requests and approvals, keep chain‑of‑custody, and maintain certificates of destruction.
- Train staff; prohibit use of regular trash or recycling for PHI; supervise collection in locked containers.
- Apply and document litigation/regulatory holds before any destruction.
Technical Safeguards
- For ePHI, use secure wipe, cryptographic erasure, or physical destruction suited to the media.
- Revoke access, remove from directories, and rotate keys before device redeployment or retirement.
- Align backup retention with the schedule and document purge jobs and verification checks.
Physical measures
- Cross‑cut shred, pulverize, pulp, or incinerate paper to render PHI unreadable.
- Store to‑be‑destroyed materials in locked areas; supervise transport with chain‑of‑custody logs.
- Verify vendor processes onsite when feasible and record spot checks.
Compliance Strategies for State and Federal Laws
Integrate HIPAA’s six‑year documentation rule with state and contractual requirements through a unified retention program. Build a defensible schedule, map each record type to an authority, and keep evidence that you followed the rules.
Program steps
- Create a retention matrix listing record types, owners, triggers, and required periods (HIPAA, state, payer).
- Assign accountable owners for Privacy, Security, Legal, and IT; coordinate reviews after Risk Assessments and audits.
- Automate retention and destruction where possible; log exceptions and holds.
- Test disposal processes annually and after system changes; remediate gaps promptly.
- Monitor legal changes; update policies, Business Associate Agreements, and staff training.
Checklist—keep these for six years (minimum)
- All HIPAA policies and procedures (Privacy, Security, Breach Notification).
- Risk Assessments and risk management plans.
- Business Associate Agreements and vendor due‑diligence evidence.
- Notices of Privacy Practices and patient acknowledgments.
- PHI Disclosure Authorizations and accounting of disclosures.
- Training materials, attendance, competency results, and sanctions.
- Incident and breach investigations, notifications, and mitigation records.
- Access, facility, device/media, and audit activity review documentation.
Conclusion
Use HIPAA’s six‑year rule as your floor for compliance documentation, then layer on state and contractual requirements—especially for medical records. A clear schedule, disciplined documentation, and secure disposal close the loop and demonstrate ongoing protection of Protected Health Information.
FAQs
How long must covered entities retain HIPAA documentation?
You must retain HIPAA documentation for at least six years from the date it was created or the date it was last in effect, whichever is later. This includes privacy, security, and breach‑related records, plus supporting evidence such as training, investigations, and acknowledgments. If other laws or contracts require longer, follow the longer period.
What types of HIPAA records are required to be kept?
Required records include policies and procedures; Risk Assessments and risk treatment plans; Business Associate Agreements; Notices of Privacy Practices and acknowledgments; PHI Disclosure Authorizations; requests and responses for access, amendment, and restrictions; accounting of disclosures; workforce training, complaints, and sanctions; security incident and breach documentation; and logs supporting Administrative Safeguards and Technical Safeguards.
Which record retention law takes precedence, federal or state?
HIPAA preempts conflicting state law unless the state rule is more stringent for privacy or grants greater patient rights. In practice, keep HIPAA documentation for six years at minimum and apply longer state requirements when they provide stronger protection or specify longer retention for the same records. For medical records, state law generally controls.
How should covered entities dispose of HIPAA records securely?
Use methods that render PHI unreadable and irrecoverable. For paper, use cross‑cut shredding, pulping, or incineration; for ePHI, use secure wipe or cryptographic erasure matched to the media. Apply Administrative Safeguards (policies, approvals, chain‑of‑custody) and Technical Safeguards (access revocation, verified sanitization), maintain destruction logs, and use vendors under Business Associate Agreements.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.