HIPAA Documentation Retention Requirements: How Long Covered Entities Must Keep Records
Kevin Henry

HIPAA

January 17, 2025


HIPAA Documentation Retention Periods

Under HIPAA, covered entities and business associates must retain required HIPAA compliance documentation for a defined period. The core rule is to keep each required record for six years from the date it was created or the date it last was in effect, whichever is later. The Security Rule states this at 45 CFR 164.316(b)(2)(i) and the Privacy Rule at 45 CFR 164.530(j)(2), so the same six-year floor applies to documentation under both rules. The documentation may be kept electronically, but it must remain available to the people responsible for carrying out the procedures it describes, and it must be reviewed and updated as your environment and operations change.

What counts as HIPAA compliance documentation

The rule reaches the written policies and procedures you adopt to comply with the Privacy and Security Rules and, under 45 CFR 164.316(b)(1)(ii), a written record of any action, activity, or assessment those rules require you to perform. In practice that means your policies and procedures, security risk analyses and risk management plans, workforce training records, business associate agreements, breach investigation and notification files, sanction records, and logs of PHI destruction. Clinical medical records themselves are not "compliance documentation" in this sense; their retention is covered separately below.

The six-year rule in practice

Apply the “last in effect” test every time you update or replace a document. For example, if you update your privacy policy on April 15, 2025, keep the prior version until at least April 15, 2031. If a BAA terminates on May 10, 2024, retain it and related correspondence until at least May 10, 2030.

Practical scheduling tips

  • Version and date-stamp all HIPAA compliance documentation so you can calculate each record’s individual retention end date.
  • Automate reminders to review and securely dispose of records that have satisfied retention while preserving those that must remain.
  • When litigation holds or investigations apply, suspend destruction for any potentially relevant records.

State Law Retention Requirements

HIPAA sets retention periods for HIPAA compliance documentation, not for clinical medical records themselves. Medical record retention is primarily governed by state law and, in some cases, other federal rules or payer contracts (for example, the Medicare Conditions of Participation require hospitals to keep medical records for at least five years, 42 CFR 482.24(b)(1)). Many states require providers to keep adult medical records for a defined period (often 5–10 years) and longer for minors, commonly measured from the minor's age of majority rather than from the date of treatment.

Follow the most stringent rule that applies to your organization. If state law or another regulator requires you to retain medical records or certain logs longer than HIPAA’s six-year minimum for documentation, adopt the longer schedule. For multi-state operations, implement a master retention schedule that maps requirements by location and record type.

How to operationalize state requirements

  • Inventory record types (e.g., EHR entries, imaging, billing, audit trails, HIPAA compliance documentation) and map each to state and federal rules.
  • When in doubt, default to the longest applicable retention period to avoid premature destruction.
  • Document your rationale so auditors can see how you determined the applicable timeline.
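The "last in effect" test and the "longest applicable rule" decision are easy to state and easy to get wrong at scale, so they are worth mechanizing. The following Python is an added example, not code from the original article or from Accountable's product. The record types, function names, and the state periods in SAMPLE_RULES are assumptions made for illustration (the ST_A and ST_B figures are placeholders, not real statutes); only the HIPAA six-year floor and its citations are taken from the rules themselves.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# HIPAA floor for required compliance documentation: six years from creation
# or from the date the document was last in effect, whichever is later
# (45 CFR 164.316(b)(2)(i) for the Security Rule, 164.530(j)(2) for Privacy).
HIPAA_DOC_YEARS = 6
HIPAA_DOC_TYPES = {"policy", "procedure", "baa", "training", "risk_assessment",
                   "breach_file", "destruction_log"}

# Constructed sample master schedule: (record_type, jurisdiction, years).
# A jurisdiction of None means the rule applies everywhere. The periods for
# ST_A and ST_B are illustrative placeholders, not real state statutes.
SAMPLE_RULES = [
    ("medical_record", "ST_A", 7),
    ("medical_record", "ST_B", 10),
    ("medical_record_minor", "ST_B", 21),
    ("audit_trail", None, 6),   # organizational choice, not a HIPAA mandate
]


@dataclass
class Record:
    record_id: str
    record_type: str
    jurisdiction: str
    created: date
    # Date the document was superseded or terminated (for clinical records,
    # the date the record was closed). None means it is still in effect, so
    # the retention clock has not started.
    last_in_effect: Optional[date] = None
    legal_hold: bool = False    # litigation hold or open investigation


def add_years(d: date, years: int) -> date:
    """Calendar-year addition; 29 Feb rolls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def applicable_years(rec: Record, rules=SAMPLE_RULES) -> int:
    """Longest period among every rule covering this record type in this
    jurisdiction, with HIPAA's six years added as a floor for compliance
    documentation. An unmapped record type raises instead of defaulting to
    zero, so nothing is ever treated as destroyable by accident."""
    periods = [years for (rtype, juris, years) in rules
               if rtype == rec.record_type and juris in (None, rec.jurisdiction)]
    if rec.record_type in HIPAA_DOC_TYPES:
        periods.append(HIPAA_DOC_YEARS)
    if not periods:
        raise ValueError(f"no retention rule maps {rec.record_type!r} "
                         f"in {rec.jurisdiction!r}")
    return max(periods)


def retention_end(rec: Record, rules=SAMPLE_RULES) -> Optional[date]:
    """Earliest date on which destruction may be considered, or None while
    the record is still in effect."""
    if rec.last_in_effect is None:
        return None
    anchor = max(rec.created, rec.last_in_effect)   # "whichever is later"
    return add_years(anchor, applicable_years(rec, rules))


def disposal_eligible(rec: Record, today: date, rules=SAMPLE_RULES) -> bool:
    """True only when the clock has run out and no hold suspends destruction."""
    if rec.legal_hold:
        return False
    end = retention_end(rec, rules)
    return end is not None and today >= end


if __name__ == "__main__":
    # Constructed sample inventory using the dates from the article's examples.
    inventory = [
        Record("POL-7", "policy", "ST_A", date(2019, 1, 1), date(2025, 4, 15)),
        Record("BAA-42", "baa", "ST_A", date(2021, 6, 1), date(2024, 5, 10)),
        Record("MRN-1", "medical_record", "ST_B", date(2020, 3, 1), date(2020, 3, 1)),
        Record("POL-8", "policy", "ST_A", date(2025, 4, 15)),          # current
        Record("BRF-3", "breach_file", "ST_A", date(2018, 2, 1), date(2018, 2, 1),
               legal_hold=True),
    ]
    today = date(2031, 6, 1)
    for rec in inventory:
        print(f"{rec.record_id:7} end={retention_end(rec)}  "
              f"eligible={disposal_eligible(rec, today)}")
```

Two design choices matter here. A document that is still in effect has no retention end date at all, which prevents a current policy from being scheduled for destruction because it was created more than six years ago. And a record type with no mapped rule raises an error rather than defaulting to zero, so the schedule can only ever fail safe, toward keeping a record.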

Disposal and Safeguards of PHI

HIPAA requires reasonable and appropriate safeguards when you dispose of protected health information (PHI). The Security Rule specifically requires policies and procedures for the final disposition of ePHI and the hardware or media it is stored on (45 CFR 164.310(d)(2)(i)) and for removing ePHI from media before the media are re-used (164.310(d)(2)(ii)). Your policies should specify how paper and electronic PHI are rendered unreadable, indecipherable, and unable to be reconstructed, and how you control the process end-to-end.

Paper PHI disposal

  • Use methods that render PHI unreadable and indecipherable (e.g., cross-cut shredding, pulverizing, or incineration).
  • Secure collection bins, restrict access, and supervise transport to the destruction site.
  • Obtain certificates of destruction when using a destruction vendor, and confirm obligations in the BAA.

Electronic PHI disposal

  • Sanitize media before reuse and securely destroy media that will not be reused (e.g., cryptographic erasure, secure wipe, or physical destruction consistent with device type; NIST SP 800-88 describes clear, purge, and destroy methods per media type). Cryptographic erasure only counts as sanitization if the data was encrypted before it was written and every copy of the key, including escrowed and backed-up copies, is destroyed.
  • Track custody of storage devices, manage encryption keys, and log destruction events for audit purposes.
  • Address backup media and cloud storage explicitly so PHI remnants are not overlooked.

Administrative safeguards during disposal

  • Define roles, approvals, and chain-of-custody steps for PHI destruction.
  • Train staff on your procedures and monitor vendors under your business associate agreements (BAAs).
  • Retain destruction logs as part of your HIPAA compliance documentation.

Business Associate Agreement Retention

Keep each business associate agreement—and every amendment, addendum, and termination letter—for six years from the date the BAA last was in effect. That means the clock starts when the BAA is superseded or terminated, not when it was originally signed.

What to keep in your BAA file

  • Executed BAAs, renewals, amendments, and termination notices.
  • Vendor risk assessments, due diligence notes, and service inventories describing PHI flows.
  • Evidence of vendor training or safeguards when provided, and certificates of PHI return or destruction at contract end.

Clear BAA retention supports accountability for PHI disclosure, breach response coordination, and verification of ongoing administrative safeguards.

Breach Notification Recordkeeping

Maintain breach notification records for at least six years. The Breach Notification Rule places the burden of proof on you (45 CFR 164.414(b)): you must be able to show either that all required notifications were made or that the incident did not constitute a breach. This file should prove what you decided, what you did, and when you did it, from risk assessment through notification and remediation. It also includes the log of breaches affecting fewer than 500 individuals that must be submitted to HHS no later than 60 days after the end of each calendar year (164.408(c)).

What to document

  • Incident timelines, investigation notes, and the risk assessment showing the probability of compromise.
  • Copies of individual notices, substitute notices, press releases (if required), and mailing or email delivery proofs.
  • Reports to regulators, submissions to the HHS portal, and communications with business associates.
  • Corrective actions, sanctions, and post-incident monitoring results.

Well-structured breach files demonstrate compliance and allow you to respond quickly to audits or patient inquiries.

Risk Assessment Documentation

Your security risk analysis (45 CFR 164.308(a)(1)(ii)(A)) and risk management plan (164.308(a)(1)(ii)(B)) sit at the heart of HIPAA compliance. Document methodology, scope, systems in scope, threats, vulnerabilities, likelihood, impact, and risk ratings, along with selected safeguards and acceptance or mitigation decisions.

Retain each risk assessment and its supporting workpapers for six years from when the assessment (or a given version) was last in effect. Update documentation whenever your environment or threats change—such as new systems, integrations, or workflows—and record why decisions changed over time.

Make the documentation actionable

  • Link risks to specific administrative safeguards, technical controls, and implementation timelines.
  • Capture exceptions, compensating controls, and approvals so reviewers see the full decision path.
  • Align incident response, contingency planning, and audit trails with the risks identified.

Training and Access Log Retention

HIPAA requires workforce training on your privacy policies (45 CFR 164.530(b)) and a security awareness and training program (164.308(a)(5)), and you must keep training records as part of your HIPAA compliance documentation. Retain training curricula, dates, rosters, acknowledgments, and refresher materials for at least six years from when each version was last in effect.

For system access, implement audit controls (45 CFR 164.312(b)) that generate audit trails showing who accessed ePHI, when, and what they did, and review them regularly as part of information system activity review (164.308(a)(1)(ii)(D)). HIPAA does not prescribe a retention period for the logs themselves. The records showing that you performed those reviews are what auditors ask for, and the six-year documentation rule is the natural baseline for them; for the same reason many organizations align retention of the underlying logs with the six-year standard to support investigations and demonstrate compliance.

Practical guidance

  • Define minimum detail (user ID, timestamp, patient or record identifier, action type, source system, and outcome).
  • Retain high-fidelity logs long enough to detect and investigate incidents, and archive summaries to satisfy longer retention obligations.
  • Test retrieval regularly so you can produce audit trails promptly during audits or investigations.
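An audit trail is only as useful as the weakest event in it, so it pays to enforce the minimum detail at ingestion and to keep the rejects as findings rather than silently dropping them. The following Python is an added example, not code from the original article or from Accountable's product. The JSON field names, the allowed action set, and the sample log lines are constructed assumptions for illustration; they are not a standard HIPAA log format.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime

# Minimum detail every ePHI access event must carry before it is accepted
# into the audit trail (field names are assumptions for this example).
REQUIRED_FIELDS = ("user_id", "timestamp", "patient_id", "action",
                   "source_system", "outcome")
ALLOWED_ACTIONS = {"view", "create", "update", "delete", "export", "print"}

# Constructed sample lines, one JSON object per line. Lines 4-6 are
# deliberately defective: missing patient_id, unparseable timestamp, not JSON.
SAMPLE_LOG = """\
{"timestamp": "2025-01-17T08:02:11Z", "user_id": "jdoe", "patient_id": "MRN-00123", "action": "view", "source_system": "ehr", "outcome": "success"}
{"timestamp": "2025-01-17T08:05:40Z", "user_id": "jdoe", "patient_id": "MRN-00123", "action": "view", "source_system": "ehr", "outcome": "success"}
{"timestamp": "2025-01-17T09:12:03Z", "user_id": "asmith", "patient_id": "MRN-00987", "action": "export", "source_system": "ehr", "outcome": "denied"}
{"timestamp": "2025-01-17T09:30:00Z", "user_id": "asmith", "action": "view", "source_system": "pacs", "outcome": "success"}
{"timestamp": "yesterday", "user_id": "rlee", "patient_id": "MRN-00555", "action": "view", "source_system": "ehr", "outcome": "success"}
ERROR: log shipper restarted
"""


def parse_timestamp(value: str) -> datetime:
    """Accept ISO 8601 and require an explicit UTC offset so events from
    different source systems can be ordered reliably."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("timestamp lacks a UTC offset")
    return dt


def validate_event(raw: str):
    """Return (event, None) for an acceptable line or (None, reason)."""
    try:
        ev = json.loads(raw)
    except json.JSONDecodeError:
        return None, "not JSON"
    if not isinstance(ev, dict):
        return None, "not an object"
    missing = [f for f in REQUIRED_FIELDS if not ev.get(f)]
    if missing:
        return None, "missing " + ",".join(missing)
    try:
        ev["_ts"] = parse_timestamp(ev["timestamp"])
    except ValueError as exc:
        return None, f"bad timestamp ({exc})"
    if ev["action"] not in ALLOWED_ACTIONS:
        return None, f"unknown action {ev['action']!r}"
    return ev, None


def triage(text: str):
    """Split raw lines into accepted events and (line_no, reason) rejects.
    Rejects are kept, not dropped: a gap in the audit trail is itself a
    finding that must be investigated."""
    accepted, rejected = [], []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        ev, reason = validate_event(line)
        if ev is None:
            rejected.append((n, reason))
        else:
            accepted.append(ev)
    return accepted, rejected


def archive_summary(events):
    """Roll full-fidelity events up for long-term archive: how many actions
    of each type and outcome each user took per day, and how many distinct
    patients each user touched per day. Patient identifiers are counted,
    not kept, in the summary."""
    counts = Counter()
    patients = defaultdict(set)
    for ev in events:
        day = ev["_ts"].date().isoformat()
        counts[(day, ev["user_id"], ev["action"], ev["outcome"])] += 1
        patients[(day, ev["user_id"])].add(ev["patient_id"])
    return {
        "event_counts": dict(counts),
        "patients_per_user": {k: len(v) for k, v in patients.items()},
    }


if __name__ == "__main__":
    accepted, rejected = triage(SAMPLE_LOG)
    print(f"accepted {len(accepted)} events, rejected {len(rejected)} lines")
    for n, reason in rejected:
        print(f"  line {n}: {reason}")
    for key, count in archive_summary(accepted)["event_counts"].items():
        print(f"  {key} -> {count}")
```

The summary keeps who, when, what, and how many, which is enough to answer most audit questions about a user's pattern of access over years. It cannot answer "who viewed this patient's record on this date," so summaries complement the full-fidelity logs rather than replacing them; the period you keep the full logs should still be long enough to cover the investigations you realistically expect to run.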

Conclusion

The safest baseline is simple: keep required HIPAA compliance documentation for six years from creation or last effective date, and follow longer periods when state law or other rules apply. Pair disciplined retention schedules with strong administrative safeguards, secure disposal, and complete audit trails to demonstrate continuous, defensible compliance.

FAQs

How long must covered entities retain HIPAA compliance documentation?

At least six years from the date each document was created or the date it last was in effect, whichever is later. Apply this to policies, procedures, training records, risk assessments, breach files, BAAs, and other required documents.

What retention period applies to business associate agreements?

Retain business associate agreements (BAAs)—including amendments and termination notices—for six years from the date the agreement last was in effect. Keep supporting due diligence and destruction attestations with the same file.

Do state laws override HIPAA retention requirements?

If state law or another governing rule requires a longer retention period for certain records (such as medical records), follow the longer requirement. Use HIPAA’s six-year rule as a floor for HIPAA compliance documentation, not a ceiling.

How should PHI be disposed of to remain compliant?

Use methods that render PHI unreadable and indecipherable. Shred or pulverize paper; securely wipe, sanitize, or physically destroy electronic media. Control the process with documented procedures, chain of custody, and certificates of destruction when using vendors.
