HIPAA Record-Keeping Requirements: What to Keep, How Long, and Compliance Checklist
Documentation Retention Period
HIPAA requires you to retain required compliance documentation for a minimum of six years. The six-year clock runs from the date each document was created or the date it last was in effect, whichever is later. Keep superseded versions to demonstrate your change history and decision-making over time.
HIPAA’s six-year rule applies to compliance documentation, not to clinical or billing records themselves. Medical record retention is set by state law and other programs (for example, payer and accreditation rules). Build a written retention schedule that adopts the longest applicable requirement, and apply legal holds whenever litigation, investigations, or audits are reasonably anticipated.
Recommended retention timeline at a glance
- Policies and Procedures Documentation, privacy notices, acknowledgments, sanctions records, complaint logs: retain at least six years after last effective date.
- Security Risk Assessments, risk registers, and risk management plans: retain at least six years.
- HIPAA Training Records (curricula, completion logs, attestations, sanctions): retain at least six years.
- Business Associate Agreements and amendments: retain at least six years after termination.
- Incident logs, breach risk assessments, notifications, and Corrective Action Plans: retain at least six years.
- System activity review reports and Audit Logs for PHI Access: retain according to your risk analysis; aligning with the six-year documentation minimum is a strong practice to support investigations and audits.
- Designated clinical/billing records: follow state and program-specific rules and adopt the longest requirement in your retention schedule.
Required Documentation
To demonstrate HIPAA compliance, you need complete, current, and well-organized records that show what you planned to do, what you actually did, and how you verified results. The following categories should be present, accurate, and version-controlled.
- Policies and Procedures Documentation: Privacy, security, and breach notification policies; role-based procedures; version history; approval and effective dates.
- Security Risk Assessments and risk management artifacts: System inventory, data flows, threat/vulnerability analysis, likelihood/impact scoring, risk register, prioritized remediation.
- HIPAA Training Records: Training plans, role-based curricula, completion logs, test results, acknowledgments, sanctions applied for non-compliance.
- Business Associate Agreements: Executed BAAs, amendments, due diligence evidence, termination/return or destruction attestations.
- Notices and patient rights: Notice of Privacy Practices versions and distribution method, authorizations and revocations, requests for access/restriction/amendment/confidential communications, accounting of disclosures logs.
- Technical and administrative safeguards: Access authorization records, periodic access reviews, information system activity review reports, Audit Logs for PHI Access and exception reports.
- Contingency planning: Backup plans, disaster recovery, emergency mode operations, restoration test results, RTO/RPO targets, evidence of exercises.
- Device and media controls: Asset inventories, encryption states, secure disposal certificates, chain-of-custody records.
- Facility and physical safeguards: Facility access procedures, visitor logs where applicable, maintenance and repair records for systems handling PHI.
- Incident Response documentation: Incident Reporting Requirements procedures, incident tickets, investigation notes, breach determinations, notifications, and Corrective Action Plans.
Documentation Storage and Security
Store HIPAA records so they are available, accurate, and tamper-evident for their full retention period. Apply the same discipline you use for PHI: least-privilege access, strong authentication, and continuous monitoring.
Physical records
- Use locked storage, controlled keys, and sign-in/out logs; restrict areas to authorized personnel only.
- Label boxes with retention and destruction dates; track location and custodian in an index.
Electronic records
- Use centralized repositories with role-based access, multi-factor authentication, and encryption at rest and in transit.
- Enable immutability or write-once (WORM) features for critical evidence (for example, incident logs and risk assessments).
- Back up records regularly, test restorations, and document results; plan for format migration to keep files readable long term.
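The storage guidance above asks that compliance evidence be tamper-evident and, where possible, immutable. A write-once store enforces that at the platform level; a hash chain lets you prove it at the record level, and it also shows why the chain head must live somewhere the log writer cannot reach. The following is an added example, not code from the page or from Accountable: a minimal hash-chained audit log over a few constructed PHI-access events, with a verifier that reports the first altered entry and, when given an out-of-band head hash, detects tail truncation that an unanchored chain cannot see. Field names in the sample events are assumptions.

```python
import copy
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # anchor for the first entry in the chain


def _seal(seq: int, prev_hash: str, entry: Dict) -> str:
    """Hash of (sequence number, previous hash, canonical JSON of the entry)."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(f"{seq}:{prev_hash}:".encode() + canonical).hexdigest()


def append_entry(chain: List[Dict], entry: Dict) -> str:
    """Append an audit event and return the new head hash (store it out of band)."""
    seq = len(chain)
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"seq": seq, "prev_hash": prev_hash, "entry": entry,
                  "hash": _seal(seq, prev_hash, entry)})
    return chain[-1]["hash"]


def verify_chain(chain: List[Dict],
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, index of first bad entry). With expected_head, also detect truncation."""
    prev_hash = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev_hash"] != prev_hash:
            return False, i
        if _seal(i, prev_hash, rec["entry"]) != rec["hash"]:
            return False, i
        prev_hash = rec["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return False, len(chain)  # entries removed from the tail (or an empty log)
    return True, None


# Constructed sample PHI-access events; not real log data
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T08:02:11Z", "user": "jdoe", "action": "view", "patient_ref": "MRN-TEST-001"},
    {"ts": "2025-01-10T08:05:40Z", "user": "jdoe", "action": "export", "patient_ref": "MRN-TEST-001"},
    {"ts": "2025-01-10T09:17:03Z", "user": "rsmith", "action": "view", "patient_ref": "MRN-TEST-002"},
]


def build_sample_chain() -> Tuple[List[Dict], str]:
    chain: List[Dict] = []
    head = GENESIS
    for ev in SAMPLE_EVENTS:
        head = append_entry(chain, ev)
    return chain, head


def demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    """Run the verifier over an intact, an altered, and a truncated copy of the log."""
    chain, head = build_sample_chain()
    results = {"intact": verify_chain(chain, head)}

    altered = copy.deepcopy(chain)
    altered[1]["entry"]["action"] = "view"  # the export event is rewritten after the fact
    results["altered"] = verify_chain(altered, head)

    truncated = copy.deepcopy(chain)[:-1]  # the last event is silently dropped
    results["truncated_no_anchor"] = verify_chain(truncated)
    results["truncated_with_anchor"] = verify_chain(truncated, head)
    return results


if __name__ == "__main__":
    for name, (ok, idx) in demo().items():
        print(f"{name:22s} ok={ok} first_bad_index={idx}")
```

The chain alone catches in-place edits; it does not catch a shortened log, because a shortened log is still internally consistent. That is why the head hash returned by each append belongs in a separate custodian or WORM store, and why a periodic review should compare the repository's current head against that anchor.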
Access, monitoring, and lifecycle controls
- Maintain Audit Logs for PHI Access and for compliance repositories; review exceptions on a defined cadence.
- Automate retention and destruction based on your schedule; pause destruction under a legal hold.
- Document where records live, who owns them, and how changes are approved and tracked.
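The retention rule stated at the top of the page (six years from creation or last effective date, whichever is later) and the lifecycle control above (automate destruction, pause it under legal hold) are easy to state and easy to get wrong in a scheduler. The following is an added example, not code from the page or from Accountable: a small retention engine that computes the earliest destruction date per record, treats a document still in effect as having no clock started, lets a legal hold override the schedule, and builds the clinical-record period by adopting the longest applicable rule. The category names, the seven- and ten-year state and payer figures, and the record identifiers are constructed for illustration; only the six-year HIPAA documentation minimum comes from the page.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Tuple

HIPAA_DOC_MIN_YEARS = 6  # minimum the page states for HIPAA compliance documentation


@dataclass
class Record:
    record_id: str
    category: str                          # schedule key, e.g. "policy", "baa", "clinical"
    created: date
    last_effective: Optional[date] = None  # superseded/terminated date; None means still in effect
    legal_hold: bool = False


# Constructed schedule: every HIPAA documentation category uses the six-year minimum.
SCHEDULE_YEARS: Dict[str, int] = {
    "policy": HIPAA_DOC_MIN_YEARS,
    "risk_assessment": HIPAA_DOC_MIN_YEARS,
    "training": HIPAA_DOC_MIN_YEARS,
    "baa": HIPAA_DOC_MIN_YEARS,
    "incident": HIPAA_DOC_MIN_YEARS,
    "audit_log": HIPAA_DOC_MIN_YEARS,
}


def longest_rule(requirements: Dict[str, int]) -> int:
    """Adopt the longest applicable requirement (state law, payer, accreditation)."""
    if not requirements:
        raise ValueError("no retention requirement mapped; refuse to schedule destruction")
    return max(requirements.values())


def build_schedule(clinical_rules: Dict[str, int]) -> Dict[str, int]:
    """Extend the documentation schedule with a clinical period derived from external rules."""
    return dict(SCHEDULE_YEARS, clinical=longest_rule(clinical_rules))


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; Feb 29 rolls to Feb 28 in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_clock_start(rec: Record) -> Optional[date]:
    """Later of creation and last-effective date; a document still in effect has no start."""
    if rec.last_effective is None:
        return None
    return max(rec.created, rec.last_effective)


def destroy_not_before(rec: Record, schedule: Dict[str, int] = SCHEDULE_YEARS) -> Optional[date]:
    start = retention_clock_start(rec)
    if start is None:
        return None
    if rec.category not in schedule:
        raise KeyError(f"no retention period for category {rec.category!r}")
    return add_years(start, schedule[rec.category])


def destruction_decision(rec: Record, today: date,
                         schedule: Dict[str, int] = SCHEDULE_YEARS) -> Tuple[bool, str]:
    """Return (eligible, reason). A legal hold always wins over the schedule."""
    if rec.legal_hold:
        return False, "legal hold: destruction paused"
    earliest = destroy_not_before(rec, schedule)
    if earliest is None:
        return False, "still in effect: retention clock not started"
    if today < earliest:
        return False, f"retain until {earliest.isoformat()}"
    return True, f"eligible since {earliest.isoformat()}"


if __name__ == "__main__":
    # Constructed records and a constructed set of external clinical rules
    schedule = build_schedule({"state_law": 7, "payer_contract": 10})
    today = date(2025, 1, 10)
    records = [
        Record("POL-1", "policy", date(2017, 3, 1), date(2018, 6, 15)),
        Record("BAA-1", "baa", date(2019, 1, 1), date(2020, 1, 1), legal_hold=True),
        Record("RA-1", "risk_assessment", date(2024, 2, 29)),
        Record("CHART-1", "clinical", date(2012, 5, 1), date(2012, 5, 1)),
    ]
    for rec in records:
        ok, why = destruction_decision(rec, today, schedule)
        print(f"{rec.record_id:8s} {rec.category:16s} eligible={ok} ({why})")
```

Two design choices carry the compliance point: an unmapped category raises instead of defaulting to some period, so nothing is destroyed because a mapping was forgotten, and the hold check runs before any date arithmetic, so a record under hold is never reported as eligible regardless of its age.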
Business Associate Agreements
BAAs define how vendors handle PHI and what safeguards they must maintain. Treat Business Associate Agreement Compliance as an ongoing oversight program—not a one-time contract signature.
What every BAA should capture
- Permitted uses/disclosures and the minimum necessary standard.
- Required safeguards, incident reporting timelines, and cooperation during investigations.
- Subcontractor flow-down obligations and right-to-audit or assurance mechanisms.
- Termination rights and return/destruction of PHI at contract end.
Ongoing oversight
- Maintain a current vendor inventory, risk tiering, and due diligence evidence (for example, security questionnaires, attestations).
- Track BAA versions, amendments, and termination/transition records for at least six years after termination.
Incident Response and Documentation
Define clear Incident Reporting Requirements so your workforce knows how to recognize, escalate, and document security incidents and potential breaches. Your plan should specify roles, timelines, containment steps, and criteria for breach determination and notification.
What to document for each event
- Discovery details, affected systems/data, and immediate containment actions.
- Audit evidence collected (for example, logs, alerts, forensics), investigation findings, and breach risk assessment.
- Decision rationale, notifications sent, remediation steps, and Corrective Action Plans with owners and deadlines.
- Lessons learned and control improvements to prevent recurrence.
Retain incident and breach documentation for at least six years to demonstrate due diligence, regulatory response, and organizational learning.
Training and Awareness
Provide role-based training at hire, when duties change, and periodically thereafter. Keep HIPAA Training Records that show who was trained, on what content, when, and how proficiency was measured.
Making training effective—and provable
- Link modules directly to your policies and high-risk workflows (for example, remote work, telehealth, device use).
- Record sign-offs, test scores, reminders, and any sanctions for non-compliance.
- Augment formal training with ongoing awareness such as phishing simulations and just-in-time tips; keep evidence of campaigns and outcomes.
Risk Assessment and Management
Perform Security Risk Assessments on a defined cadence and whenever technology, vendors, facilities, or regulations change. Convert findings into prioritized remediation actions, track them to completion, and verify effectiveness.
Risk management artifacts to maintain
- Current asset and data-flow inventories tied to responsible owners.
- Risk register with scoring, planned safeguards, budget/effort, and target dates.
- Evidence of implemented controls, validation results, and residual risk acceptance where applicable.
Compliance Checklist
- Publish and maintain Policies and Procedures Documentation; capture approvals and version history.
- Complete Security Risk Assessments regularly and update the risk register and remediation plans.
- Establish Business Associate Agreement Compliance: executed BAAs, vendor inventory, due diligence, and periodic reviews.
- Define and practice Incident Reporting Requirements; log incidents, breach analyses, notifications, and Corrective Action Plans.
- Maintain HIPAA Training Records: curricula, attendance, assessments, and sanctions.
- Enable and review Audit Logs for PHI Access and compliance repositories; investigate and document exceptions.
- Apply a written retention schedule: keep required HIPAA documentation for at least six years; adopt the longest rule for clinical/billing records.
- Secure storage: role-based access, MFA, encryption, backups, immutability for critical evidence, and tested restorations.
- Document legal holds and pause destruction when audits, investigations, or litigation are anticipated.
FAQs
What records must be kept to comply with HIPAA?
You must retain compliance documentation that proves your privacy, security, and breach notification programs work in practice. This includes policies and procedures, Security Risk Assessments and risk management plans, HIPAA Training Records, sanctions, complaints and their resolutions, notices and authorizations, accounting of disclosures, Business Associate Agreements, incident and breach documentation, contingency plans and test results, access reviews, and Audit Logs for PHI Access or their reviewed summaries.
How long must HIPAA documentation be retained?
Keep required HIPAA compliance documentation for at least six years from the date it was created or the date it last was in effect, whichever is later. For medical and billing records, follow state and program-specific rules and adopt the longest applicable retention period in your schedule.
What security measures are required for storing HIPAA records?
Protect records with role-based access, multi-factor authentication, and encryption at rest and in transit. Maintain monitored repositories with audit logging, version control, and immutability for critical evidence. Back up routinely, test restorations, document legal holds, and securely destroy records when retention ends.
How often should Business Associate Agreements be reviewed?
Review BAAs on a defined cadence—commonly annually or during contract renewal—and whenever there are material changes (such as new services, subcontractors, incidents, or regulatory updates). Track versions and amendments, retain them for at least six years after termination, and document oversight activities to demonstrate Business Associate Agreement Compliance.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.