HIPAA Violations and Records: Retention, Sanctions, and Reporting Requirements


Kevin Henry

HIPAA

September 27, 2024

6 minutes read

Record Retention Requirements

What HIPAA requires you to retain

HIPAA requires you to keep required documentation—policies and procedures, workforce training records, sanction actions, risk analyses and risk management plans, breach assessments and notices, complaint investigations, and business associate agreements—for at least six years from the date of creation or the date last in effect, whichever is later. Treat these materials as part of your Protected Health Information Retention program because they prove how you comply, not just what you say.

What HIPAA does not dictate

HIPAA does not set a universal medical record retention period for patient charts. Those timelines come from State-Specific Retention Laws and other regulators (for example, Medicare conditions of participation or accrediting bodies). In practice, you retain patient records for the longest applicable requirement across federal, state, payer, and contractual rules.

Practical retention schedule tips

  • Adopt a written retention schedule that separates compliance documentation (minimum six years) from clinical record retention (state-driven).
  • Track trigger dates—creation, last effective date, last encounter, and, for minors, age-of-majority rules—so you can calculate the proper hold period.
  • Apply litigation holds to suspend destruction when a dispute, audit, or investigation is reasonably anticipated.
  • Inventory where PHI lives (EHR, imaging, emails, backups) to ensure consistent Protected Health Information Retention across all systems.
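The hold-period rules above (six years from creation or last-in-effect date, whichever is later; the longest applicable clinical period; age-of-majority handling for minors; litigation holds that suspend destruction) as a small retention calculator. This is an added example, not code from the article or from Accountable; the retention rule values are hypothetical placeholders, not any real state's law.

```python
from datetime import date

SIX_YEARS = 6  # HIPAA minimum for compliance documentation, as the article states

def add_years(d, years):
    """Add calendar years; a Feb 29 anchor falls back to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def compliance_doc_destroy_after(created, last_in_effect=None):
    """Six years from creation or from the last-in-effect date, whichever is later."""
    anchor = max(created, last_in_effect or created)
    return add_years(anchor, SIX_YEARS)

def clinical_record_destroy_after(last_encounter, patient_dob, rules):
    """Longest retention across several hypothetical authorities.
    Each rule: adult_years after last encounter; for patients who were minors at the
    last encounter, also minor_years_after_majority counted from majority_age."""
    candidates = []
    for r in rules:
        adult_end = add_years(last_encounter, r["adult_years"])
        majority = add_years(patient_dob, r["majority_age"])
        if last_encounter < majority:  # minor at the time of the last encounter
            minor_end = add_years(majority, r["minor_years_after_majority"])
            candidates.append(max(adult_end, minor_end))
        else:
            candidates.append(adult_end)
    return max(candidates)

def eligible_for_destruction(destroy_after, today, litigation_hold=False):
    """A litigation hold suspends destruction regardless of the schedule."""
    return not litigation_hold and today >= destroy_after
```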

Sanction Policies for Non-Compliance

Core elements of Workforce Sanction Policies

Your sanction policy should define prohibited behaviors, differentiate negligent from willful acts, map violations to progressive discipline, and prohibit retaliation for good-faith reporting. Make responsibilities clear for managers, HR, privacy, and security leaders so enforcement is consistent and defensible.

Applying sanctions consistently

  • Use a severity matrix (e.g., curiosity viewing vs. snooping for profit) to set fair outcomes from coaching to termination.
  • Document each step—facts, Electronic PHI Audit Logs reviewed, findings, corrective actions, and employee acknowledgment—and retain these records for at least six years.
  • Pair sanctions with targeted re-training and technical controls (minimum necessary, break-the-glass, role-based access) to prevent recurrence.

Reporting Violation Procedures

Immediate response and assessment

On discovery, contain the incident, preserve evidence, and document who, what, when, where, and how. Perform the four-factor risk assessment to decide if the incident is a breach of unsecured PHI: the data’s nature and sensitivity, the unauthorized recipient, whether the PHI was actually acquired or viewed, and the extent of mitigation.

HHS Violation Reporting and notifications

  • Individuals: Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery, using plain language and required content.
  • HHS: Report breaches to the Secretary. If 500+ individuals in a state or jurisdiction are affected, report to HHS and prominent media without unreasonable delay and within 60 days. For fewer than 500, log and submit to HHS annually.
  • Business associates: Require prompt notice to the covered entity, with the identities of affected individuals and other needed details.
  • States: Some states impose shorter timelines or additional content; follow the most stringent rule applicable.

Closeout

Complete root-cause analysis, corrective actions, and leadership briefing. Update policies, retrain, and record decisions and timelines. Keep all investigation files, assessments, and notices as part of your compliance record set.

Penalties for HIPAA Violations

Civil enforcement

OCR can impose tiered civil monetary penalties per violation, with higher tiers for reasonable cause, willful neglect corrected, and willful neglect not corrected. Caps and amounts are adjusted periodically for inflation. Expect corrective action plans, monitoring, and reporting obligations alongside monetary penalties.

Criminal enforcement

Civil and Criminal HIPAA Penalties also apply to knowing misuse of PHI. Penalties escalate for offenses under false pretenses and for personal gain, commercial advantage, or malicious harm, potentially including significant fines and imprisonment. Workforce members and business associates may face personal criminal liability.

Factors that influence outcomes

  • Nature and volume of PHI, duration of exposure, and patient harm.
  • Prior violations, cooperation with investigators, and corrective action speed.
  • Effectiveness of your compliance program, from training to technical safeguards.

Disposal of Protected Health Information

PHI Disposal Procedures

Destruction must render PHI unreadable, indecipherable, and incapable of reconstruction. For paper, use cross-cut shredding, pulping, pulverizing, or incineration. For media and devices, apply NIST SP 800-88–style sanitization: clearing, purging (e.g., cryptographic erase), or physical destruction.

Operational controls

  • Use locked consoles for collection and vetted vendors with chain-of-custody and certificates of destruction.
  • Document what was destroyed, method, date, quantity, and responsible parties; retain these records per your schedule.
  • Disable, wipe, and verify before device redeployment; retire encryption keys when systems are decommissioned.

Audit Logs Retention

Electronic PHI Audit Logs you should capture

Maintain logs for user access, EHR events, authentication, privilege changes, administrative actions, and system security events. Tie logs to user identity, timestamps, source device, action taken, and success or failure codes for reliable investigations.

How long to retain

HIPAA requires audit controls but not a specific log retention period. Many organizations keep Electronic PHI Audit Logs for at least six years to align with HIPAA documentation retention and to support investigations, eDiscovery, and regulatory inquiries.

Good practices

  • Centralize logs in a tamper-evident repository (e.g., WORM storage) with time synchronization.
  • Automate alerts for anomalous access, failed logins, and mass export events.
  • Test that logs are complete, reviewable, and recoverable during incident response exercises.
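The three alert types named above (failed-login bursts, mass export events, and anomalous record access) as detection rules run over constructed EHR audit log lines carrying the fields the article lists: user identity, timestamp, source device, action, and result. This is an added example, not code from the article or from Accountable; the log format, the 07:00-19:00 working window, and the thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample audit lines (not real data): timestamp|user|device|action|patient|result
SAMPLE_LOG = """\
2024-09-27T08:01:10Z|jdoe|ws-12|LOGIN|-|FAIL
2024-09-27T08:01:15Z|jdoe|ws-12|LOGIN|-|FAIL
2024-09-27T08:01:21Z|jdoe|ws-12|LOGIN|-|FAIL
2024-09-27T08:01:27Z|jdoe|ws-12|LOGIN|-|FAIL
2024-09-27T08:01:33Z|jdoe|ws-12|LOGIN|-|FAIL
2024-09-27T08:02:00Z|jdoe|ws-12|LOGIN|-|OK
2024-09-27T08:10:00Z|nurse1|ws-03|VIEW_RECORD|P1001|OK
2024-09-27T09:00:00Z|asmith|ws-07|EXPORT|P2001|OK
2024-09-27T09:02:00Z|asmith|ws-07|EXPORT|P2002|OK
2024-09-27T09:04:00Z|asmith|ws-07|EXPORT|P2003|OK
2024-09-27T10:00:00Z|drlee|ws-05|VIEW_RECORD|P3001|OK
2024-09-27T23:15:00Z|nurse1|ws-03|VIEW_RECORD|P1002|OK
"""

def parse(text):
    """Split pipe-delimited lines into event dicts, sorted by timestamp."""
    fields = ("ts", "user", "device", "action", "patient", "result")
    events = [dict(zip(fields, line.split("|"))) for line in text.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])

def users_over_threshold(events, match, window, threshold):
    """Users with at least `threshold` matching events inside any sliding `window`."""
    hits, recent = set(), defaultdict(deque)
    for e in (e for e in events if match(e)):
        q = recent[e["user"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            hits.add(e["user"])
    return hits

def failed_login_bursts(events):  # assumed threshold: 5 failures within 5 minutes
    return users_over_threshold(events, lambda e: e["action"] == "LOGIN" and e["result"] == "FAIL",
                                timedelta(minutes=5), 5)
def mass_exports(events):  # assumed threshold: 3 successful exports within 10 minutes
    return users_over_threshold(events, lambda e: e["action"] == "EXPORT" and e["result"] == "OK",
                                timedelta(minutes=10), 3)
def off_hours_access(events, start=7, end=19):  # record views outside the assumed shift window
    return {e["user"] for e in events if e["action"] == "VIEW_RECORD" and not start <= e["ts"].hour < end}

def run_detections(text):
    ev = parse(text)
    return {"failed_login_burst": sorted(failed_login_bursts(ev)),
            "mass_export": sorted(mass_exports(ev)),
            "off_hours_access": sorted(off_hours_access(ev))}
```

Each flagged user becomes a review item; the matching log lines are the evidence the sanction record and breach assessment described earlier should cite.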

Compliance with State Laws and Regulations

Preemption and “more stringent” rule

HIPAA sets a federal floor. When State-Specific Retention Laws or privacy rules are more protective—shorter access timelines, longer retention, or tighter disclosure limits—they control. Build your program to meet HIPAA and any stricter state requirements.

Implementing a harmonized approach

  • Maintain a legal matrix of retention periods by record type and state; review at least annually.
  • Default to the longest applicable retention for clinical records and the six-year minimum for HIPAA compliance documentation.
  • Embed requirements into contracts with business associates and into EHR data lifecycle settings.
  • Train the workforce on state-specific nuances that affect access, amendments, and disclosures.

Conclusion

Build a defensible program by pairing clear retention rules, fair sanctions, timely reporting, disciplined PHI Disposal Procedures, and robust audit logging. Calibrate everything to the strictest applicable federal and state standards, and document each step so you can prove compliance when it matters most.

FAQs

How long do HIPAA violations remain on a record?

Keep records of violations, investigations, and sanctions for at least six years from creation or last effective date. If state law, contracts, or litigation holds require longer, retain them for the longest applicable period.

What are the consequences of failing to report a HIPAA violation?

Missing required notifications can convert a manageable incident into a reportable breach, trigger higher civil penalties, and lead to corrective action plans, audits, and reputational harm. Workforce members may also face disciplinary action under your sanction policy.

Can state laws affect HIPAA record retention requirements?

Yes. HIPAA sets the minimum for compliance documentation, but medical record retention is largely governed by state law. You should follow the most stringent rule by adopting the longer of HIPAA or state retention periods for each record type.
