How Long HIPAA Violations Remain on Records: Employer and OCR Guidance
HIPAA Documentation Retention Requirements
Under HIPAA, you must retain required compliance documentation for at least six years (45 CFR 164.316(b)(2) for Security Rule documentation and 45 CFR 164.530(j) for Privacy Rule documentation). This retention window applies to covered entities and business associates and runs from the date a document was created or the date it last was in effect, whichever is later. A policy written in 2015 and retired in 2023 must therefore be kept until at least 2029, not 2021.
The six‑year requirement encompasses privacy rule compliance and security program materials tied to electronic protected health information. Maintain, at minimum:
- Policies and procedures, prior versions, and evidence of workforce acknowledgement.
- Risk analyses, risk management plans, and evaluations of administrative safeguards.
- Notices of Privacy Practices, authorizations, accounting of disclosures, and complaint/grievance records and their disposition.
- Sanction decisions for HIPAA violations, investigations, corrective actions, and incident response documentation.
- Business associate agreements and due‑diligence records.
- Breach risk assessments, notification copies, mailing evidence, and OCR submission confirmations.
- Device/media sanitization and disposal logs related to ePHI.
Treat the six‑year rule as your baseline. If other obligations require longer retention, adopt the longer period for the affected records.
State Law Versus HIPAA Standards
HIPAA sets a national floor. When a state law is more stringent—such as requiring longer retention of patient records or offering stronger privacy protections—you must follow the stricter state standard. In practice, you will maintain HIPAA compliance records for six years and retain medical records according to the longest applicable state or program rule.
Create a single retention schedule that maps each record type to the controlling requirement. This simplifies day‑to‑day operations and helps you demonstrate consistent, defensible compliance during audits or investigations.
Breach Notification and Recordkeeping
Document every security or privacy incident involving ePHI, including those you determine are not reportable breaches. Keep the risk assessment, the rationale for your determination, and all mitigation steps for no less than six years.
For reportable breaches, retain copies of individual notices, substitute notices, media statements (if required), and submissions to regulators. Remember the timing rules: notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery, where discovery is the first day the breach is known, or reasonably should have been known, to anyone in your workforce other than the person who caused it. For breaches affecting fewer than 500 individuals, record each one in a log and submit it to HHS within 60 days after the end of the calendar year in which it was discovered. For 500 or more, notify HHS within the same 60‑day window as individual notice and, when more than 500 residents of a single state or jurisdiction are affected, notify prominent media outlets serving that area.
Your business associates must notify you of breaches without unreasonable delay and no later than 60 calendar days after their discovery; the business associate agreement may, and often does, require a shorter window. Preserve those notifications and downstream correspondence alongside your own breach notification records, since the 60‑day clock for your own notices runs from the business associate's discovery when it acts as your agent.
Employee Training Record Retention
Workforce training is central to privacy rule compliance. Keep training curricula, sign‑in sheets or LMS completions, attestations, quizzes, and refresher schedules for at least six years from the date each item was last in effect. This includes role‑based training for new systems and policy updates.
When a workforce member violates HIPAA, maintain the investigation file, sanction decision, and remediation proof for six years. These records may also live in HR personnel files; align your HR retention schedule so you meet HIPAA’s minimum while observing employment law requirements.
Document and retain privacy complaints and grievance records—even if no violation is found—and your written disposition. OCR can request these during an inquiry or audit.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Audit Log Retention Recommendations
HIPAA’s Security Rule requires audit controls (45 CFR 164.312(b)) and regular review of activity records, but it does not prescribe an exact log retention period. A practical approach is to retain high‑value ePHI access logs and security event logs for at least six years so that the logs match the six‑year documentation baseline, and to place any logs tied to an open complaint, investigation, or litigation under legal hold regardless of age.
Operationally, many organizations keep 12–24 months of logs in searchable “hot” storage for investigations and monitoring, then archive the remainder to immutable, cost‑efficient storage to complete a six‑year lifecycle. Include EHR access logs, authentication logs, administrator activity, endpoint and network security events, and disclosure logs.
Protect log integrity with write‑once or versioned storage, time synchronization, and documented chain‑of‑custody. Your business associates should follow equivalent log retention and integrity controls.
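The integrity and lifecycle controls described above, as an added example that is not part of the original article: a hash‑chained ePHI audit log in Python that links each record to the previous one with SHA‑256, detects an edited record, and classifies records into the hot, archive, and dispose tiers discussed in this section. The event fields, the 12‑month hot window, and the sample EHR access events are constructed assumptions; hash chaining is used here as an integrity check that complements, rather than replaces, the write‑once or versioned storage the text recommends.

```python
"""Tamper-evident ePHI audit log with lifecycle tiering.

Added example, not code from the original article. It assumes a simple
JSON-serialisable event record and a SHA-256 hash chain over the records;
the 12-month hot window and the sample events below are constructed for
illustration.
"""
import hashlib
import json
from datetime import datetime, timedelta

GENESIS_HASH = "0" * 64                   # chain anchor for the first record
HOT_WINDOW = timedelta(days=365)          # assumption: 12 months in searchable storage
RETENTION = timedelta(days=6 * 365 + 2)   # six calendar years, leap days included

# Constructed sample EHR access events (not real data).
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:15:00+00:00", "user": "nurse.a", "action": "view",
     "patient": "MRN-0001", "src_ip": "10.0.5.12"},
    {"ts": "2024-03-01T09:20:00+00:00", "user": "dr.b", "action": "export",
     "patient": "MRN-0001", "src_ip": "10.0.5.40"},
    {"ts": "2024-03-02T14:02:00+00:00", "user": "admin.c", "action": "role_grant",
     "target": "nurse.a", "src_ip": "10.0.9.3"},
]


def _record_hash(prev_hash: str, event: dict) -> str:
    """Hash the previous link plus a canonical (sorted, compact) JSON form."""
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append_event(log: list, event: dict) -> dict:
    """Append an event, linking it to the previous record's hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS_HASH
    record = {"event": event, "prev_hash": prev_hash,
              "hash": _record_hash(prev_hash, event)}
    log.append(record)
    return record


def verify_chain(log: list) -> tuple:
    """Return (True, -1) if intact, else (False, index of first bad record)."""
    prev_hash = GENESIS_HASH
    for i, rec in enumerate(log):
        if rec["prev_hash"] != prev_hash:
            return False, i
        if rec["hash"] != _record_hash(prev_hash, rec["event"]):
            return False, i
        prev_hash = rec["hash"]
    return True, -1


def build_sample_log() -> list:
    """Build a chained log from the constructed sample events."""
    log = []
    for event in SAMPLE_EVENTS:
        append_event(log, event)
    return log


def tampered_copy(log: list, index: int, field: str, value, rehash: bool = False) -> list:
    """Deep-copy the log and alter one event field.

    With rehash=True the attacker also recomputes that record's own hash,
    which moves the detectable break to the following record.
    """
    copy = json.loads(json.dumps(log))
    copy[index]["event"][field] = value
    if rehash:
        copy[index]["hash"] = _record_hash(copy[index]["prev_hash"], copy[index]["event"])
    return copy


def lifecycle_tier(event_ts: str, now_ts: str, legal_hold: bool = False) -> str:
    """Classify a record by age (ISO-8601 timestamps): hold, hot, archive, or dispose."""
    if legal_hold:
        return "hold"
    age = datetime.fromisoformat(now_ts) - datetime.fromisoformat(event_ts)
    if age <= HOT_WINDOW:
        return "hot"
    if age <= RETENTION:
        return "archive"
    return "dispose"


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log))
    print("edited record 1:", verify_chain(tampered_copy(log, 1, "user", "nurse.a")))
    print("edited and rehashed record 1:", verify_chain(tampered_copy(log, 1, "user", "nurse.a", rehash=True)))
    for rec in log:
        print(rec["event"]["ts"], lifecycle_tier(rec["event"]["ts"], "2031-01-01T00:00:00+00:00"))
```

Editing a record without recomputing its hash is caught at that index; recomputing the hash of an edited record pushes the break to the next record's prev_hash, so the final record can be rewritten or the tail truncated without the chain noticing. Anchor the latest hash outside the log (in write‑once storage, a signed daily digest, or the ticket that closes each review) so tail edits and truncation are detectable, and keep clocks synchronised, since the timestamps that drive tiering and any chain‑of‑custody statement are only as trustworthy as the clock that produced them.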
Medical Record Retention Periods
HIPAA does not set a nationwide medical record retention period. States do, and many require adult patient records to be kept 7–10 years, with longer timelines for minors (often until the age of majority plus several years). Specialty care rules, malpractice statutes of limitation, Medicare and Medicaid participation conditions, and payer contracts can extend these timeframes.
Keep HIPAA compliance documentation distinct from the clinical record itself. For example, you may retain the designated record set per state rules while separately keeping authorizations, accounting of disclosures, and policy versions for at least six years.
Proper Disposal of HIPAA Records
When retention periods end and no legal hold applies, you must dispose of HIPAA records securely. For paper, use methods that render PHI unreadable and irretrievable (e.g., cross‑cut shredding, pulping, pulverizing). For electronic media, follow NIST SP 800‑88 sanitization guidance: secure wiping, cryptographic erasure, degaussing, or physical destruction. Match the method to the media, since degaussing works only on magnetic media and does nothing to solid‑state drives, where cryptographic erase or physical destruction is required; verify that no ePHI remains on drives, removable media, or cloud snapshots before releasing the media.
If you use a disposal vendor, execute a business associate agreement, require strict chain‑of‑custody, and obtain a certificate of destruction. Keep destruction logs for at least six years. Apply the same rigor to backups, replicas, and archives so PHI is not inadvertently retained beyond policy.
Conclusion
In practice, retain HIPAA compliance records—including violation, complaint, training, and breach documentation—for at least six years, align medical record retention to the most stringent state or program rule, preserve meaningful audit logs for the full compliance lifecycle, and dispose of records using secure, documented methods. This unified approach satisfies OCR expectations and gives employers a defensible, efficient retention program.
FAQs
How long must HIPAA violation records be retained?
Keep HIPAA violation records—investigations, sanctions, corrective actions, and related correspondence—for at least six years from creation or the date last in effect. If other laws or policies require longer retention, follow the longer period.
Does a HIPAA violation affect employee records permanently?
No. A violation results in disciplinary documentation that must be retained at least six years to meet HIPAA requirements, but it is not automatically permanent. Your HR retention schedule and applicable employment laws determine whether records are purged or retained longer.
What are the state law requirements for HIPAA documentation retention?
State laws primarily govern medical record retention and, in some cases, consent and privacy documentation. HIPAA documentation has a federal six‑year minimum, but if a state or program imposes a longer period for related records, use the longer timeline.
How can covered entities properly dispose of HIPAA records?
Use destruction methods that make PHI unreadable and irretrievable: cross‑cut shredding or pulping for paper; secure wiping, cryptographic erasure, degaussing, or physical destruction for electronic media. If using a vendor, have a business associate agreement, preserve chain‑of‑custody, and keep certificates and disposal logs for six years.