How to Stay HIPAA Compliant When Closing a Healthcare Practice


Kevin Henry

HIPAA

March 11, 2026

7 minutes read
Patient Notification Requirements

When you plan to close a healthcare practice, your first priority is clear, timely communication with patients under Federal and State Notification Requirements. HIPAA focuses on Protected Health Information Safeguards, while many states dictate exactly how and when to notify patients about a closure.

What to include in your notice

  • Closure date and last day for appointments, plus emergency coverage details until that date.
  • Instructions for obtaining or transferring records, including how to submit requests and expected timelines.
  • Options for continuity of care (e.g., referral resources) without steering patients to a specific provider unless asked.
  • Designation and contact information for the custodian of records after closure.

How and when to notify

Send individual notices to active patients as early as practicable—commonly 30–90 days before the closure—using first-class mail and, where appropriate, secure portal messages or email. Post signage in the office, update voicemail and your website, and, if State Record Retention Laws or boards require, publish a community notice.

Preventing unauthorized disclosures

Apply Unauthorized Disclosure Prevention at every step. Verify addresses, avoid postcards, redact sensitive data from notices, and authenticate patient identity before discussing PHI. Keep a log of all outreach efforts and retain proof for at least six years as part of your HIPAA documentation.

Record Retention Policies

HIPAA does not set a universal medical record retention period; instead, you must follow State Record Retention Laws and applicable payer, accreditation, and specialty rules. HIPAA does require you to retain HIPAA-related policies, procedures, and documentation for six years from the date of creation or the date the document was last in effect, whichever is later.

Setting your practice’s retention schedule

  • Adults: commonly 7–10 years from the last encounter, per state rules.
  • Minors: often until the age of majority plus an additional period (e.g., 2–10 years), depending on your state.
  • Medicare/Medicaid and certain payer contracts: longer periods may apply (often up to 10 years).
  • Special categories (imaging, oncology, occupational medicine): check specialty and state requirements that can exceed general rules.

Designate a custodian of records to handle requests after closure. Document the location of records, retrieval procedures, and fees consistent with HIPAA’s reasonable, cost-based limits. Maintain litigation holds to pause destruction if a claim or investigation is likely.

Secure Record Transfer Procedures

Before transferring any PHI, confirm the requester’s identity and authority. For disclosures to the patient, the minimum necessary standard does not apply; for most other disclosures, use minimum necessary. Obtain valid authorizations when required and honor revocations promptly.

Transfer methods that protect Health Information Security

  • Patient access: patient portal downloads, encrypted email, or secure mail with tracking; provide passwords separately.
  • Provider-to-provider: secure messaging, SFTP, or encrypted media with chain-of-custody logs and receipt confirmation.
  • Paper charts: tamper-evident packaging, signature-required courier service, and documented chain of custody.

Record each disclosure, including what was sent, to whom, when, and by which method. Use Business Associate Agreements for any vendor facilitating the transfer, and audit their safeguards to ensure ongoing Unauthorized Disclosure Prevention.

Meet HIPAA timelines by fulfilling patient access requests within 30 days (with one 30-day extension when necessary) and communicating clearly about status, format, and any permitted fees.

HIPAA-Compliant Record Storage

Choose storage options that maintain Health Information Security for the full retention period. You may store records onsite, offsite, or in a vetted cloud environment—each must implement Protected Health Information Safeguards and be governed by appropriate Business Associate Agreements.

Core storage controls

  • Access controls: role-based permissions, unique user IDs, and multi-factor authentication.
  • Encryption: strong encryption in transit and at rest, with secure key management.
  • Physical security: locked, access-controlled rooms; environmental protection; visitor logs.
  • Resilience: backups, disaster recovery, and periodic restoration testing until retention ends.
  • Accountability: audit logs, periodic risk analyses, and vendor oversight with documented remediation plans.

Index and label records to enable timely retrieval. Keep clear procedures for responding to patient requests after closure, including who responds, how identity is verified, and expected turnaround times.

Secure Disposal of Medical Records

Dispose of PHI only when the retention period and any legal holds have fully lapsed. Your disposal process must ensure the information is unreadable, indecipherable, and cannot be reconstructed.

Approved destruction methods

  • Paper: cross-cut shredding, pulping, or incineration under supervision.
  • Electronic media: secure wipe, cryptographic erasure, degaussing, or physical destruction aligned with industry-standard media sanitization guidelines.

Document the destruction event (date, method, media, and personnel) and obtain certificates of destruction from vendors. Use Business Associate Agreements with any shredding or recycling vendor and verify their controls to maintain Unauthorized Disclosure Prevention.

Staff Communication and Training

Announce the closure plan early, assign an incident response lead, and define roles for privacy, security, and operations. Provide focused refresher training on PHI handling, patient communications, and final-day procedures.

Operational checklists for the team

  • Standardize scripts for patient calls and record requests; verify identity before releasing PHI.
  • Terminate system access in phases, remove orphaned accounts, and remotely wipe authorized devices at closing.
  • Collect keys, badges, and stored media; secure all charts and export logs from EHRs.
  • Track attendance for training and apply your sanction policy for noncompliance.

Maintain a post-closure contact method (record custodian phone or portal) so patients can continue to exercise their HIPAA rights without interruption.

Regulatory and Insurance Compliance

Beyond patients and staff, notify professional boards, payers, and programs according to Federal and State Notification Requirements. Update or terminate Business Associate Agreements, ensuring PHI is returned or destroyed per contract.

Critical closures and confirmations

  • Licensure and enrollment: inform state boards, Medicare/Medicaid, and commercial payers of your termination dates.
  • DEA and prescribing: follow federal and state rules for closing or transferring registrations and secure storage of related records.
  • Insurance: secure Tail Liability Insurance for claims-made malpractice policies, confirm retroactive dates, and retain proof of coverage.
  • Financial and compliance records: preserve HIPAA documentation, payer contracts, and destruction logs for required periods.

Conclusion

Closing a healthcare practice demands meticulous planning around Protected Health Information Safeguards, patient access, and vendor oversight. By aligning notices, retention, transfer, storage, destruction, training, and insurance with HIPAA and State Record Retention Laws, you protect patients, fulfill legal duties, and minimize post-closure risk.

FAQs

What are the patient notification requirements before closing a healthcare practice?

Provide advance written notice—commonly 30–90 days—explaining the closure date, how to obtain or transfer records, and who the custodian will be. Use first-class mail plus secure digital channels when appropriate, post signage, and follow any Federal and State Notification Requirements (including possible community notices). Keep proof of all outreach as part of your HIPAA documentation.

How long must medical records be retained after closure?

Retention is driven primarily by State Record Retention Laws and payer rules. Many states require 7–10 years for adult records and longer for minors (often until majority plus additional years). Separate from medical records, HIPAA requires you to keep HIPAA-related policies and documentation for at least six years. Confirm specialty and payer-specific timelines before setting destruction dates.

How should records be securely transferred or stored?

Use encrypted methods (secure portal, encrypted email, SFTP, or encrypted media), verify identity and authority, and document a chain of custody. Store remaining records in environments with access controls, encryption, backups, and audit logging. Engage vendors only under Business Associate Agreements that enforce Health Information Security and Unauthorized Disclosure Prevention.

What steps ensure continued HIPAA compliance after practice closure?

Designate a records custodian, honor patient access requests within HIPAA timelines, maintain documentation and audit logs, and ensure secure storage or destruction at the end of retention. Update or terminate Business Associate Agreements, train staff through the final day, and secure Tail Liability Insurance to cover post-closure claims exposure.
