PHI Retention: How Long Should You Hold on to Protected Health Information?

Do you need to retain PHI after termination of a contract?

There are several different answers to this question, based on the type of services you provide and the reasons why you have access to PHI. But if your organization is considered a Covered Entity, Business Associate, or Business Associate Subcontractor under HIPAA, you are required to retain all PHI you have processed, stored, or transmitted. In these cases, secure PHI retention is absolutely necessary.

Per the HIPAA Security Rule, all records containing PHI must be held for a minimum of six years.¹ However, some state laws and other federal regulations have different length requirements regarding PHI retention.²

The Centers for Medicare & Medicaid Services (CMS) requires that hospitals keep their records for five years at a minimum, with a six year PHI retention requirement for critical access hospitals.³ On the other hand, The Occupational Safety and Health Administration (OSHA) requires employers to retain employee exposure and medical records for 30 years.⁴ If your organization is subject to multiple regulations, you should comply with whatever record retention requirement is the most stringent.

For physicians, different states have different rules on how long you should save records, and the lengths of time vary pretty widely. Some states require PHI retention of patient records for seven years, while the California Medical Association recommends that physicians retain records for 10 years after the date the patient was last seen. When storing so many records for an extended period of time, there is a lot of potential for HIPAA violations!

So, if you’re a physician practice, what do you do? It appears that most recommendations say 10 years are sufficient, unless you identify a reason to retain the records longer. Whatever you do, make sure you have proper security measures in place to protect the records indefinitely, and consult with your legal counsel on their recommendations.

How long should insurance agents hold on to PHI after termination of a contract?

Nearly every state department of insurance requires entities (such as agents) who are under their regulation to maintain their records for 5-7 years. Consult your local laws and check with your state department to determine what PHI retention requirements you must comply with, since each regulatory body has different regulations.

How long should BAs and Subcontractors retain PHI after termination of a contract?

This is where this whole blog began. We had a client who was storing records for physician practices and wanted to know if they needed to maintain the data after termination of the contract. The answer to this is no. HIPAA PHI retention requirements apply only to physician practices.

The BA Subcontractor would be required to return the information to the physician practice upon termination of the contract. We recommend a 30-day time limit for returning the information. After 30 days, the BA or Subcontractor needs to sanitize this information properly. This means shredding any physical records and overwriting all data. Just deleting isn’t good enough. Securely overwrite that data with 1’s and 0’s! If that information were to be breached after termination of the contract, you would have a huge issue on your hands!

Our HIPAA compliance services help ensure that your business follows the basic HIPAA rules and guidelines to protect sensitive patient information. Our team of experts is dedicated to providing affordable rates and personalized solutions to help you become HIPAA compliant. We understand that navigating the complex requirements of HIPAA can be challenging, which is why we offer a comprehensive range of services to meet your unique needs. From risk assessments to employee training, we have the tools and expertise necessary to help your business achieve and maintain HIPAA compliance. Contact us today to learn more about how we can help you protect your patients, your employees, and your business.

  1. 45 CFR § 164.316(b)(2)(i)
  2. 42 CFR § 485.638(c)
  3. 42 CFR § 482.24(b)(1)
  4. OSHA’s Other Recordkeeping Standard: Access to Employee Exposure and Medical Records
  5. How Long Do I Have to Keep My Patient’s Medical Records?

Sharing is caring!


Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.

Download Now

Let's keep in touch

Stay up to date on the latest HIPAA news, plus receive tons of free tools and info.

Navigating HIPAA Compliance in 2023

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!


Related Posts

What is Access Control in terms of HIPAA?

What is Access Control in terms of HIPAA?

Access control, in terms of cybersecurity, refers to the practice of managing and regulating who can access specific resources, systems, or data within an organization's network or information...

Comparing HIPAA and NIST

Comparing HIPAA and NIST

In the ever-evolving landscape of data security and privacy, two key frameworks have emerged as significant players: HIPAA and NIST. Both emphasize the importance of safeguarding sensitive...

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Your cart email sent successfully :)