What's Up With the HIPAA Retention Schedules?

For much of my professional career I have been what I like to call "health care adjacent". Meaning, my department has HIPAA responsibilities but I personally was only partially involved in them. I was around for conversations around protecting PHI, e- or otherwise, and sometimes called in as a technical resource for addressing specific controls but I was never in a situation where I really needed to know shit about the standard. One truism that everyone involved clearly knew was that records retention was a nightmare. We had a hard requirement of a 7-year minimum for anything related to patient data, whether the patient's electronic chart or firewall logs for the network segment that housed HIPAA covered servers.

Working for a company that services hospitals and medical services providers has meant stepping away from my former blissful ignorance and digging down into the absolute mess that is HIPAA and all of its descendants. What struck me is that I never quite saw the declaration of that 7-year requirement. I simply assumed I hadn't quite gotten to that section, or that it was listed in one of the follow-up bills. After all, everyone I've spoken to has treated the 7-year requirement as fact, both at my previous employer and others. Needless to say, I was rather surprised, when I learned that there's not actually any such requirement at all!

In fact, the only legislated retention schedule at all is found in 45 CFR 164.316(b)(2)(i).

Time limit (Required). Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.

Yes, 6 years is awfully close to 7 but the given section entirely revolves around policy and procedure. I think it should be pointed out that policies and procedure are slightly different from health records, and very different from transaction artifacts such as firewall logs.

That's not to say we don't have any retention schedules to follow, they're just not defined by HIPAA et al. Take the Centers for Medicare & Medicaid Services (CMS) for example. They define several schedules dependent on the type of information; provider submitted cost reports must be retained in their original or legally reproduced form for a period of at least 5 years after the closure of the cost report (42 CFR 482.24(b)(1))1, or Medicare managed care program providers to retain records for 10 years (42 CFR 422.504(d)(2)(iii))2, or psychiatric hospitals for 5 years (42 CFR 482.61)3. The American Health Information Management Association has done a pretty fantastic job at summarizing many, though almost definitely not all, of the schedules in 'Practice Brief—Retention of Health Information'4.

Looking through the list we can see an amazingly large number of individual retention schedules with time frames that are all over the place. While that is a great resource it doesn't really help understand the whole 7-Year Mystery that prompted my investigation. The closest thing I've found to an authoritative source is from the State of Connecticut Public Health Code.

19a-14-42. Retention schedule Unless specified otherwise herein, all parts of a medical record shall be retained for a period of seven (7) years from the last date of treatment, or, upon the death of the patient, for three (3) years. (a) Pathology Slides, EEG and ECG Tracings must each be kept for seven (7) years. If an ECG is taken and the results are unchanged from a previous ECG, then only the most recent results need be retained. Reports on each of these must e kept for the duration of the medical record. (b) Lab Reports and PKU Reports must be kept for at least five (5) years. Only positive (abnormal) lab results need be retained. (c) X-Ray Films must be kept for three (3) years. (Effective August 29, 1984.)

Per the HHS all of the requirements spelled out in HIPAA et al were intended to be minimums. That is, if your state has overlapping guidelines you must follow the stricter of the two. My best guess is that at one time an audit performed in Connecticut and listed 7-year retention as a finding. Audit findings being what they are found their way into the public consciousness and became so deeply embedded in compliance lore that most practitioners were unwilling to question it or suffer the disappointment that is reading US federal legislation to discover what really is required.