In 2023, a mid-sized clinic in the Southeast received a records request from OCR during a compliance review — and couldn't produce its risk analysis from three years prior. The organization assumed it only needed to keep current documents. That assumption triggered an investigation that uncovered systemic documentation failures. A clear HIPAA records retention policy would have prevented the entire situation.

What a HIPAA Records Retention Policy Actually Requires

Here's where confusion starts: HIPAA does not set a single, universal retention period for medical records. State laws govern how long patient medical records must be kept. What HIPAA does mandate is the retention of specific compliance documentation — the policies, procedures, and administrative records that prove your organization meets its regulatory obligations.

Under 45 CFR § 164.530(j), covered entities must retain Privacy Rule documentation for six years from the date of its creation or the date it was last in effect, whichever is later. The Security Rule imposes the same six-year period on its own documentation at 45 CFR § 164.316(b)(2)(i). Between them, this covers written policies and procedures, the Notice of Privacy Practices, workforce training records, authorizations, complaints and their dispositions, and Security Rule records such as the risk analysis.

This six-year requirement catches many organizations off guard. It applies not only to the covered entity: business associates are directly subject to the Security Rule's documentation standard, so the same period covers the HIPAA-relevant records they maintain on your behalf.

Documents Your Organization Must Retain for Six Years

OCR expects your records retention practices to cover a comprehensive set of documents. Failing to produce any of these during an audit or investigation can support a finding of willful neglect, the highest penalty tier. Here's what falls under the six-year requirement:

  • HIPAA policies and procedures — including all prior versions, not just the current edition
  • Risk analysis and risk management plans — required under the Security Rule at 45 CFR § 164.308(a)(1)
  • Workforce training records — proof that every member of your workforce received HIPAA training and when
  • Business associate agreements (BAAs) — both active and expired contracts
  • Notice of Privacy Practices — current and all prior versions, along with acknowledgment receipts
  • Breach incident documentation — investigation findings, notifications sent, and corrective actions taken
  • Complaints and their dispositions — every privacy complaint your organization received and how it was resolved
  • Sanctions applied to workforce members — records of disciplinary action for HIPAA violations

If your organization can't produce these documents on demand, OCR will treat that gap as a compliance failure — regardless of whether the underlying requirement was actually met.

The Workforce Training Retention Gap Most Organizations Miss

In my work with covered entities, training documentation is the single most common gap I see. Organizations invest in training their workforce but fail to retain completion records for the full six-year period. Some use platforms that purge records after employees leave. Others rely on spreadsheets that get lost during system migrations.

Under the Privacy Rule (45 CFR § 164.530(b)), every workforce member must receive training on your organization's HIPAA policies and procedures, including new hires and anyone affected by a material change. Under the Security Rule, security awareness training is required at 45 CFR § 164.308(a)(5). You need dated, verifiable records proving both, and you need them for six years.

Investing in a dedicated HIPAA training and certification program that automatically tracks and retains completion records solves this problem. The cost of maintaining training documentation is negligible compared to the penalties for failing to produce it.

How State Laws Complicate Your HIPAA Records Retention Policy

Your HIPAA records retention policy cannot exist in isolation. While HIPAA's six-year requirement covers compliance documentation, state laws impose separate — and often longer — retention periods for patient medical records and billing records.

For example, many states require adult medical records to be retained for seven to ten years after the last encounter. Records for minors often must be kept until the patient reaches the age of majority plus an additional period. A few states require hospitals to retain records for decades. Check the statute for each state in which you operate rather than relying on a generic table.

The practical approach: build your policy to meet the longest applicable retention period for each document type. When HIPAA says six years and your state says ten, you keep it for ten. Document this analysis in your written HIPAA records retention policy so OCR can see the rationale.

Building an Enforceable Retention and Destruction Policy

A strong HIPAA records retention policy doesn't just specify how long to keep documents. It also addresses secure destruction. Under the Privacy Rule's safeguards standard at 45 CFR § 164.530(c) and the Security Rule's device and media controls at 45 CFR § 164.310(d)(2), you must have policies and procedures for the final disposition of protected health information and the media that hold it. HHS guidance treats PHI as properly disposed of only when it cannot be read or reconstructed: shredding, burning, or pulping for paper, and clearing, purging, or destroying electronic media in line with NIST SP 800-88.

Your policy should define:

  • Specific retention periods for each document category, referencing both HIPAA and applicable state law
  • Secure storage requirements — encryption for electronic records, locked storage for physical records
  • A destruction schedule and approved destruction methods (shredding, degaussing, certified electronic wiping)
  • A designated individual responsible for overseeing retention and destruction
  • A litigation hold procedure that suspends destruction when legal action is pending or reasonably anticipated

Document everything. If you destroy records on schedule, keep a destruction log that shows what was destroyed, when, and by whom. OCR wants to see that your organization follows its own policies consistently.
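The retention schedule, the "longest applicable period wins" rule, the litigation hold override, and the destruction log described above can be enforced by a small records-management routine. The following is an added example, not code from the original article or from any product it mentions; the state retention table uses fictitious state codes and constructed values, and the record identifiers are made up. Applying the six-year floor to every record type, including patient charts, is the conservative policy choice the text recommends, not a claim that § 164.530(j) itself governs medical records.

```python
"""Retention-eligibility checker: HIPAA six-year rule, a state-law
floor, litigation holds, and a destruction log.  Added example; the
state table and record ids below are constructed, not real data."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

HIPAA_DOC_YEARS = 6  # 45 CFR 164.530(j)(2) and 164.316(b)(2)(i)

# Constructed, illustrative state table (fictitious codes "XA", "XB"):
# years a patient medical record must be kept after the last encounter.
STATE_MEDICAL_RECORD_YEARS = {"XA": 7, "XB": 10}


@dataclass
class Record:
    record_id: str
    category: str  # "policy", "risk_analysis", "training", "baa", "medical_record", ...
    created: date
    # Compliance documents: the date the document stopped being in effect
    # (None = still in effect).  Medical records: date of last encounter.
    last_in_effect: Optional[date] = None
    state: Optional[str] = None  # only consulted for medical records


@dataclass
class LitigationHold:
    hold_id: str
    categories: frozenset  # record categories frozen by this hold
    lifted: Optional[date] = None  # None = hold still active


def add_years(d: date, years: int) -> date:
    """Calendar-year addition; 29 Feb rolls back to 28 Feb when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retain_until(rec: Record):
    """Return (end_date, rationale).  End date is None while a document is
    still in effect, because the six-year clock only starts when it is
    superseded.  The longest applicable period governs."""
    if rec.last_in_effect is None:
        return None, "still in effect: retention clock has not started"
    hipaa_end = max(add_years(rec.created, HIPAA_DOC_YEARS),
                    add_years(rec.last_in_effect, HIPAA_DOC_YEARS))
    candidates = [(hipaa_end,
                   "45 CFR 164.530(j): 6 years from the later of creation "
                   "and last-in-effect")]
    if rec.category == "medical_record":
        years = STATE_MEDICAL_RECORD_YEARS.get(rec.state)
        if years is None:
            raise ValueError(f"{rec.record_id}: no state period mapped for {rec.state!r}")
        candidates.append((add_years(rec.last_in_effect, years),
                           f"state {rec.state} law: {years} years after last encounter"))
    return max(candidates)  # later date wins; policy records the reason


def destruction_decision(rec: Record, holds, today: date):
    """(eligible, reason).  An active litigation hold overrides the schedule."""
    for h in holds:
        if rec.category in h.categories and (h.lifted is None or today < h.lifted):
            return False, f"litigation hold {h.hold_id} active"
    end, why = retain_until(rec)
    if end is None:
        return False, why
    if today < end:
        return False, f"retain until {end.isoformat()} ({why})"
    return True, f"retention period ended {end.isoformat()} ({why})"


def destroy(rec: Record, holds, today: date, actor: str, method: str, log: list) -> dict:
    """Destroy only when eligible; append an auditable entry to the log."""
    eligible, reason = destruction_decision(rec, holds, today)
    if not eligible:
        raise PermissionError(f"{rec.record_id}: {reason}")
    entry = {"record_id": rec.record_id, "category": rec.category,
             "destroyed_on": today.isoformat(), "by": actor,
             "method": method, "basis": reason}
    log.append(entry)
    return entry


if __name__ == "__main__":
    # Constructed sample records.
    policy_v1 = Record("POL-001", "policy", date(2016, 3, 1), last_in_effect=date(2019, 6, 15))
    risk_analysis = Record("RA-2019", "risk_analysis", date(2019, 1, 1))  # still current
    chart = Record("MRN-0001", "medical_record", date(2010, 1, 1),
                   last_in_effect=date(2016, 5, 20), state="XB")
    hold = LitigationHold("LH-7", frozenset({"policy", "breach"}))
    log = []
    for rec in (policy_v1, risk_analysis, chart):
        print(rec.record_id, destruction_decision(rec, [hold], date(2025, 7, 1)))
    print(destroy(policy_v1, [], date(2025, 7, 1), "records.officer", "cross-cut shred", log))
```

Run as a script it prints the decision for each constructed record and one destruction-log entry. Note that the policy version superseded in June 2019 is not destroyable until June 2025 even though it was created in 2016, because the clock runs from the later of the two dates, and that the fictitious ten-year state period pushes the chart's date past the six-year HIPAA floor.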

OCR Enforcement Makes Retention a Priority

OCR's enforcement actions consistently penalize organizations for documentation failures. In multiple resolution agreements, penalties were assessed not because the organization lacked safeguards but because it couldn't prove those safeguards existed. The absence of documentation is treated as the absence of compliance.

Between 2008 and 2024, OCR resolved over 140 cases through settlements with corrective action plans or civil monetary penalties. A significant number of those cases involved failure to conduct or document a risk analysis, a document that falls squarely within the six-year retention requirement. Penalties under the HIPAA violation tier structure can reach up to $2,067,813 per violation category per calendar year under the 2024 inflation adjustment.

Your organization cannot afford to treat documentation as an afterthought. A written, enforced HIPAA records retention policy is a frontline defense against OCR findings.

Take Action on Your Records Retention Policy Now

Start with an inventory of every document type your organization creates or receives that falls under HIPAA's requirements. Map each to the correct retention period. Identify gaps — especially in workforce training records, prior policy versions, and expired business associate agreements.

Then formalize the policy in writing, train your workforce on it, and assign someone to enforce it. Platforms like HIPAA Certify can help your organization build a culture of compliance where documentation and training aren't afterthoughts — they're standard operating procedure.

Every document you can't produce is a risk you didn't have to take. Build your HIPAA records retention policy before OCR asks for the records you no longer have.