Wiki Compliance Audits

sarahpoe

I am aware that each state has laws regarding medical record retention. Are there any publications that specify how long compliance audit reports are retained?

Thank you

Unless your state law specifies a longer time frame, HIPAA requires you to keep your policies, procedures, training, compliance audits, etc. for six years.

From HIPAA Privacy (https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html):

Documentation and Record Retention. A covered entity must maintain, until six years after the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.

From HIPAA Security (https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html):

Policies and Procedures and Documentation Requirements

A covered entity must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. A covered entity must maintain, until six years after the later of the date of their creation or last effective date, written security policies and procedures and written records of required actions, activities or assessments.

Updates. A covered entity must periodically review and update its documentation in response to environmental or organizational changes that affect the security of electronic protected health information (e-PHI).

Hope that helps!

Jennifer M. Connell, CPPM, CPCO, CPMA, CPB, CPC, CPC-I, CPC-P, CENTC