HIPAA Privacy Record Retention Policy

All HIPAA-related documents will be retained for a minimum of six years from the date of their creation or the date they were last in effect, whichever is later, as required by the Privacy Rule or other regulations.

Reason(s) for the Policy

The purpose of this policy is to ensure that records related to HIPAA compliance are retained for the required period and are accessible for review and audit. 

Primary Guidance To Which This Policy Responds

Privacy Program Records Retention 45 C.F.R. § 164.530(j) and 45 C.F.R. § 164.316 

Who is Governed by This Policy

All CUHC workforce members

Who Should Know This Policy

All CUHC workforce members

Exclusions & Special Situations

ColumbiaDoctors Health Information Management (HIM) maintains the policy for Medical Information Retention, including retention requirements for Protected Health Information (PHI). HIM also maintains documentation of individuals’ requests for Amendment of Protected Health Information (PHI), in addition to Accounting of Disclosures. These policies can be found on the ColumbiaDoctors Intranet.

  1. Documentation supporting the HIPAA Compliance Program shall be retained for a minimum of six (6) years from when the documentation was created or revised.
  2. Documents subject to HIPAA retention requirements include but are not limited to the following:
  • Privacy Policies and Procedures
  • Documentation of training
  • Incident and Breach Notification Documentation
  • Employee Sanction Policy and sanction log
  • Complaint and Resolution Documentation
  • Business Associate Agreements
  • Notices of Privacy Practices
  • Committee and Workgroup minutes
  3. Disposal of Records

    Disposal of paper and electronic records will follow the University Sanitization and Disposal of Information Resources Policy to prevent unauthorized disclosure of sensitive information.

  4. Additional Information
  • The Office of the General Counsel (OGC) is responsible for providing guidance regarding the legal retention requirements for documents and coordinating document holds when litigation is ongoing, pending, threatened, or likely. The University’s General Counsel will designate one or more individuals to serve as the point of contact.
  • Unless required to be retained pursuant to the approved Record Retention Schedule (RRS) or a Document Hold, records should be purged of extraneous materials (e.g., non-current drafts of documents, draft notes) on a regular basis.
  • Electronic Records will be stored securely with appropriate controls, including encryption when indicated. Paper documents will be stored in a secure location.
  • Digital, electronic, or paper records not covered by a schedule associated with this policy shall be managed according to established policies.

 

Questions regarding application of the policy:

Please submit inquiries via [email protected] 

 

Columbia University Policy on Records Retention | University Policies

Office of Internal Audit Records Retention Policy

Retention Destruction and Purging of Medical Records ColumbiaDoctors Intranet 

 

HIPAA Documentation Record Retention Schedule (RRS) 

Information    

  • Privacy Policies
  • Documentation of training
  • Incident and Breach Notification
  • Complaint and Resolution
  • Employee Sanction Log
  • Business Associate Agreements
  • Notice of Privacy Practices (NOPP)
  • Committee and Workgroup documentation

Retention requirement

Six (6) years from when the document was created or revised

Law

45 C.F.R. § 164.530(j) and 45 C.F.R. § 164.316