HIPAA is very advantageous and important in protecting the confidentiality of the client’s protected personal health information (ePHI). Frequent exchange and transmission of information online has become the new normal and it is only imperative that certain guidelines ensure that the sensitive and personal information is protected throughout in the process.

HIPAA Record Retention Requirements mandate that the business associates and covered entities retain the data for at least sixth years from the date of creation or last effective date, whichever happens to be later. The following is to be retained as per the norms of HIPPA :
1.Any record that is the form of physical or electronic that the organization contains as a part of health insurance, affiliated covered entity etc.
2. Information, policies and procedures implemented time and again to safeguard the privacy of the patients and that is a part of the compliance to HIPAA.

3.HIPAA mandates the retention of all documented settings and assessments.
4. Any bond or document that has to do with the compliance of HIPAA should be retained by the organization for example any agreement or any form.
5.Any signed authorization or acknowledgement letters or receipt of the notice or the documentation of good faith efforts to obtain such written acknowledgements.
6. The notice of Privacy Practices for entities that must provide them.
7.Any form of record that can be accessed by the subjects.
8. Accounting of disclosures of HIPAA compliance.
9. Titles of the persons or office responsible for HIPAA compliance are to be documented and retained. The documentation is for people not only responsible for the overall responsibility of the compliance but for also those receiving and processing requests for amendments by individuals.
Other than the above record retention, the business associates and covered entities must also know their legal retention requirements from state, federal, international and other such forums, other than HIPAA. These laws may require some other type of retention of documents that may or may not be only HIPAA compliant. For example, Connecticut state law requires that ePHI should be maintained for 7 years.