Question: Does the HIPAA Privacy Rule specify a certain amount of time that our medical office needs to keep patients’ electronic medical records?
Answer: Some people believe that the HIPAA Privacy Rule requires covered entities (CEs) to retain patients’ medical records for six years, or that HIPAA requires you to retain genetic testing records for six years, but this is incorrect, according to a July 29 blog posting by attorney Mary Beth Gettins of Gettins Law.
In fact, the HIPAA Privacy Rule does not require CEs to keep patients’ medical records for any specific period of time, Gettins said. But HIPAA does require that you retain records pertaining to HIPAA privacy rights for a minimum of six years.