Documentation and Retention

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy regulations require that:

A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of HIPAA. The policies and procedures must be reasonably designed, taking into account the size of and the type of activities that relate to protected health information undertaken by the covered entity, to ensure such compliance.
A covered entity must:

  • Maintain the policies and procedures in written or electronic form;
  • If a communication is required to be in writing, maintain such writing, or an electronic copy, as documentation; and
  • If an action, activity, or designation is required to be documented, maintain a written or electronic record of such action, activity, or designation.
A covered entity must retain the required documentation for six years from the date of its creation or the date when it last was in effect, whichever is later.

HIPAA retention requirements apply to specific documentation retained by Purdue’s HIPAA Covered Components and may include:

  • HIPAA Policies and Procedures
  • HIPAA Privacy or Security complaints
  • Notice of Privacy Practices
  • Authorization to Use/Disclose/Release Form
  • Record of Disclosure and Inadvertent Disclosure
  • Confidentiality Agreements
  • Training Rosters
  • Confidential Destruction Certificates
  • Acknowledgement of the Receipt of the Notice of Privacy Practices
  • Written Requests for Medical Records
  • Request of Privacy Protection of Protected Health Information (PHI)
  • Request of Amendment of PHI from an Individual or Entity
  • Designation of Individuals Who are Involved in My Payment or Treatment Decision
  • Written Disciplinary Actions Related to HIPAA Violations
  • System Activity Review Documentation
  • HIPAA Privacy or Security Assessment Documentation
  • System Account or Access Request Forms
  • Building Key Request Forms
  • Certification of Compliance with HIPAA Privacy Rule Regarding Activities Preparatory to Research
  • Data Use Agreements
  • Application for Waiver of Authorization or Modification of Authorization under HIPAA Privacy Rule
  • IRB Approval of Request for Waiver, Partial Waiver or Modification of Individual Authorization for Disclosure of Protected Health Information
  • Any other documentation, written or electronic, related to a HIPAA action, activity, or designation that is required to be documented.