Since federal privacy rules require lots of documentation, a frequently asked question is: How long do we have to keep all the documents that accumulate as a result of compliance with the Health Insurance Portability and Accountability Act (HIPAA)?
The answer: Six years — and that means six years after the date of a document’s creation or it’s most recent effective date.
Keep in mind, all HIPAA-related activities must be documented. This includes privacy policies and procedures, privacy notices, resolution of complaints, staff training, business associate agreements and all else pertaining to privacy protections.