HIPAA Q&A: You've got questions. We've got answers!
HIM-HIPAA Insider, October 19, 2015
Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide you with the information you need.
Q: Can you tell me whether there is a resource that lists documents and required retention guidelines (i.e., audit logs)? Where would I find such a list? Do you have any recommendations about retention guidelines for audit logs based on your experience?
A: There is no resource published by OCR that documents required retention guidelines. If it relates to HIPAA compliance, documents need to be retained for six years. That means, as an example, your HIPAA-related policies need to be retained for six years. So if you update a policy, the old version needs to be retained for six years.
As far as audit logs go, there are no guidelines, and there are two schools of thought: retain the log files for six years or retain the audit log monitoring reports for six years but not the logs themselves. EHR audit logs should be retained for three years because of the yet-to-be-finalized accounting of disclosures rule and new requirements included in the HITECH Act. I am of the second school of thought for all other audit logs. In other words, document your retention requirements and maintain other audit logs for 90 days following an audit log review unless logs are needed for a security incident investigation, at which point you should religiously destroy the audit logs that were reviewed after 90 days. If the policy is strictly followed, you are also protected if you become involved in a legal battle and accusations are made that you are destroying evidence. In the end, if you don't have it, it's not discoverable.
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA newsletter. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.