I recently had a question from a client about what the requirements were for keeping data.  The client had previously stated 6 years.  While I’m no attorney, and do not claim to be, after some research it appears there is no data retention requirement.  That said there is a requirement that certain documents and their history be available for the last six years as it relates to HIPAA.

Below is some supporting information as it relates to that.

 

From the Department of HHS
https://www.hhs.gov/hipaa/for-professionals/faq/580/does-hipaa-require-covered-entities-to-keep-medical-records-for-any-period/index.html

Documents required to be retained
http://privacyguidance.com/blog/what-you-need-to-know-for-retention-compliance/