Documentation Requirements for HIPAA Compliance

HIPAA Documentation Essentials

HIPAA documentation is the proof that your compliance program exists and works. Without it, even strong compliance efforts are invisible to regulators. When the Office for Civil Rights (OCR) investigates your practice, it looks at records, not intentions.

Practices that cannot show complete, current documentation face harsher outcomes, even when their actual compliance is solid. Documents are how you prove what you did.

HIPAA sets specific documentation requirements under the Privacy Rule, the Security Rule, and the Breach Notification Rule. Each rule says what to record, how long to keep it, and how to manage it. This guide covers all of it.

Required Documents List

Privacy Rule Documentation

The Privacy Rule requires covered entities to keep documentation on PHI handling, patient rights, and privacy practices. These records must be current and complete. Missing any of them can result in OCR findings.

Required Privacy Rule documentation:

  • Notice of Privacy Practices (NPP): A written notice that explains how the practice uses and discloses PHI, and what rights patients have.
  • Privacy policies and procedures: Complete policies covering PHI use, disclosure, access, and protection.
  • Patient authorization forms: Standard forms for obtaining patient authorization for non-routine uses and disclosures.
  • Designated record set documentation: A clear definition of what counts as the practice's designated record set.
  • Accounting of disclosures records: A log of all PHI disclosures made outside of treatment, payment, or healthcare operations.
  • Patient access request logs: Records of patient requests to see their PHI and how the practice responded.
  • Amendment request records: Records of patient requests to change their PHI and the actions taken.
  • Restriction request records: Logs of patient requests to limit PHI use or disclosure and how the practice responded.
  • Minimum necessary determinations: Written criteria for deciding minimum necessary access for routine disclosures.
  • Workforce privacy training records: Proof that all workforce members completed privacy training.
  • Privacy complaint log: A record of every privacy complaint received and how each was resolved.

Security Rule Documentation

The Security Rule requires documentation of security measures and risk management. It also covers the implementation of technical, physical, and administrative safeguards. Every safeguard area needs its own documentation.

Required Security Rule documentation:

  • Risk analysis report: A complete analysis of threats, vulnerabilities, and risks to ePHI, with risk levels and mitigation plans.
  • Risk management plan: Documented steps to reduce identified risks to reasonable and appropriate levels.
  • Security policies and procedures: Policies covering all administrative, physical, and technical safeguard requirements.
  • Information system activity review records: Logs of audit log reviews and any issues found.
  • Access authorization records: Records showing who is authorized to access ePHI and why.
  • Security incident records: Logs of all security incidents, the investigations performed, and the outcomes.
  • Contingency plan: A documented data backup plan, disaster recovery plan, and emergency mode operations plan.
  • Business associate agreements: Signed BAAs with every business associate that handles ePHI.
  • Evaluation records: Records of periodic technical and non-technical compliance evaluations.
  • Facility security plan: Documentation of physical safeguards and facility access controls.
  • Workforce security training records: Proof that all staff completed security awareness training.

Breach Notification Documentation

  • Breach risk assessment records: A four-factor risk assessment for each potential breach.
  • Breach notification records: Copies of all notifications sent to individuals, HHS, and the media.
  • Breach log: A complete log of all breaches, including those affecting fewer than 500 individuals.
  • Investigation reports: Detailed records of breach investigations, findings, and corrective actions.

Retention Periods

The Six-Year Rule

HIPAA requires covered entities and business associates to retain documentation for six years from the date of its creation or the date when it was last in effect, whichever is later. This applies to policies, procedures, training records, BAAs, and all other compliance documentation.

Understanding "last in effect":

  • A policy created in 2020 and replaced in 2024 must be kept until 2030 (six years from the date it was last in effect).
  • A BAA signed in 2021 and ended in 2025 must be kept until 2031.
  • Training records from 2023 must be kept until at least 2029.
  • An incident record from 2024 must be kept until at least 2030.

Important considerations:

  • State laws may set longer retention periods for certain records. Always follow the longer requirement.
  • Some records should be kept beyond six years for legal or operational reasons.
  • Litigation holds may require keeping specific records longer.
  • Consider keeping risk analyses and audit reports permanently as evidence of your compliance program's history.

Retention Schedule by Document Type

Document Type                  Minimum Retention              Recommended Retention
Policies and procedures        6 years from last in effect    Permanent (all versions)
Risk analyses                  6 years from creation          Permanent
Training records               6 years from creation          10 years
BAAs                           6 years from termination       10 years
Incident and breach records    6 years from creation          Permanent
Access authorization records   6 years from last in effect    10 years
Audit logs                     6 years from creation          7 years
Patient authorization forms    6 years from creation          Per state medical records law
Complaint records              6 years from resolution        10 years
Sanctions records              6 years from creation          Duration of employment plus 6 years

Policy Documentation Best Practices

Policy Structure

Well-structured policies are easier to train on and to produce during audits. Use a consistent format across all compliance policies. This saves time and reduces errors.

Recommended policy elements:

  • Policy number and title: A unique identifier and a clear, descriptive title.
  • Purpose: Why the policy exists and what it covers.
  • Scope: Who the policy applies to and when.
  • Definitions: Key terms used in the policy.
  • Policy statements: The actual rules, written in clear and direct language.
  • Procedures: Step-by-step instructions for carrying out the policy.
  • Responsibilities: Who owns each part of the policy.
  • Sanctions: Consequences for violating the policy.
  • Related policies: References to related compliance documentation.
  • Revision history: Dates and descriptions of all changes.
  • Approval signatures: Evidence that management reviewed and approved the policy.

Policy Review Cycle

Policies must be reviewed and updated regularly. They need to stay current with regulatory changes, practice changes, and new threats. Stale policies create compliance gaps.

  • Annual review: Review all policies at least once per year. Document the review with a date stamp, even if no changes are made.
  • Trigger-based review: Update policies when rules change, major incidents occur, the practice structure changes, or new technology is deployed.
  • Stakeholder input: Bring in relevant department heads during policy reviews. This keeps policies practical and enforceable.
  • Legal review: Have legal counsel review policies at least once a year. Also review with counsel whenever major changes are made.

Risk Analysis Documentation

What to Document

The risk analysis is the most important compliance record your practice produces. It drives your entire security program. It is also the first document OCR requests during an audit.

Risk analysis documentation must include:

  • Scope definition: Which systems, facilities, and processes were assessed.
  • Methodology: The framework and approach used for the analysis.
  • Asset inventory: All systems and locations where ePHI is created, received, maintained, or transmitted.
  • Threat identification: All threats to ePHI that can reasonably be anticipated.
  • Vulnerability identification: Weaknesses in systems, processes, and controls.
  • Current controls: Existing safeguards and how effective they are.
  • Risk determination: Likelihood and impact ratings for each identified risk.
  • Risk prioritization: A ranked list of risks by overall risk level.
  • Mitigation plan: Specific actions to address each risk, with owners and timelines.
  • Residual risk acceptance: Documented acceptance of risks that will not be fully mitigated, with justification.

Training Records

Training Documentation Requirements

Training records must show that every workforce member received appropriate HIPAA training. Incomplete training records are one of the most common findings in OCR audits. For a full guide to training programs, see our HIPAA training guide.

Required training records:

  • Training schedule and curriculum for each session.
  • Attendance records with names, dates, and signatures or digital verification.
  • Training materials used (every version).
  • Assessment results for each participant.
  • Completion certificates.
  • Remedial training records for those who failed assessments or violated policies.
  • Training program review and improvement records.

Incident Documentation

Incident Record Requirements

Every security incident and potential breach must be documented from first discovery to final resolution. These records demonstrate your practice's response capability and due diligence. OCR reviews them closely during audits.

Incident documentation elements:

  • Date and time of discovery.
  • Description of the incident.
  • How the incident was detected.
  • Who reported the incident.
  • Systems and data affected.
  • Number of individuals potentially affected.
  • Immediate containment actions taken.
  • Investigation steps and findings.
  • Root cause analysis.
  • Four-factor breach risk assessment (if applicable).
  • Corrective actions taken.
  • Notifications sent (individuals, HHS, media).
  • Follow-up checks confirming corrective actions worked.

For more on preventing incidents, see our guide on common HIPAA breaches.

Audit Trails

System Audit Logging

HIPAA requires practices to implement audit controls that record activity in systems containing ePHI. These logs serve as both a detective control and a documentation requirement. They must be reviewed on a regular schedule.

Audit log requirements:

  • User access logs: Who accessed what information and when.
  • Authentication logs: Successful and failed login attempts.
  • Modification logs: Changes to ePHI, including who made the change and what changed.
  • Disclosure logs: Records of ePHI transmitted outside the practice.
  • Administrative logs: System configuration changes, user account changes, and privilege changes.
  • Physical access logs: Badge swipes, door access events, and visitor sign-in records.

Audit log management:

  • Store logs securely with protections against tampering.
  • Review logs regularly based on the risk level of the system.
  • Keep logs for at least six years.
  • Investigate any issues found during log review.
  • Document the results of all log reviews.
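The management list above asks for logs that are protected against tampering and for documented review results. As an added example (not code from the original guide or from any product it mentions), the Python below stores audit entries in a hash chain: each entry carries the SHA-256 of the previous one, so an after-the-fact edit or deletion is caught by verification, and a simple review pass flags repeated failed logins. The record fields, the `login_failed` action name, and the sample events are constructed for illustration.

```python
"""Tamper-evident audit log with a SHA-256 hash chain plus a sample review.
Added example; record fields and sample events are constructed, not from
any real system."""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

GENESIS = "0" * 64  # stands in for the hash of the (non-existent) entry before the first


def canonical(record: dict) -> bytes:
    # Stable serialization so an identical record always hashes identically.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, record: dict) -> str:
    # Each hash covers the previous hash and this record, which links the chain.
    return hashlib.sha256(prev_hash.encode() + canonical(record)).hexdigest()


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def append(self, actor: str, action: str, target: str, ts: Optional[str] = None) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "target": target,
        }
        entry = {"record": record, "prev": prev, "hash": entry_hash(prev, record)}
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain; return (True, None) or (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["record"]["seq"] != i:
                return False, i          # gap, reorder, or deletion
            if entry_hash(prev, e["record"]) != e["hash"]:
                return False, i          # record contents changed after the fact
            prev = e["hash"]
        return True, None


def failed_login_bursts(log: AuditLog, threshold: int = 3) -> Dict[str, int]:
    """Review step: actors with at least `threshold` failed logins in the log."""
    counts: Dict[str, int] = {}
    for e in log.entries:
        r = e["record"]
        if r["action"] == "login_failed":
            counts[r["actor"]] = counts.get(r["actor"], 0) + 1
    return {a: n for a, n in counts.items() if n >= threshold}


def build_sample_log() -> AuditLog:
    # Constructed sample events (not real log data).
    log = AuditLog()
    log.append("nurse1", "login_ok", "ehr", "2024-03-01T08:00:00+00:00")
    log.append("nurse1", "view", "patient/1001", "2024-03-01T08:01:00+00:00")
    for i in range(4):
        log.append("contractor7", "login_failed", "ehr", f"2024-03-01T08:0{i + 2}:00+00:00")
    log.append("admin", "privilege_change", "user/nurse1", "2024-03-01T09:00:00+00:00")
    return log


def tamper_demo() -> Optional[int]:
    """Edit a stored record in place; verification reports the edited index."""
    log = build_sample_log()
    log.entries[1]["record"]["target"] = "patient/2002"
    return log.verify()[1]


def deletion_demo() -> Optional[int]:
    """Delete an entry; verification reports where the chain breaks."""
    log = build_sample_log()
    del log.entries[3]
    return log.verify()[1]


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact chain:", sample.verify())
    print("edited entry detected at index:", tamper_demo())
    print("deleted entry detected at index:", deletion_demo())
    print("failed-login review:", failed_login_bursts(sample))
```

The chain only proves integrity relative to its last hash, so in practice the newest hash is copied somewhere the log writer cannot modify (a separate system or a signed daily checkpoint); the review output is what gets filed as the documented result of the log review.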

Version Control

Managing Document Versions

HIPAA's retention requirements and the ongoing changes to compliance documentation make version control essential. You must be able to produce any version of any policy that was in effect during the retention period. Without version control, that becomes impossible.

Version control best practices:

  • Version numbering: Use a consistent scheme (e.g., 1.0, 1.1, 2.0) that separates minor updates from major revisions.
  • Change tracking: Record what changed in each version, who made the change, and why.
  • Effective dates: Every record version must have a clearly marked effective date.
  • Superseded records: Mark replaced versions as superseded and archive them where they can be found.
  • Approval records: Keep proof of who approved each version.
  • Central storage: Store all current and past versions in one access-controlled location.
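The version control list above and the six-year rule earlier in this guide describe the same record: a policy version with an effective date, a superseded date, and a retention clock that starts from the later of creation or last-in-effect. As an added example (not code from the original guide), the Python below keeps a small policy register that answers "which version was in effect on a given date?" and "when may a superseded version be destroyed?", applying a longer state minimum where one exists. The register design, the field names, and the sample versions are constructed; treating a version that is still in effect as not yet eligible for destruction is this example's reading of "last in effect".

```python
"""Versioned policy register with point-in-time lookup and six-year retention.
Added example; record layout and sample versions are constructed."""
from dataclasses import dataclass, replace
from datetime import date
from typing import Dict, List, Optional

HIPAA_MIN_YEARS = 6


def iso(s: str) -> date:
    return date.fromisoformat(s)


def add_years(d: date, years: int) -> date:
    # Feb 29 rolls back to Feb 28 when the target year is not a leap year.
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)
class PolicyVersion:
    policy_id: str
    version: str                 # e.g. "1.0", "1.1", "2.0"
    created: date                # date the document was written
    effective: date              # date it took effect
    superseded: Optional[date]   # date a later version replaced it; None while current
    approved_by: str
    change_note: str

    def retention_until(self, state_min_years: int = 0) -> Optional[date]:
        """Earliest destruction date, or None while the version is still in effect."""
        if self.superseded is None:
            return None
        years = max(HIPAA_MIN_YEARS, state_min_years)   # the longer rule wins
        return add_years(max(self.created, self.superseded), years)


class PolicyRegister:
    def __init__(self) -> None:
        self._versions: Dict[str, List[PolicyVersion]] = {}

    def add(self, v: PolicyVersion) -> None:
        vs = self._versions.setdefault(v.policy_id, [])
        if vs and vs[-1].superseded is None:
            # Close out the current version on the new version's effective date.
            vs[-1] = replace(vs[-1], superseded=v.effective)
        vs.append(v)

    def active_on(self, policy_id: str, on: date) -> Optional[PolicyVersion]:
        for v in self._versions.get(policy_id, []):
            if v.effective <= on and (v.superseded is None or on < v.superseded):
                return v
        return None

    def destroyable(self, policy_id: str, today: date, state_min_years: int = 0) -> List[PolicyVersion]:
        out = []
        for v in self._versions.get(policy_id, []):
            until = v.retention_until(state_min_years)
            if until is not None and until <= today:
                out.append(v)
        return out


def build_sample_register() -> PolicyRegister:
    # Constructed sample: a policy written in 2020 and replaced in 2024.
    reg = PolicyRegister()
    reg.add(PolicyVersion("POL-01", "1.0", iso("2020-01-15"), iso("2020-02-01"), None,
                          "Privacy Officer", "Initial release"))
    reg.add(PolicyVersion("POL-01", "2.0", iso("2024-05-10"), iso("2024-06-01"), None,
                          "Privacy Officer", "Rewritten for new EHR platform"))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    v1 = reg.active_on("POL-01", iso("2022-03-01"))
    print("in effect 2022-03-01:", v1.version, "keep until", v1.retention_until())
    print("in effect 2024-06-01:", reg.active_on("POL-01", iso("2024-06-01")).version)
    print("destroyable on 2030-06-01:", [v.version for v in reg.destroyable("POL-01", iso("2030-06-01"))])
```

`replace()` on a frozen dataclass records the superseded date without mutating the original object, which keeps each stored version immutable once filed; the `change_note` and `approved_by` fields carry the change tracking and approval evidence the list above calls for.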

Best Practices for Document Management

Building a Compliance Document System

A well-organized document management system is the backbone of your compliance program. Without it, even complete documentation becomes hard to find, maintain, and produce when needed. Good systems make audits far less stressful.

Document management system requirements:

  • Centralized storage: All compliance documentation in one access-controlled system.
  • Search capability: Ability to find documents by title, content, date, or category.
  • Access controls: Role-based access so only authorized staff can view, edit, or approve documents.
  • Audit trail: The document system itself should log who accessed, changed, or downloaded documents.
  • Backup and recovery: Regular backups with tested recovery procedures.
  • Retention management: Automated tracking with alerts for documents nearing their retention deadline.
  • Workflow support: Built-in review, approval, and distribution workflows.

Common Documentation Mistakes

Avoid these common documentation failures that lead to OCR findings:

  • Missing documents: Policies that should exist but do not, especially risk analyses and incident records.
  • Outdated policies: Documents not reviewed or updated in years.
  • No version history: No way to produce the version of a policy that was in effect at a specific point in time.
  • Incomplete training records: Workforce members with no documented training completion.
  • Unsigned BAAs: Business associate relationships with no signed agreements.
  • No evidence of review: Policies with no record of periodic review and approval.
  • Inconsistent retention: Some records kept properly while others are deleted too soon.

HIPAA Documentation FAQ

What is the HIPAA documentation retention period?

HIPAA requires documentation to be retained for six years from the date of its creation or the date when it was last in effect, whichever is later. This applies to policies, procedures, training records, business associate agreements, risk analyses, incident records, and all other compliance documentation. State laws may require longer retention for specific record types.

Can HIPAA documentation be stored electronically?

Yes. HIPAA does not require paper records. Electronic storage is acceptable and often preferred, because it supports better search, access control, and backup. Your electronic storage system must include access controls, encryption, audit logging, and backup procedures. The system itself must meet HIPAA requirements for any ePHI it contains.

What happens if we cannot produce documentation during an OCR audit?

Failing to produce required documentation is itself a HIPAA violation. It also prevents you from demonstrating compliance with other requirements. If you cannot show training records, OCR will assume training was not done. If you cannot produce a risk analysis, OCR will assume one was never performed. Missing documentation almost always leads to larger fines and more extensive corrective action plans.

How often should policies be reviewed and updated?

Review all HIPAA policies at least once a year. Also review and update them when regulations change, major incidents occur, new systems are deployed, or the practice structure changes. Document every review, including reviews where no changes were made. This demonstrates ongoing maintenance of the compliance program.

Documentation Requirements Takeaways

Documentation is the tangible proof of your HIPAA compliance program. Without it, your efforts are invisible to regulators and indefensible during audits. With it, you demonstrate commitment, systematic risk management, and the continuous improvement regulators expect.

Build your program on the requirements in this guide. Create a centralized, access-controlled repository. Use consistent version control. Set retention schedules that meet or exceed the six-year minimum. Train your compliance team on documentation standards. Review your system regularly to keep it complete, current, and audit-ready.

One Guy Consulting helps healthcare practices build and maintain documentation systems that satisfy HIPAA requirements and support effective compliance operations. From policy development to document management system selection and implementation, we make sure your compliance program is not just effective but provable. Browse our HIPAA policy templates to strengthen your compliance documentation, or explore our HIPAA compliance guide for the full compliance picture.