Why HIPAA records compliance matters

HIPAA's Privacy and Security Rules require covered entities to safeguard Protected Health Information (PHI) in every form — paper, digital, microfilm. A single avoidable breach can trigger fines from $100 to $50,000 per violation, plus mandatory breach notification.
Reynolds has guided more than 40 Pennsylvania healthcare organizations through HIPAA records audits since 2003. The checklist below summarizes the controls auditors verify first.
Run this checklist quarterly, not just before your annual audit. Most HIPAA findings come from controls that drifted out of compliance between reviews.
10-point HIPAA records compliance checklist
1. Documented retention schedule for every PHI record class
2. Encrypted-at-rest storage for all digital PHI
3. Role-based access controls with quarterly entitlement review
4. Tamper-evident audit trail on every PHI access event
5. Locked, fire-suppressed physical storage for paper PHI
6. Signed Business Associate Agreement with every records vendor
7. Documented destruction process with certificates of destruction
8. Workforce HIPAA training completed annually with sign-off
9. Tested incident-response plan for PHI breaches
10. Annual risk analysis covering all PHI repositories

Regulatory citations for the key controls on the list:

| Requirement | What it means for scanned records | Citation |
|---|---|---|
| Access controls | Role-based access so only authorized users reach ePHI | §164.312(a) |
| Audit controls | Logged, reviewable access trails on the records system | §164.312(b) |
| Integrity | Protection against improper alteration or destruction of ePHI | §164.312(c) |
| Documentation retention | HIPAA compliance documentation kept 6 years from creation or last effective date | §164.316(b)(2) |
Items 6 and 7 are the most-cited deficiencies in OCR enforcement actions. Verify both BAAs and destruction records before your next audit.
A compliant digitization project is auditable end to end — you can prove where every record was, at every step.
How Reynolds helps
We provide HIPAA-compliant on-site scanning, encrypted Laserfiche repositories, retention-schedule consulting, and certified destruction — all under one Business Associate Agreement.
Frequently asked questions
How long must HIPAA records be retained?
HIPAA requires covered entities to retain HIPAA documentation — policies, risk analyses, and disclosure logs — for six years from creation or last effective date (45 CFR §164.316(b)(2)). This is separate from how long the medical records themselves are kept.
Is the HIPAA retention period the same as medical-record retention?
No. The six-year HIPAA rule covers compliance documentation, not patient records. Medical-record retention is set by state law; in Pennsylvania the minimum is seven years (28 Pa. Code §115.23), and longer for minors.
What is the "7-year retention" rule?
Many record types carry a seven-year minimum, including Pennsylvania medical records (28 Pa. Code §115.23) and common financial records. Always confirm the specific record series against its governing schedule rather than applying one number to everything.
What are the main HIPAA rules?
The core rules are the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Enforcement/Omnibus Rule, codified at 45 CFR Parts 160 and 164.
How quickly must a HIPAA breach be reported?
Affected individuals must be notified without unreasonable delay and no later than 60 days after discovery of a breach (45 CFR §164.404). Breaches affecting 500 or more people also require notice to HHS and the media.
Can a scanning vendor handle HIPAA-protected records?
Yes — if the vendor signs a Business Associate Agreement (BAA) and maintains access controls, audit logging, and documented chain-of-custody. Reynolds handles HIPAA-protected records under a BAA with HIPAA-compliant scanning and storage.
Resources
HIPAA Compliance Checklist (PDF): 10-point printable checklist with audit-ready sign-off fields.