Recordkeeping Compliance With Healthcare Regulations: HIPAA, HITECH, ACA

HIPAA, HITECH and ACA regulations are a major concern for organizations operating in the healthcare industry. Because the industry is so highly regulated, organizations need to ensure compliance with its regulations; failure to do so could lead to substantial fines and to negative publicity that damages brand reputation and, ultimately, the bottom line.

Therefore, organizations investing in real-time electronic communications to speed up the flow of information within and outside the organization must be aware of the implications of regulatory requirements on their use. These new communications add infrastructure complexity, which can make it more difficult to comply with regulatory requirements. The main challenge facing healthcare organizations is the ability to track, capture and secure content from these new technologies for record retention and audit purposes. These communication technologies are also prone to data leakage: with a single click, ePHI could be inadvertently sent to the wrong person. Wherever ePHI is sent via any of these electronic communication channels, organizations need to ensure that it is sent securely, that it can be audited, and that records are made and retained according to the requirements set out by HIPAA.

Here’s an overview of the healthcare regulations that have an impact on electronic communications:

Regulatory Bodies

In the U.S., the Department of Health and Human Services (HHS) oversees a number of regulatory bodies that protect the public from health risks and provide programs for public health and welfare. The Centers for Medicare and Medicaid (CMS) oversee most of the regulations related directly to the healthcare system. Aside from running government-subsidized medical coverage programs like Medicare, Medicaid and the State Children’s Health Insurance Program, CMS is also responsible for ensuring the industry complies with the Health Insurance Portability and Accountability Act (HIPAA). In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) was enacted to provide the resources for HHS to create a nationwide network of electronic health records (EHR). Beyond the Federal laws that regulate the healthcare industry, organizations need to be aware that individual states may also have local laws that must be complied with, for instance on the length of time records should be kept.

HIPAA
Any organization that deals with Protected Health Information (PHI) or electronic PHI (ePHI), that is, any health-related information that could identify an individual, from names to test results and appointments, needs to comply with HIPAA. Besides health care providers, other organizations governed by HIPAA include health plans or insurers and health care clearinghouses.

The HIPAA Security Rule sets national standards for the security of electronic protected health information (ePHI) for any entity that holds such information. The HIPAA Privacy Rule protects the privacy of individually identifiable health information. The administrative simplification rules require a covered entity, such as a physician billing Medicare, to retain required documentation for six years from the date of its creation or the date when it was last in effect, whichever is later. HIPAA requirements preempt State laws if those laws require shorter periods. The HIPAA Privacy Rule does not include medical record retention requirements; State laws generally govern how long medical records are to be retained. Highlights of some requirements for organizations concerned with HIPAA:

  • Employee oversight – organizations must have procedures in place to properly authorize and supervise employees handling PHI and ePHI.
  • Record retention – organizations need to retain records in a large number of areas to demonstrate compliance and also to respond to requests, for instance from patients.
  • Breach notification – if there has been a breach of unsecured PHI or ePHI, the organization is obliged to notify the affected individuals, the Secretary of Health and Human Services and, in certain circumstances, the media. Notification must occur within 60 days of the incident.

HITECH Act
The HITECH Act requires that business associates of organizations governed by HIPAA be compliant with the requirements of HIPAA. This affects any organization providing a business service to a HIPAA-regulated firm and could include a law firm, a billing company, even a copy shop. Another change brought about by the HITECH Act is the change in the value of penalties. Before the HITECH Act, organizations were fined from $100 to a maximum of $25,000 per incident per year. However, in 2014, HHS imposed the largest monetary fine to date, $4.8 million, on two organizations found to have breached patient privacy and security.

Affordable Care Act

The Affordable Care Act requires all organizations to adopt more comprehensive recordkeeping practices. New requirements include:

  • Grandfathered health care plan – The plan must maintain records documenting the terms of the plan or health insurance coverage in connection with the coverage in effect on March 23, 2010, and any other documents necessary to verify, explain or clarify its status as a grandfathered health plan.
  • Record keeping for insurers and providers – Health insurance companies have to report on the Medical Loss Ratio (MLR), the percentage of premium revenue spent on clinical services and quality improvement. If the percentage does not meet at least 80-85%, health insurance issuers have to offer a rebate to the enrollee. As part of this new initiative, health insurance issuers are required to retain documents and records of MLR for 10 years from the date the calculations were reported to CMS. Organizations involved in Medicare Part D are also required to retain documentation for 10 years.
  • Qualified health plans must maintain records of coverage terminations in accordance with the requirements of the Exchange.
  • Health insurance issuers offering individual health insurance coverage are required to maintain, for six years, records of all claims and notices associated with the internal claims and appeals process.
  • If a consumer completes a qualified health plan (QHP) selection using an agent or broker’s Internet website, the site is required to maintain related audit trails and records in an electronic format for a minimum of 10 years.

Employee Retirement Income Security Act (ERISA)

The Employee Retirement Income Security Act (ERISA) protects the benefits provided by employee pension plans. A portion of the law regulates health plans offered by private employers and unions. The Department of Labor has issued general guidance for record retention of journals, ledgers, checks, invoices, contracts, agreements, vouchers, worksheets, receipts, claim records, and applicable resolutions. Actual records, not summaries, are required, although electronic versions are acceptable if certain standards for electronic retention are met.