County Privacy Officer Retention Schedule (HIPAA1)

Series Title (Agency Series #): Description, Retention (Legal Citation)

Business Associate Agreements (HIPAA1-007): Series documents contract language used to instruct third parties who are not part of the county hybrid covered entity about their responsibilities to maintain PHI according to county procedures. May be either stand-alone agreements or language inserted into other contracts. Agreements generally describe the parties, terms of the agreement, a termination clause, and authorizing signatures and dates.
Retention: Retain 6 years after expired (MOAR 166-150-0005(7) and 45 CFR 164.530(j))   

Complaint Records (HIPAA1-006): Series documents complaints made to covered components of the hybrid covered entity about purported violations of HIPAA. Records may include complaints (letters, email, phone messages, or other documentation), background material, and the covered component's response (if any). Also may include complaint logs.
Retention: Retain 10 years after last action (MOAR 166-150-0065(007))   

HIPAA Privacy Employee Training Records (HIPAA1-003): Records document training required under the federal HIPAA Privacy Rule. Training records include the workforce member's name, date training completed, certifications that additional training was completed, and related information. Completed training records are maintained in the SAP system.
Retention: Retain 6 years after workforce member separation. (45 CFR 164.530(j))   

HIPAA Privacy Training Program Records (HIPAA1-004): Records document the materials and systems used to train workforce members about their responsibilities under the HIPAA Privacy Rule. Records include training handouts, departmental training material, instructional presentations, and other documents intended to train workforce members about HIPAA privacy.
Retention: Retain 6 years after superseded or obsolete (45 CFR 164.530(j))   

Notices of Privacy Practices (HIPAA1-005): Series documents Multnomah County covered component's notification to individuals of the uses and disclosures of protected health information and of the individual's rights and Multnomah County's legal duties with respect to protected health information. Notices include a description of covered components covered by the notice, a description of the legal authority for the notice, a description of when and how an individual's information may be used, an effective date, and contact information.
Retention: Retain 6 years after superseded. (45 CFR 164.530(j))   

Privacy Oversight Meeting Records (HIPAA1-001): Documents monthly meetings held to discuss compliance with the HIPAA Privacy Rule in Multnomah County. Records include minutes, agendas, and any attached documentation used in the meetings.
Retention: Retain 6 years. (45 CFR 164.530(j))

Privacy Policies and Procedures (HIPAA1-002): Records documenting the implementation of the Board of County Commissioner's Resolution 03-054, 2013-119 and Administrative Procedures to comply with the HIPAA Privacy Rule. Includes work group records (for the groups developing portions of the administrative procedures), final policies, correspondence (primarily email), and related documentation.
Retention: Final policies and procedures: retain 20 years after superseded; all other records: retain 6 years. (MOAR 166-150-0005(25) and 45 CFR 164.530(j))   

Protected Health Information Accountable Disclosure Records (HIPAA1-009): Records documenting accountable disclosures of protected health information, including both authorized and unauthorized disclosures. Records may vary in format, but should include the date of disclosure, to whom the information was disclosed, and the circumstances of the disclosure.
Retention: Retain 6 years (45 CFR 164.530(j))   

Protected Health Information Research Requests (HIPAA1-008): Series documents research requests for protected health information under the provisions of county HIPAA privacy procedures. Records include research requests, privacy board review or privacy officer expedited review, background material, and acceptance or denial of request.
Retention: Retain 6 years after research completed (45 CFR 164.530(j))

Last reviewed January 4, 2024