HIPAA Deadline Tracker 2026
Every HIPAA response window, retention period, and annual deadline — with the 45 CFR citation for each.

Patient Rights Response Deadlines

| Request Type | Standard Deadline | Extension Available | Citation |
|---|---|---|---|
| Right of Access — provide copy of records | 30 days from receipt | One 30-day extension with written notice to patient | 45 CFR § 164.524(b)(2) |
| Right to Amend — respond to amendment request | 60 days from receipt | One 30-day extension with written notice to patient | 45 CFR § 164.526(b)(2) |
| Accounting of Disclosures — provide list of disclosures | 60 days from receipt | One 30-day extension with written notice to patient | 45 CFR § 164.528(c)(1) |
| Restriction Request — respond with decision | Reasonable time (no prescribed limit) | N/A — best practice is prompt response | 45 CFR § 164.522(a) |
| Confidential Communications — accommodate request | Reasonable time | N/A | 45 CFR § 164.522(b) |

Breach Notification Deadlines

| Notification Requirement | Deadline | Notes | Citation |
|---|---|---|---|
| Individual notification — notify affected individuals | 60 days from discovery | "Discovery" is when CE knew or should have known of the breach | 45 CFR § 164.404(b) |
| HHS notification — report to HHS Secretary | Within 60 days if 500+ affected; within 60 days of year-end if fewer than 500 | Submit via HHS Breach Reporting Portal | 45 CFR § 164.408 |
| Media notification — notify prominent media (500+ in a state) | 60 days from discovery | Required when 500+ individuals in a single state or jurisdiction are affected | 45 CFR § 164.406 |
| Business Associate → CE notification | 60 days from BA discovery | BA must notify CE without unreasonable delay, allowing CE to meet its 60-day window | 45 CFR § 164.410(b) |
| Substitute notice — if contact info is outdated/insufficient | Same 60-day window | Post on website or major print/broadcast media | 45 CFR § 164.404(d) |

HIPAA Records Retention Periods

| Document Type | Retention Period | Start Date | Citation |
|---|---|---|---|
| HIPAA policies and procedures | 6 years | From date of creation or last effective date, whichever is later | 45 CFR § 164.530(j) |
| Notice of Privacy Practices | 6 years | From date of creation or last effective date | 45 CFR § 164.520(e) |
| NPP patient acknowledgment | 6 years | From date of signature | 45 CFR § 164.520(e) |
| Business Associate Agreements | 6 years | From date of creation or last effective date | 45 CFR § 164.530(j) |
| Security Risk Analysis and Risk Management documents | 6 years | From date of creation or last effective date | 45 CFR § 164.316(b) |
| Breach log and breach investigation records | 6 years | From date of breach or investigation | 45 CFR § 164.530(j) |
| Workforce training records | 6 years | From date of training | 45 CFR § 164.530(j) |
| Sanctions documentation | 6 years | From date of sanction | 45 CFR § 164.530(j) |
| Complaint records | 6 years | From date of complaint | 45 CFR § 164.530(j) |
| Authorization forms | 6 years | From date of signature | 45 CFR § 164.530(j) |

Note: Retention of patient medical records (as opposed to HIPAA compliance records) is governed by state law and is typically longer: often 7–10 years for adults, and for minors until the age of majority plus an additional period.

Annual Compliance Tasks

| Task | Frequency | Best Practice Timing | Citation / Basis |
|---|---|---|---|
| Security Risk Analysis | At least annually and when significant changes occur | Q1 of each year; also after major system changes, acquisitions, or new software | 45 CFR § 164.308(a)(1) |
| Workforce HIPAA training | At hire and periodically thereafter (no prescribed interval) | Annual refresher training; immediately for new hires | 45 CFR § 164.530(b) |
| BAA review and update | When business arrangements change; no prescribed renewal period | Annual audit of all active BAAs; update on contract renewal | 45 CFR § 164.504(e) |
| NPP review for material changes | When material changes to privacy practices occur | Annual review; update when laws change or new services added | 45 CFR § 164.520(b)(3) |
| Contingency plan testing | Periodically (no prescribed interval) | Annual tabletop exercise; annual data recovery test | 45 CFR § 164.308(a)(7) |
| Access control review | Periodically (no prescribed interval) | Quarterly user access review; immediate review on employee termination | 45 CFR § 164.312(a)(1) |
| Audit log review | Periodically (no prescribed interval) | Monthly review of audit logs for anomalies | 45 CFR § 164.312(b) |
| Sanction policy enforcement review | Ongoing | Annual policy review; enforce immediately when violations occur | 45 CFR § 164.530(e) |

Penalty Statute of Limitations

| Violation Type | Statute of Limitations | Citation |
|---|---|---|
| Civil money penalties — OCR enforcement | 6 years from the date the violation occurred (not from discovery) | 45 CFR § 160.306(c) |
| Criminal HIPAA violations | 5 years (general federal criminal statute of limitations) | 18 U.S.C. § 3282 |

Ready to get your compliance documents in order?
Knowing the deadlines is step one. Having the actual documents — BAAs and an NPP — is what keeps you protected when OCR comes knocking.