Under HIPAA, how many years must covered entities keep records of compliance?


Under HIPAA (Health Insurance Portability and Accountability Act), covered entities are required to maintain records of compliance for a period of six years from the date of the creation of the record or the date when it last was in effect. This requirement applies to all documentation related to HIPAA's privacy, security, and breach notification rules.

This six-year retention period is designed to ensure that covered entities have the necessary documentation available to demonstrate compliance during audits or investigations related to HIPAA. Keeping these records for the full duration also supports the protection of patients' health information and provides a framework for accountability and transparency within healthcare practices.

In contrast, the other timeframes listed—two, four, and ten years—do not align with HIPAA's specific requirements for record retention. These periods may pertain to other regulatory or legal obligations but are not relevant under the HIPAA compliance regulations. Consequently, the six-year requirement stands as the correct answer.
