Contrary to what most people think, HIPAA does not define specific rules around data retention for medical records or PHI. Requirements around data retention are defined by state medical boards, not HHS.
HIPAA is more concerned with portability and privacy than with long-term data retention. That said, HIPAA does have requirements for retaining certain data, just not medical records.
When most people think of medical records retention regulations, what they are actually thinking about are state medical board requirements. HIPAA requires that covered entities retain their policies and procedures, as well as assessments. In retaining this data, especially policies, some form of versioning should be implemented to track the dates of changes and the authors of changes.
Typically, retaining medical records is prudent for follow-up care, medical-legal reasons, and payment for healthcare services.
Under HIPAA, you don’t have to retain PHI, but you should keep records of privacy policies and procedures.