What You Need to Know for Retention Compliance

One of the things I love about helping my Compliance Helper (CH) clients with their information security and privacy compliance activities is that they often ask questions that most other small and mid-size organizations also have, so I get a great opportunity to share the advice! One of my recent conversations dealt with the challenges a mid-size client was having in trying to appropriately customize the data and records retention policy and procedure I provide through the CH service to fit his organization’s unique type of business associate service, while also meeting the HIPAA retention requirements. The paraphrased questions below started our conversation, after I had advised that there are many types of documents that must be retained for at least 6 years to meet compliance:

It would be cost prohibitive to keep all data 6 years.  However, if we had a way to flag just the data and records we needed to keep, we could create a backup policy that would retain those items for the prescribed 6 years.  However, we’re not sure how this would work.  This also would only be as good as the person flagging the documents and records as those needing to be retained.  Do you have any recommendations?

What HIPAA requires

Generally, covered entities (CEs) and business associates (BAs) must retain the following documentation for at least six years from the date of its creation or the date when it was last in effect, whichever is later (the Security Rule states this at 45 CFR 164.316(b)(2) and the Privacy Rule at 45 CFR 164.530(j)).

  • A written or electronic record of a designation of an organization as a CE (e.g., a health plan or an affiliated covered entity) or as a BA.
  • Information security and privacy policies and procedures implemented to comply with HIPAA.
  • Written records of all actions, activities and assessments that HIPAA requires to be documented (for example, risk analyses and the results of periodic evaluations).
  • All data use agreements and other forms supporting HIPAA compliance.
  • All signed authorizations and, where applicable, written acknowledgments of receipt of the notice or documentation of good faith efforts to obtain such written acknowledgments.
  • The Notice of Privacy Practices for entities that must provide them.
  • The documentation identifying the designated record sets that are subject to access by individuals. Note that HIPAA requires documenting which record sets are designated; it does not itself set a retention period for the underlying medical records, which comes from state law and other requirements.
  • Documentation of the titles of the persons or offices responsible for HIPAA compliance, including not only those with overall responsibility for compliance, but also those responsible for receiving and processing individuals’ requests for access, for amendment and for an accounting of disclosures.
  • Accounting of disclosures of protected health information (PHI).

In addition to knowing what HIPAA requires for retention, CEs and BAs must also know their other legal retention requirements, which may arise from state, federal and international law and from contracts. For example, Connecticut medical records law requires that medical records, some of which go beyond HIPAA’s definition of PHI, be maintained for 7 years. Where periods differ for the same record, the longer one usually controls, but that determination belongs to legal counsel.

Compliance recommendations

Over the years I’ve found the following high-level action plan to be effective in addressing retention requirements:

  1. Assign someone overall responsibility for ensuring that records and information are retained for the appropriate amount of time.
  2. Create an inventory of the locations of all applicable records. Many organizations use data discovery or data loss prevention (DLP) tools to locate these types of records, and then back them up appropriately.
  3. Where possible, back up the documents that must be retained for a specific period onto backup media separate from the rest of the backed-up data, so that the retained set is not overwritten or expired by the normal backup rotation schedule.
  4. Use a records-management software tool (IBM, the sponsor of this post, is one vendor) to tag and separate out the data that must be retained for the HIPAA and other regulatory time periods, rather than relying on individuals to flag each document by hand.

Often, once you have static records (ones you will not be changing) on a backup, you can store that backup somewhere secure and then delete the records that are no longer needed from the databases you modify as business processing occurs. Before deleting, confirm that the archived copy restores correctly and is protected against tampering, and record where it is kept and the date after which it may itself be destroyed, since the archive must remain readable for the full retention period.
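As an added example (not part of the original post, and not IBM’s or Compliance Helper’s tooling), here is a small Python script that mechanizes the four steps above for an inventoried record set: each record carries a type, the type maps to the retention regimes that apply to it, and the script computes the date through which the record must be kept and sorts the inventory into "retain", "eligible for deletion" and "needs review". It fails closed: any record whose type is not in the classification table is never deleted automatically, which addresses the worry in the question above that flagging is only as good as the person doing it. The record type names, the regime mapping and the sample inventory are constructed for illustration; only the 6-year HIPAA clock (from the later of creation and last-in-effect date) and the 7-year Connecticut medical-records figure come from the text of the post.

```python
"""Added example: retention-hold calculator for an inventoried record set.

Record types, regime mapping and sample records are constructed for
illustration.  Only the 6-year HIPAA period and the 7-year Connecticut
medical-records period are taken from the post.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Retention periods in years.  HIPAA documentation: 6 years from the later of
# the creation date and the last-in-effect date.  CT_MEDICAL: the post's
# 7-year Connecticut example.  Other regimes are added after legal review.
REGIMES: Dict[str, int] = {"HIPAA": 6, "CT_MEDICAL": 7}

# Assumed classification table (hypothetical type names): record type -> the
# regimes that apply.  An empty set means no regulatory hold.  Anything NOT in
# this table is treated as unclassified and is never deleted automatically.
CLASSIFICATION: Dict[str, Set[str]] = {
    "policy": {"HIPAA"},
    "baa": {"HIPAA"},                         # business associate agreement
    "authorization": {"HIPAA"},
    "risk_assessment": {"HIPAA"},
    "accounting_of_disclosures": {"HIPAA"},
    "medical_record": {"HIPAA", "CT_MEDICAL"},
    "marketing_draft": set(),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    record_type: str
    created: date
    last_in_effect: Optional[date] = None     # None: still in effect (or n/a)


def add_years(d: date, years: int) -> date:
    """Calendar-year offset; 29 Feb rolls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retain_until(rec: Record, today: date) -> Optional[date]:
    """Date through which rec must be kept, or None if its type is unclassified.

    The clock starts at the later of the creation date and the last-in-effect
    date.  A record still in effect is anchored at today, so it can never be
    eligible for deletion.  When several regimes apply, the longest period
    wins (a conservative default; legal review may adjust the mapping).
    """
    regimes = CLASSIFICATION.get(rec.record_type)
    if regimes is None:
        return None
    anchor = max(rec.created, rec.last_in_effect or today)
    if not regimes:
        return anchor                         # no regulatory hold past the anchor
    return max(add_years(anchor, REGIMES[r]) for r in regimes)


def partition(records: List[Record], today: date) -> Tuple[Dict[str, date], List[str], List[str]]:
    """Split an inventory into (retain {id: until}, eligible_for_deletion, needs_review)."""
    retain: Dict[str, date] = {}
    eligible: List[str] = []
    review: List[str] = []
    for rec in records:
        until = retain_until(rec, today)
        if until is None:
            review.append(rec.record_id)      # fail closed: a human must classify it
        elif until >= today:
            retain[rec.record_id] = until
        else:
            eligible.append(rec.record_id)
    return retain, eligible, review


# Constructed sample inventory (the output of step 2) and a fixed "today" so
# that the results are reproducible.
TODAY = date(2014, 6, 1)
SAMPLE_RECORDS: List[Record] = [
    Record("POL-001", "policy", date(2005, 1, 10), date(2007, 3, 1)),     # superseded 2007
    Record("POL-002", "policy", date(2009, 1, 10)),                       # still in effect
    Record("AUTH-77", "authorization", date(2007, 9, 15), date(2007, 9, 15)),
    Record("BAA-3", "baa", date(2008, 2, 29), date(2008, 2, 29)),         # leap-day anchor
    Record("MR-5", "medical_record", date(2007, 9, 15), date(2007, 9, 15)),  # CT period still running
    Record("MKT-1", "marketing_draft", date(2012, 1, 1), date(2012, 1, 1)),
    Record("SCAN-9", "scanned_fax", date(2010, 4, 4), date(2010, 4, 4)),  # not in the table
]


if __name__ == "__main__":
    retain, eligible, review = partition(SAMPLE_RECORDS, TODAY)
    for rid, until in sorted(retain.items()):
        print(f"RETAIN   {rid} through {until.isoformat()}")
    for rid in eligible:
        print(f"ELIGIBLE {rid} (retention period has passed)")
    for rid in review:
        print(f"REVIEW   {rid} (unclassified; not deleted)")
```

Note what the medical record shows: under HIPAA alone its documentation clock ran out in 2013, but the Connecticut period keeps it on hold until September 2014, so computing the longest applicable period per record, rather than applying a single six-year rule to everything, is what keeps the deletion step safe. The "eligible" list is input to a human-approved deletion, not an automatic purge.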

Legal requirements for retention

All organizations, not just those that must comply with HIPAA, need to address data and records retention. The following are just a few examples of regulations and laws with data and records retention requirements that you should know about:

I’ve written on this topic several times. Here are a couple of articles that may be helpful for you:

Advice from the Department of Health and Human Services (HHS)

To appropriately meet compliance with HIPAA requirements, HHS provides the following advice with regard to retention:

Bottom line for organizations of all sizes…

Every organization, in all industries, of all sizes, in all locations, needs to:

1) Have an inventory of the information and documents that they collect, process, store and otherwise access for business, healthcare and other purposes.

2) Document the retention requirements for each type of information/document.

3) Work with their legal counsel to determine the most appropriate retention time for each when more than one legal requirement creates a conflict.

4) Establish policies, procedures and technical controls to facilitate and support the retention requirements.


This post was written as part of the IBM for Midsize Business (http://Goo.gl/t3fgW) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.

