HIPAA/HITECH Etc. Retention: Does Your Reality = Your Requirements?

By Rebecca Herold, Posted 12/29/09    

Last month I had the great pleasure of being a guest on Scott Draughon and Anyck Turgeon's MyTechnologyLawyer.com radio show for a segment entitled, "Is encryption enough to achieve privacy?"

I was pleasantly surprised to see a large number of great follow-up questions following the show!

I covered one of them in my post, "Don't Throw Your Privacy Out The Window; Know How Your PII Is Used" Here are a couple more of those many questions I want to answer in this post...

  • With laws changing all the time, what do you recommend we use for a good data retention and disposal practice? Should it differ between e- and physical records? If so, why?
  • How many years should we keep our business versus customer data for?

Information an data retention are increasingly more important; not only from a regulatory compliance standpoint, but also from a security and privacy standpoint.

Just consider this amazing graph showing the exponential growth of data.

This is an amazing *ACCUMULATION* of data! It looks like most data is snowballing and being retained...how much is actually being deleted when it is no longer necessary for business purposes? Or, for regulatory and legal purposes?

Most of the companies I speak with say their retention *plan* and retention *reality* are two very different things; most keep data indefinitely...until the storage media deteriorates...and do not actively delete data from backup tapes or archival data storage media.

However, organizations need to start addressing retention issues more proactively. MANY privacy breaches have occurred because of backup tapes, archived data, and data stored...INDEFINITELY...on mobile storage devices being lost, stolen or accessed by unauthorized individuals. Often through such silly activities as selling old computers and storage devices in an attempt to recoup some of the investment cost...and NOT REMOVING THE DATA FIRST!!

Different laws and regulations have different retention requirements for the same types of information. Consider just a few of them:

  • HIPAA/HITECH Act: Requires covered entities (CEs), and now business associates (BAs) under the HITECH Act, must document many things (such as but not limited to: the designation of an affiliated covered entity, business associate or hybrid entity; policies and procedures; authorizations; and several other items that you can see in my book, "The Practical Guide to HIPAA Privacy and Security Compliance," and which I will also list in an upcoming blog post) and retain the documentation for 6 years and as required by any other applicable laws.
  • 21 CFR Part 11: Electronic Records; Electronic Signatures: Audit trail documentation must "be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying."
  • Americans with Disabilities Act: Information about persons whose employment was involuntarily terminated must be kept for at least one year from the date of the termination.
  • Social Security Administration (SSA) Records Retention: All SSA financial records and supporting documents must be retained for a period of three years.

A few years ago I wrote about retention requirements in my article, "Records Retention and Security Regulations...Think About it!" It's on my to-do list to put out an updated version of this! Anyone out there want to sponsor it? :)

So, back to the questions...

  • With laws changing all the time, what do you recommend we use for a good data retention and disposal practice? Should it differ between e- and physical records? If so, why?
  • How many years should we keep our business versus customer data for?

Generally speaking, business data must be retained longer to meet audit and government inspection requirements; customer information retained only as long as necessary for the business purposes for which it was collected. There are, of course, exceptions; HIPAA has specific 6-year retention periods.

The FDA provides a great summary statement regarding this in their guidance for 21 CFR Part 11 retention:

"We suggest that your decision on how to maintain records be based on predicate rule requirements and that you base your decision on a justified and documented risk assessment and a determination of the value of the records over time."

Involve your lawyer in determining the laws that should be followed when there are retention conflicts for certain types of information items.

Here's a basic plan to follow:

  • Identify the applicable laws and regulations for your organization; be sure to consider all the laws for all the locations where you have offices, have outsourced vendors, and very importantly, have customers.
  • Map out the retention requirements for each law. Use my "Records Retention and Security Regulations...Think About it!" paper as a starting point.
  • Some of the laws apply to information in all forms, some specifically for electronic data; be sure to document this.
  • Perform a records retention risk assessment.
  • Decide, in partnership with your corporate lawyers, the appropriate retention periods for information items that have differing rentention requirements within different laws applicable to your organization.

All organizations need to have a records management plan and procedure in place for determining the security and privacy requirements of the information they store, and also for determining how long they must retain specific types of information. Archiving systems in which policies can be established is a relatively simple way to comply with the myriad regulations concerning record retention.


Add Your Comments

(not published)