Do you need to retain PHI after termination of a contract?
There are several different answers to this question, depending on the services you provide and why you have access to PHI. But if your organization is a Covered Entity, Business Associate, or Business Associate Subcontractor under HIPAA, you have retention obligations: some for the PHI you process, store, or transmit, and some for the documentation that shows how you protect it. In either case, secure retention is absolutely necessary.
HIPAA itself does not set a retention period for medical records. What the Privacy and Security Rules require is that the documentation they call for (policies and procedures, risk assessments, training records, authorizations, accountings of disclosures, Business Associate Agreements, and similar compliance records) be kept for at least six years from the date it was created or the date it was last in effect, whichever is later.¹ Retention periods for the PHI itself come from state laws and other federal regulations, and those periods vary.²
The Centers for Medicare & Medicaid Services (CMS) requires hospitals to keep medical records for at least five years, and critical access hospitals for at least six years.³ The Occupational Safety and Health Administration (OSHA), on the other hand, requires employers to retain employee exposure records for 30 years and employee medical records for the duration of employment plus 30 years.⁴ If your organization is subject to more than one of these regimes, comply with whichever retention requirement is the most stringent.
For physicians, each state sets its own rules on how long patient records must be kept, and the periods vary widely. Some states require retention of patient records for seven years, while the California Medical Association recommends that physicians retain records for 10 years after the date the patient was last seen.⁵ Storing that many records for that long creates a lot of opportunity for HIPAA violations!
So, if you are a physician practice, what do you do? Most recommendations treat 10 years as sufficient unless you identify a reason to keep specific records longer. Whatever period you choose, make sure you have proper security measures in place for as long as you hold the records, and consult your legal counsel on the requirements that apply to you.
How long should insurance agents hold on to PHI after termination of a contract?
Nearly every state department of insurance requires the entities it regulates (such as agents) to maintain their records for five to seven years. Each regulator sets its own rules, so consult your state laws and check with your state department of insurance to determine which PHI retention requirements you must comply with.
How long should BAs and Subcontractors retain PHI after termination of a contract?
This is where this whole blog began. We had a client who was storing records for physician practices and wanted to know whether they needed to keep the data after the contract ended. The answer is no. Medical record retention requirements bind the Covered Entity (here, the physician practice), not its Business Associates. A BA or Subcontractor holds PHI only under the terms of its Business Associate Agreement, and HIPAA requires that agreement to provide for the return or destruction of all PHI at termination if feasible; where return or destruction is not feasible, the BA must extend the agreement's protections to the data and limit further use to whatever makes return or destruction infeasible. (The BA's own compliance documentation, including the BAA itself, still falls under the six-year documentation rule.)
The BA or Subcontractor would therefore return the information to the physician practice upon termination of the contract. We recommend a 30-day time limit for returning it. After 30 days, the BA or Subcontractor needs to sanitize the information properly: shred physical records and sanitize electronic media. Just deleting isn't good enough; deletion removes a directory entry and leaves the data on the media, where it can be recovered. Follow NIST SP 800-88, the media sanitization guidance HHS references: overwrite magnetic disks, use the drive's secure-erase or cryptographic-erase function for SSDs and flash storage (overwriting does not reliably reach every cell on those devices), and physically destroy media that cannot be purged. Keep a record of what was destroyed, when, and how. If that information were breached after termination of the contract, you would have a huge issue on your hands!
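As an added illustration of the "overwrite, then remove, then record it" step described above (this is example code written for this post, not the client's or any vendor's tooling), the shell function below overwrites a file in place with random bytes and then zeros, removes it, and appends a line to a destruction log. The sample file and log path are constructed for the demo. The caveat still applies: in-place overwriting is only meaningful on magnetic media and filesystems that write in place; for SSDs, copy-on-write filesystems, and cloud storage, use the NIST SP 800-88 purge methods (secure erase or cryptographic erase) instead.

```shell
#!/bin/sh
# Added example: overwrite a file before unlinking it and log the destruction.
# Assumptions: POSIX sh with coreutils (dd, head, wc, sync, date, mktemp).
# Overwriting in place only helps on magnetic media with in-place writes;
# SSDs, flash and copy-on-write filesystems need secure/cryptographic erase.

# sanitize_file FILE LOGFILE
#   Pass 1 writes random bytes over the file's current contents,
#   pass 2 writes zeros, then the file is flushed, removed and logged.
#   Returns non-zero if FILE is not a regular file.
sanitize_file() {
    f=$1
    log=$2
    [ -f "$f" ] || return 1
    size=$(wc -c < "$f" | tr -d ' ')

    # conv=notrunc keeps the existing allocation instead of truncating,
    # so the overwrite lands on the blocks that held the original data.
    head -c "$size" /dev/urandom | dd of="$f" conv=notrunc 2>/dev/null
    head -c "$size" /dev/zero    | dd of="$f" conv=notrunc 2>/dev/null
    sync

    rm -f "$f"
    printf '%s sanitized %s (%s bytes, 2 passes)\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$f" "$size" >> "$log"
}

# Demo on a constructed sample record (not real PHI).
demo_dir=$(mktemp -d)
sample="$demo_dir/patient-000123.txt"
destruction_log="$demo_dir/destruction.log"
printf 'Patient: Jane Doe (constructed sample), MRN 000123\n' > "$sample"
sanitize_file "$sample" "$destruction_log"
cat "$destruction_log"
```

The destruction log is the artifact you keep: the BAA obligation is not just to destroy the PHI but to be able to show that you did. For whole disks rather than individual files, run the vendor's secure-erase command on the device and record the command, serial number, and date the same way.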
Have you performed a Risk Assessment in the past year? Do you have updated HIPAA Policies and Procedures in place? Our HIPAA Prime™ program does all this and more! We create customized compliance documents and provide your staff with easy online training, ensuring compliance for your business.
Want to know more about how you can become HIPAA compliant?
Email us at firstname.lastname@example.org to learn more about how we can help your organization become (and stay!) HIPAA compliant. Or, get started here.