How long should a Covered Entity, Business Associate or Subcontractor hold onto PHI after termination of a contract?
There’s really different answers to this question, based on the type of services you provide and the reason why you have PHI.
Per the HIPAA Security Rule, all records containing e-PHI must be held for a minimum of 6 years. However some state laws and other federal regulations might require that you hold onto PHI longer.
So, after doing some research, there are a few regulatory bodies that do require you to hold on to information for differing time periods. CMS has requirements for hospitals but not for physician practices. Hospitals must keep their records for 5 years at a minimum, but it’s 6 years for critical access hospitals.1 And, OSHA requires employers to retain medical records for 30 years, if the employee has been exposed to a harmful substance or agents.2
For physicians, different states have different rules on how long you should save records and the lengths of time vary pretty widely, too. You have some saying seven years, and the California Medical Association thinks physicians should retain records indefinitely, but then goes on to say, 10 years might be enough. That’s a lot of records for a long time, and a lot of potential for HIPAA violations!
So, if you’re a physician practice what do you do? It appears that most recommendations say 10 years are sufficient, unless you see a reason to retain the records longer. Whatever you do, make sure you have proper security measures in place to protect the records indefinitely, and consult with your legal counsel on their recommendations.
How long should Insurance Agents hold onto PHI after termination of a contract?
Nearly every state Department of Insurance requires entities (such as agents) who are under their regulation to maintain their records for 5-7 years. Again, check your local laws and with your state department to verify this since each regulatory body has different regulations.
How long should BA/Subcontractors hold onto PHI after termination of a contract?
This is where this whole blog began. We had a client who was storing records for physician practices and wanted to know if they needed to maintain the data after termination of the contract. The answer to this is no. The HIPAA storage requirements apply only to the physician practices.
The BA Subcontractor would be required to return the information to the physician practice upon termination of the contract. We recommend that you have a 30-day time limit for returning the information. After 30 days, the BA/Subcontractor needs to sanitize this information properly. This means shredding any physical records, and overwriting all data. Just deleting isn’t good enough. Securely overwrite that data with 1’s and 0’s! If that information were to be breached after the termination of a contract, you would have a huge issue on your hands!
2. 42 CFR § 482.24(b)(1) and 42 CFR § 485.638(c).