
HIPAA Data Retention & Backup [Requirements & Compliance]


How long should you retain medical records? It varies. HIPAA itself sets no retention period for medical records; those periods come from state law. HIPAA does, however, set a retention period for the documentation it requires: policies, procedures, authorizations, and similar records must be kept for at least six years.

For example, HIPAA’s Security Rule does not require email archiving as such. But where an email is part of that required documentation (a signed authorization received by email, or the record of a disclosure, for instance), it must be retained for at least six years and kept intact, neither altered nor deleted, during that time.

What is HIPAA and the Privacy Rule?

The Health Insurance Portability and Accountability Act (HIPAA) governs accountability for patient information across healthcare providers, health plans, and the vendors that serve them. Its implementing regulations are commonly grouped into three principal rules:

  1. The Privacy Rule, which defines Protected Health Information (PHI) and the responsibilities Covered Entities (CEs) and Business Associates (BAs) have in controlling who may access and use it.
  2. The Security Rule, which sets the minimum safeguards (administrative, physical, and technical) that CEs and BAs must implement to protect electronic PHI.
  3. The Breach Notification Rule, which dictates how a CE or BA must notify affected individuals, HHS, and in some cases the media in the event of a breach of unsecured PHI.

In terms of protecting medical record storage and data retention, CEs and BAs must adhere to both the Privacy and Security Rules. The Privacy Rule (45 CFR 164.530(j)) and the Security Rule (45 CFR 164.316(b)) each set a six-year retention period for the documentation they require, and the Security Rule’s device and media controls (45 CFR 164.310(d)) govern the disposal and re-use of media holding electronic PHI.

It is important to note that the six-year period applies to HIPAA’s required documentation (policies, procedures, authorizations, accountings of disclosures, and so on), not to patients’ medical records. How long medical records themselves must be kept is set by individual states.


What are the HIPAA Data Retention Requirements for Covered Entities?

Under HIPAA, CEs and BAs must retain the documentation the rules require for no fewer than six years from the date of its creation or the date when it was last in effect, whichever is later.

This requirement applies to HIPAA’s own documentation, including:

  1. The written or electronic record that designates the organization, or parts of it, as a CE or a BA.
  2. All policies and procedures adopted to comply with the Privacy and Security Rules, which together demonstrate HIPAA compliance.
  3. Risk analyses and other HIPAA-required assessment documentation.
  4. Business associate agreements, data use agreements, and other forms required by HIPAA.
  5. Signed authorizations from patients allowing a CE or BA to disclose PHI, and documentation of efforts to obtain those authorizations.
  6. Notices of Privacy Practices, including superseded versions.
  7. Designation of the privacy and security officials and any other individuals in the organization responsible for maintaining compliance, including names, titles, and contact information.
  8. Accountings of disclosures of PHI, and the records needed to produce them.

Medical and billing records themselves are not on this list. HIPAA requires that they be protected, but the length of time they must be kept is set by state law, and where state law is more stringent than HIPAA, state law governs. Check your state’s requirements before disposing of patient records.

These retention requirements are the same for Covered Entities and Business Associates. The Security Rule’s safeguards apply equally to long-term storage and backups, so check with your provider or IT staff that archived copies of ePHI are protected to the same standard as live data.

Online (cloud) backup is not itself required under HIPAA, but the Security Rule’s contingency plan standard does require a data backup plan and a disaster recovery plan (45 CFR 164.308(a)(7)); HITECH further encourages it.
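As an added example (not from the original post or from Accellion), the retention arithmetic above applied to a small constructed inventory of HIPAA documentation: the deadline is six years from the later of the creation date and the date the document was last in effect, and a document that is still in effect cannot become eligible for disposal yet. The document identifiers and dates are made up, and the function names are this example’s own.

```python
from datetime import date
from typing import Dict, List, Optional, Tuple

# Minimum retention period for HIPAA-required documentation
# (45 CFR 164.316(b)(2)(i) and 45 CFR 164.530(j)(2)).
RETENTION_YEARS = 6


def add_years(d: date, years: int) -> date:
    """Add calendar years to a date.

    A Feb 29 start falls back to Feb 28 when the target year is not a leap
    year, so the deadline never lands before the full period has elapsed.
    """
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # Feb 29 in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def earliest_disposal_date(created: date, last_in_effect: date) -> date:
    """Six years from creation or from the date the document was last in
    effect, whichever is later."""
    return add_years(max(created, last_in_effect), RETENTION_YEARS)


def retention_status(
    inventory: List[Tuple[str, date, Optional[date]]], today: date
) -> Dict[str, Tuple[str, Optional[date]]]:
    """Classify each document as 'hold' (must not be altered or deleted) or
    'eligible' (the minimum HIPAA period has elapsed; state law may still
    require a longer hold). Each inventory row is
    (document id, creation date, date last in effect or None if still in effect).
    """
    result: Dict[str, Tuple[str, Optional[date]]] = {}
    for doc_id, created, last_in_effect in inventory:
        if last_in_effect is None:
            # Still in effect: the six-year clock starts only when it is
            # superseded, so it cannot be eligible today.
            result[doc_id] = ("hold", None)
            continue
        deadline = earliest_disposal_date(created, last_in_effect)
        result[doc_id] = ("eligible" if today >= deadline else "hold", deadline)
    return result


# Constructed inventory (hypothetical identifiers and dates).
SAMPLE_INVENTORY: List[Tuple[str, date, Optional[date]]] = [
    ("privacy-policy-v1", date(2015, 3, 1), date(2018, 6, 30)),   # superseded
    ("auth-7731", date(2020, 2, 29), date(2020, 2, 29)),          # one-day authorization
    ("npp-2017", date(2017, 1, 1), date(2017, 12, 31)),           # replaced by a newer NPP
    ("security-policy-v3", date(2022, 1, 15), None),              # still in effect
]

if __name__ == "__main__":
    for doc_id, (status, deadline) in retention_status(SAMPLE_INVENTORY, date(2024, 7, 1)).items():
        print(f"{doc_id:20s} {status:9s} earliest disposal: {deadline}")
```

The "eligible" result only means the HIPAA minimum has passed; the state-law check described above still has to be applied before anything is actually destroyed.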

What are HIPAA Compliant Record Disposal Methods?

Data protection requirements don’t end when CEs and BAs dispose of medical records.

This is because:

  • Discarded storage devices can be recovered, resulting in an impermissible disclosure of PHI.
  • Media that was not wiped or erased properly can still hold PHI that an attacker or a later owner can read.

HHS guidance describes disposal methods that satisfy the Security Rule’s media disposal requirement (45 CFR 164.310(d)(2)(i)) and the Privacy Rule’s safeguards standard:

  1. Paper records must be burned, shredded, pulped, or pulverized so that any PHI is rendered unreadable and cannot be reconstructed.
  2. Prescription bottles and other labeled objects carrying PHI must be properly destroyed, usually through a third-party BA that destroys physical items.
  3. Electronic media must be cleared or purged with sanitization software that overwrites the data (or, for self-encrypting drives, by cryptographic erase), or physically destroyed by shredding or pulverizing. Degaussing renders magnetic media unreadable but does nothing for SSDs and other flash storage. NIST SP 800-88 is the reference HHS points to for these methods.
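As an added illustration, not part of the original post or of Accellion’s product, here is the clear-and-verify step for electronic media in Python, run against a temporary file that stands in for a disk image. It overwrites the medium in place (pattern, random, then zeros), fsyncs each pass, and reads the whole medium back to confirm that none of the known PHI records survive. The sample records are constructed, not real PHI, and the function names are this example’s own.

```python
import os
import secrets
import tempfile
from typing import Dict, List

CHUNK = 1 << 20  # write size per iteration, 1 MiB


def device_size(f) -> int:
    """Size of a regular file or block device opened in binary mode."""
    f.seek(0, os.SEEK_END)
    size = f.tell()
    f.seek(0)
    return size


def overwrite_in_place(path: str, passes=(b"\x00", None, b"\x00")) -> int:
    """Overwrite every byte at `path` once per pass (a fixed byte pattern, or
    None for random data) and fsync after each pass. Opening with r+b keeps the
    existing allocation, so the original blocks are what gets overwritten;
    writing a new file and renaming it would leave the old blocks untouched.

    Caveat (NIST SP 800-88 terms): this is a Clear, not a Purge. It does not
    reach remapped or over-provisioned cells on SSDs/flash, nor old blocks on
    copy-on-write filesystems. For those, use the drive's built-in sanitize
    command or cryptographic erase, or destroy the media.
    """
    with open(path, "r+b") as f:
        size = device_size(f)
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(remaining, CHUNK)
                f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def verify_cleared(path: str, markers: List[bytes]) -> Dict[str, object]:
    """Read the whole medium back and report any known PHI marker that still
    appears, plus how many bytes the final zero pass left non-zero."""
    with open(path, "rb") as f:
        data = f.read()
    leaked = [m for m in markers if m in data]
    return {
        "bytes": len(data),
        "nonzero_bytes": len(data) - data.count(0),
        "leaked_markers": leaked,
    }


# Constructed sample records (hypothetical patients), not real PHI.
SAMPLE_RECORDS = [
    b"MRN 0001234 | DOE, JANE | DOB 1970-01-01 | DX E11.9",
    b"MRN 0005678 | ROE, RICHARD | DOB 1985-05-05 | DX I10",
]


def sanitize_demo() -> Dict[str, Dict[str, object]]:
    """Write the sample records into a temp file standing in for a disk, show
    they are recoverable, wipe the file in place, and re-verify."""
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"\x00" * 4096)  # leading "unused" space
            for rec in SAMPLE_RECORDS:
                f.write(rec + b"\n")
            f.write(b"\xff" * (64 * 1024))  # filler so the image spans many KiB
        before = verify_cleared(path, SAMPLE_RECORDS)
        written = overwrite_in_place(path)
        after = verify_cleared(path, SAMPLE_RECORDS)
        after["bytes_overwritten"] = written
        return {"before": before, "after": after}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    report = sanitize_demo()
    print("before wipe:", report["before"])
    print("after wipe: ", report["after"])
```

On a real drive the same two functions are pointed at the block device (for example /dev/sdX) rather than a temp file, and the verification pass is the evidence you keep for the disposal record; for flash media, treat a clean read-back as necessary but not sufficient, for the reasons in the docstring.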

Top HIPAA-Compliant Cloud Storage Providers

Provider                        Standing BAA?   Compliant Storage Service                                                          Cloud Deployment
Accellion                       Yes             Cloud storage, email servers, secure file transfer, integrated productivity tools  Private, Hybrid
Google                          Yes             Cloud storage, email servers, productivity tools                                   Public, Virtual Private Cloud
Box                             Yes             Cloud storage, secure data transfer                                                Private, Hybrid
Microsoft Cloud for Healthcare  Yes             Cloud storage, email servers, secure data transfer, productivity tools             Public, Private, Hybrid
Amazon                          Yes             Cloud storage                                                                      Public, Private, Hybrid
ShareFile                       Yes             Cloud storage                                                                      Public

Google

Google is a relative newcomer to the healthcare space, and its familiar suite of tools (Drive, Docs, Gmail) can fit into a healthcare context. These tools work well for productivity, and you get a lot of storage space for data retention. However, Google isn’t as established here as other providers, and its products don’t address all the specific needs of healthcare providers.

Box

Box is an established, HIPAA compliant storage provider for healthcare data. An experienced provider of cloud products and shared file services, Box gives you a simple way to protect and store medical records, but doesn’t offer any of the other services that healthcare providers find useful.

Microsoft

Microsoft is a leading provider of healthcare services, including HIPAA compliant storage. It can be quite pricey, though, since CEs and BAs using the platform typically also subscribe to the extended family of Microsoft products such as Azure and Office 365.

Amazon

Amazon AWS is another relative newcomer to the healthcare landscape. While AWS gives users a large catalog of services (IaaS, PaaS, and SaaS offerings), these may be more than many CEs need.

ShareFile

ShareFile excels at storing data in the cloud in compliance with most data privacy regulations. Providers looking for more from their HIPAA data retention solution might find ShareFile a bit limiting, as it doesn’t include many of the additional features like email or analytics that other providers do.

Accellion HIPAA Compliant Data Storage and Retention

The Accellion Kiteworks® content firewall provides hospitals, clinics, Integrated Delivery Networks, and insurance companies with enterprise-grade file sharing capabilities that give them 100% control over their medical records and other PHI. To do that, we focus on three priorities:

  1. Security: All Accellion products, including cloud storage and file transfer, are covered by HIPAA-compliant encryption and security protocols so that data, whether it’s at rest or in transit, is protected. You also get secure content access that lets you share PHI from your data repositories to consulting physicians, insurance companies, patients and other third parties.
  2. Compliance: From technical measures to physical and administrative safeguards, Accellion helps CEs and BAs demonstrate compliance with HIPAA, GDPR, CCPA and other data privacy regulations. We also support CEs and BAs that want to ensure that they are compliant with data storage requirements.
  3. Visibility: Accellion lets security and GRC personnel see, follow, and record who sends what file to whom. Visibility of all file activity lets CEs and BAs control who accesses PHI and demonstrate compliance with HIPAA.

Learn More About Accellion Kiteworks

Working with Accellion gives you more than compliant HIPAA data retention and backup. We are a partner that can help answer all your questions about file security and protection no matter where it is. We can also help you map out your governance plans so that your HIPAA data retention and disposal requirements are sustainable.

Access our HIPAA Compliance Guide to learn how Accellion keeps you HIPAA compliant. Likewise, learn more about Accellion’s HIPAA-compliant Hybrid Cloud Deployment.


*** This is a Security Bloggers Network syndicated blog from Cyber Security on Security Boulevard – Accellion authored by Bob Ertl. Read the original post at: https://www.accellion.com/hipaa-compliance/hipaa-compliant-data-retention/


Bob Ertl

Bob Ertl is Senior Director of Industry Solutions at Accellion. He is responsible for product marketing at Accellion. With over 20 years of product management / product marketing experience, he specializes in delivering software innovations that transform the effectiveness of business teams. Prior to Accellion, he concentrated on business intelligence and data warehousing at Oracle, Hyperion, Brio and several start-ups, as both a consultant and product vendor, across a variety of vertical industries. Bob holds a Bachelor’s degree in Electrical and Computer Engineering from the University of Wisconsin-Madison.
