Know When to Hold ’em: The Legal Considerations for Healthcare Information Technology Data Retention and Purging

The following is a guest blog post by Justin Campbell, Vice President, Strategy, at Galen Healthcare Solutions.

Purging Guidelines & Criteria

HIPAA privacy rules do not address medical record retention requirements, and the guidelines from several states and the federal government are ambiguous at best. Healthcare organizations considering a purge of their archived data soon realize that errors made in determining what should be retained and what can be purged may leave them with considerable legal risk. The variation in retention mandates has driven many organizations to individualize their purging policies, with some preferring to keep every patient record in perpetuity, and others following a purging strategy based on defined criteria. Those purging guidelines typically include date of last service, date of discharge, date of birth, and document or data type. But not always. Some may include RAC audit, clinical research or legal hold. In short, it’s not very clear.

Guidance from AHIMA on Retention and Destruction of Health Information

A provider or organization that destroys patient health information must do so in accordance with federal and state law, pursuant to a proper written retention schedule and destruction policy approved by appropriate organizational parties.

As with record retention, there is no single standard destruction requirement. Some states require organizations to create an abstract of the destroyed patient information, notify patients when destroying patient information, or specify the method of destruction used to render the information unreadable. Organizations should reassess the method of destruction annually based on current technology, accepted practices, and availability of timely and cost-effective destruction services.

The Urge to Purge

Patient records can certainly be maintained in perpetuity, but this storage strategy can be costly. A more thoughtful approach to data archiving is to calculate the rate at which patient records may be purged from an archive in order to establish a cost baseline and potential return-on-investment. Some organizations take a conservative approach and maintain PHI indefinitely. Others interpret exactly how long they are required to retain PHI and, at the end of that defined period, purge the data. Certainly, risk management departments will want the data purged as soon as legally possible, as the legacy data is perceived as a liability and risk for the organization.

Most healthcare data archiving solutions offer functionality to ensure that retired data is secured and retained for the period specified by relevant regulation and organizational policy. A policy engine enforces retention policies assigned to the archived data and can automatically purge the data when the retention period expires so that it’s not retained beyond a period of time that would pose a legal risk. Legal hold resources are also available to ensure that data relevant to a legal case is retained even if the retention period has expired.

The Term “Patient Record” Implies an Atomic Quality to Patient Data

Some organizations treat EMR systems as completely isolated repositories of information, and they start the retention clock ticking when activity in the EMR ceases. For example, when an organization migrates from one EMR to another, the activity in the legacy EMR winds down fairly rapidly. It’s common for that system to be put in a read-only mode within weeks or months, and eventually that system’s data may be moved into an archival solution.

To realize cost benefits and avoid retaining a patient’s record beyond a period of time that would pose legal peril, organizations often purge data within a record based on the age of the data itself. For example, a patient’s record may have visit notes or other data points recorded decades ago. An organization may view this data as outside the retention window despite the fact that the patient may have activity that’s much more recent. But, while individual pieces of documentation may be far older than retention requirements indicate, it’s not the age of the documentation that starts the clock. It’s the most recent activity for the patient that matters.

This is further complicated by the fact that data within a typical EMR has complex relationships. A visit entry may refer to a historical problem assessment, which may itself be referenced by discharge summaries. It is often not possible to delete an individual piece of documentation because of downstream dependencies in the system, causing unintended issues and potentially cascading deletions. While this scenario may have been common in the world of paper documents, an EMR is usually not structured to allow for selective purging of pieces of clinical documentation, with most only offering the ability to mark the information as “Entered in Error.”

Varying Interpretations of Retention Duration Can Put Organizations at Legal Peril

An organization may mistakenly “start the clock” for data within that system by looking at activity only within the legacy system itself. Since that system is read-only or archived, there will of course be no new encounters or data entries. This does not mean, however, that the patient hasn’t been seen in the go-forward EMR. Instead, organizations must use a global EMPI to track activity throughout all systems to accurately know when a patient’s records can be purged without risk.
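The purge check described above, keyed on the EMPI identifier and honoring legal holds, as an added example that is not taken from any archiving product. It also runs the legacy-only calculation to show how the mistaken clock marks an active patient as purgeable. The 10-year period, the system names, the patient IDs and the sample data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

RETENTION_YEARS = 10  # assumption; take the real value from the retention schedule

@dataclass(frozen=True)
class Activity:
    empi_id: str        # enterprise-wide patient identifier from the EMPI
    system: str         # source system that recorded the activity
    service_date: date

def add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # Feb 29 landing in a non-leap year
        return d.replace(year=d.year + years, day=28)

def purge_decisions(archived_ids, activities, legal_holds, today, only_system=None):
    """Decide per patient; only_system reproduces the single-system mistake."""
    latest = {}
    for a in activities:
        if only_system and a.system != only_system:
            continue
        if a.empi_id not in latest or a.service_date > latest[a.empi_id]:
            latest[a.empi_id] = a.service_date
    decisions = {}
    for pid in archived_ids:
        if pid in legal_holds:        # a hold overrides an expired period
            decisions[pid] = "retain: legal hold"
        elif pid not in latest:       # fail closed when activity data is missing
            decisions[pid] = "retain: no activity found, manual review"
        elif add_years(latest[pid], RETENTION_YEARS) > today:
            decisions[pid] = "retain: within retention period"
        else:
            decisions[pid] = "purge-eligible"
    return decisions

# Constructed sample data (not real patients or systems).
ACTIVITIES = [
    Activity("P1", "legacy_emr", date(2005, 3, 1)),
    Activity("P1", "go_forward_emr", date(2021, 6, 10)),  # seen after migration
    Activity("P2", "legacy_emr", date(2008, 5, 5)),
    Activity("P3", "legacy_emr", date(2007, 1, 1)),
]
ARCHIVED, HOLDS, TODAY = ["P1", "P2", "P3", "P4"], {"P3"}, date(2024, 1, 1)

if __name__ == "__main__":
    print("global EMPI :", purge_decisions(ARCHIVED, ACTIVITIES, HOLDS, TODAY))
    print("legacy only :", purge_decisions(ARCHIVED, ACTIVITIES, HOLDS, TODAY, "legacy_emr"))
```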

To lose or destroy data after litigation is reasonably anticipated and/or commenced can lead to dire consequences. Courts can, and do, punish parties, including healthcare providers, that engage in intentional or negligent spoliation of evidence, the legal term for the loss, alteration, withholding, or destruction of documents or other relevant information. Sanctions for spoliation may include payment of the other party’s attorneys’ fees and costs, dismissal of defenses or claims, and/or jury instructions that damage a defense.

Download the full whitepaper, Legal Considerations for Healthcare Data Archiving, which covers the many legal considerations to evaluate when navigating the complex data structure and data sets, legal and compliance requirements, and continuity of care requirements that characterize effective healthcare legacy application retirement.

About Justin Campbell
Justin is Vice President, Strategy, at Galen Healthcare Solutions. He is responsible for market intelligence, segmentation, business and market development and competitive strategy. Justin has been consulting in Health IT for over 12 years, guiding clients in the implementation, integration and optimization of clinical systems. He has been on the front lines of system replacement and data migration, and is passionate about advancing interoperability in healthcare and harnessing analytical insights to realize improvements in patient care. Justin can be found on Twitter at @TJustinCampbell and LinkedIn.

About Galen Healthcare Solutions
Galen Healthcare Solutions is an award-winning, KLAS-ranked healthcare IT technical and professional services and solutions company providing high-skilled, cross-platform expertise and is a proud sponsor of the Healthcare Data Archiving Series. For over a decade, Galen has partnered with specialty practices, hospitals, health information exchanges, health systems and integrated delivery networks to provide data conversion and archival solutions. Galen has completed over 500 successful data conversion & archiving projects and has experience with over 100 unique systems. Their archiving solution, VitalCenter Online, was recognized by KLAS in their inaugural report, Legacy Data Archiving 2019 A First Look at a Changing Market, for the accuracy and accessibility of its data and for its industry-leading commitment to customer experience. The report showed that “Galen has the highest percentage of customers who report high satisfaction” with a tool that is “exceptionally easy to use” for keeping patient data in context. Connect with us on Twitter, Facebook and LinkedIn.