Core Principles for Application Decommissioning and Data Archiving

While we’ve been writing about EMR data archiving since back in 2009 and then again in 2013 and 2014 to name a few, the topic has never been more important than it is today. With many healthcare organizations literally supporting hundreds and even thousands of health IT software applications, how you handle legacy systems, including data archiving, is becoming more and more important.

While many things have changed over the last decade, I still see the same two core questions when it comes to application decommissioning and data archiving:

1. Do you want to retain the data as long as possible to improve care or for research purposes?

2. Do you want to purge EMR data as soon as legally possible to avoid liability for old records?

These two will always be at odds, and it’s something every healthcare organization will have to answer for itself. This is particularly true since the answer to these questions has as much to do with the culture of the organization as it does with the correct answer. A research or rural organization prefers retention and accessibility while a more urban organization generally leans towards more risk management and liability avoidance.

While the culture of your organization will influence how you approach legacy health IT systems and application decommissioning, every organization is facing this challenge head on. It’s more a question of whether you’re going to decommission or archive data more often. Plus, even if you want to eventually decommission a product, you’ll often find that archiving the data for legal retention purposes is cheaper than paying exorbitant fees for software you’re no longer using and taking on the liability risks of limping along with software that’s no longer getting updates.

Considering a few core principles will help you in these efforts.

Effective Legacy System Retirement and Data Archiving is Key to Cybersecurity – One of the common causes of breaches in a health system is legacy systems. This is no surprise since many legacy systems are forgotten and therefore don’t receive the latest updates, patches, anti-virus, etc. to ensure that they’re still secure. Not to mention legacy systems don’t have active users who can identify abnormal behavior. As was pointed out by Justin Campbell, VP of Strategy at Galen Healthcare Solutions, these legacy system HIPAA violations pose a serious risk to an organization’s reputation and can involve millions of dollars of fines from OCR.

Beyond just the legacy system security risk, many data archiving platforms pose another security risk when not managed as a true production machine. We’ve all seen times where the data is archived to an old server or even a desktop computer as a bunch of PDFs. Is there a worse security risk? Archiving your data to an effective, secure data archive location that’s treated as a production machine is key to your cybersecurity efforts.

Effectively Evaluate Your Accessibility Needs – Most people do a good job evaluating how accessible their retired IT system’s data needs to be from a clinical perspective. If clinical continuity is needed, then the data is often loaded directly into the EHR or is made easily accessible to the clinician through some sort of simple web interface. If clinical continuity is not needed, then other options like cold storage or even static exports of all the data are used for legacy data storage.

While accessibility may not matter from a clinical perspective, you must also evaluate archived data accessibility from the perspective of the entire organization. A simple example is when an ROI request comes to HIM from a patient. Is the data accessible to HIM to be able to appropriately fulfill that ROI request? Does it need to be? How about a legal request as part of e-Discovery in a legal case? Could this data be requested, and how easily can it be retrieved in an appropriate manner that meets the legal requirements, including allotted time frames? Depending on your answers to these questions, cold storage or other static exports may be fine or not. Make sure your archive approach matches your accessibility needs.

Don’t Forget the Metadata – Far too often I’ve seen healthcare organizations archive data from a legacy system without the metadata. Doing so puts you at legal risk when you’re required to satisfy an e-Discovery request. As Justin Campbell, VP of Strategy at Galen Healthcare Solutions, shared so well:

Successful healthcare data archiving with minimal risk requires preservation of the legal medical record (as defined by the organization), data sets such as contextual audit trails, referenced data in ancillary systems, data change and version history, and even database metadata. A navigable audit trail is essential if we want to relate the precise sequence of events; this trail provides evidence that justifies and/or explains what actions have occurred.

The most common and vital metadata item forgotten in data archiving is the audit logs. Avoid this pitfall by ensuring your data archiving efforts include the appropriate metadata.

Data Purging Laws Are Complex – Health data is complex and thus efforts to purge health data are complex as well. Plus, knowing when and how to apply the law for data in say an EMR gets complicated really quickly. For example, check out this chart which shows how EMR data could be used in multiple ways across multiple years:

Source: Know When to Hold ’em: The Legal Considerations for Healthcare Information Technology Data Retention and Purging

Based on the chart above, when does the data “expire” so that it can be legally purged, given that pieces of a chart are forwarded and used in other events like a future visit? Needless to say, there are a lot of ways to interpret various retention laws and how long you should retain certain data. Consult an attorney who has a deep understanding of these complexities to make sure you’re archiving and decommissioning health systems legally according to federal and state laws.

Those are a few of the core principles associated with application decommissioning and data archiving. Done right, it can save your organization a lot of time and money that would have otherwise been spent managing legacy applications. Done wrong, you can face a lot of legal scrutiny and cybersecurity issues. No one wants either of those, so take the time to make sure you have a well thought out process and don’t be afraid to ask someone for help who’s been down this road before.

If you want to learn more about these topics, take a minute to download two free whitepapers from a longtime Healthcare Scene supporter, Galen Healthcare. The first is called Legal Considerations for Healthcare Data Archiving and covers a lot of the legal challenges associated with legacy systems and health data archiving. The second is called Application Decommissioning: Best Practices for Data Migration and Archiving, which shares the survey results and best practices from 70 healthcare CIOs who are dealing with healthcare application decommissioning.

About the author

John Lynn

John Lynn is the Founder of, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference,, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.