If you are a startup servicing the healthcare vertical and your customers (HIPAA Covered-Entities like hospitals and health plans) designate you as a Business Associate, this article is for you. Perhaps you process and store a little or a lot of Protected Health Information (PHI) on their behalf. You have signed a Business Associate Agreement (BAA), read the HIPAA Security Rule (tried and then quit reading the Privacy Rule) and maybe your product managers and engineers have also gone through it and implemented it to the best of your ability. Maybe you even hired an external HIPAA auditor to assess your organization. Well surprise! It's not over yet. BTW – check out our HIPAA primer for Healthcare startups.
Fair warning –I'm not going to promise that this is going to be an exciting article, but I can make a bold claim that this is the least boring this subject gets :).
State Medical Record Laws: Minimum Medical Record Retention
HIPAA / HITECH requires compliance related information to be retained for at least 6 years from the date of its creation or the date when it was last in effect, whichever is later. This is covered in CFR §164.316(b)(1) and (2), which states Covered Entities must maintain the policies and procedures implemented to comply [with HIPAA] and records of any action, activity or assessment.
This rule is sometimes confused with the retention of medical records data. So here goes, HIPAA does not stipulate a medical records retention period. However, each state may have its own laws governing the retention of medical records. HIPAA pre-empts state laws in many places, but not when it comes to a medical record retention period. In some cases (state by state) the laws are different for individual doctors vs hospitals. For example, hospitals in New York state are required to keep medical records for 6 years from the date of discharge. Minor patient records are required to be kept 6 years from the date of discharge or 3 years after the patient reaches 18 years of age (whichever is longer). Records for deceased patients must be kept for 6 years after death. Now, as a healthcare startup, you may not actually be the primary or authoritative system of record for most medical records (unless your product is a SaaS-based EMR or something similar). However, it is very possible that your product is generating and storing new PHI as part of your interaction with a patient, their physician, or their health plan. If that is the case, and you are the only entity maintaining this data, you may be obligated to comply with the state medical records retention rule. This is something that should be clarified with your Covered Entity customers so everyone's on the same page with respect to who's on the hook for retaining medical record data.
Centers for Medicare & Medicaid Services (CMS)
Staying on the topic of medical records retention, CMS requires records of providers submitting cost reports to be retained in their original or legally reproduced form for a period of at least 5 years (42 CFR) 482.24[b] ). CMS also requires Medicare managed care program providers to retain patient medical records for 10 years (see 42 CFR 422.504 (d)(2)(iii)). I bet this is getting a little confusing. "What does this all mean and does it even apply to me?", you ask.
You as a healthcare startup may not be a Medicare managed care program participant, but remember how HIPAA / HITECH obligations are daisy-chained by designating vendors (that's you) as Business Associates and assigning them similar PHI privacy and security obligations? Yup, the same may apply to you if you are classified as an FDR (First Tier, Downstream and Related) entity by your Covered-Entity customer (e.g. a private practice, hospital. or health plan). As to why you are classified as an FDR is out of scope for this particular article, but in simple terms, this means that the services you are providing are deemed to be significant enough to warrant some federal oversight.
Medical records retention requirements is only one part of CMS FDR compliance. Other requirements include an organization-wide compliance program involving Fraud, Waste, and Abuse training (CMS is keen on reducing fraudulent billing), OIG/GSA Exclusion monitoring (these exclusion lists contain folks who can no longer do business with the federal government), responding to CMS-generated fraud alerts, and more.
State Breach Notification Laws
No one likes to think about the scary "B" word. However, it helps to have an incident response policy and plan which covers breach detection, investigation, and response (including notification). All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information. You may remember that HIPAA has its own Breach Notification Rule. The good news is that, if most or all of the personal data you process / store is covered under the HIPAA Breach Notification Rule, it is likely exempt from most rules under state laws (with exceptions). Although, the nuances of these laws may vary from state to state, it is likely that that personal data which is not considered PHI under HIPAA is actually covered under state law. So, healthcare startups in the personal fitness apps and wearables spaces, who are not required to be HIPAA compliant, are likely affected by state level laws.
As an example, the NY state breach notification law (Section 899-AA) largely exempts breaches already covered under the federal HIPAA statutes, but still requires notices to the state attorney general, the department of state and the division of state police.
California Consumer Privacy Act (CCPA)
Some states have decided to take privacy seriously (up to eleven) and have enacted privacy regulation which goes beyond the requirement of a data breach notification. The state of California has enacted state level privacy regulations called CCPA. CCPA is modeled after the European privacy regulation, GDPR, which has far reaching consequences for companies handling data belonging to European constituents. CCPA, similarly, applies to data belonging to California residents. It has been in a bit of a state of flux –mildly put– ever since it was hastily passed in 2018 with numerous amendments and clarifications added since then. This process is ongoing and the regulation is likely to change again this November 3rd, 2020. However, in its current state the law defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” As you can see, this definition is fairly broad.
The good news first – data regulated under HIPAA (i.e. PHI) is exempt of further regulation under CCPA with the caveat that it is maintained properly as per HIPAA.
The bad news – a conservative reading suggests that this exemption does not cover a host of other data generated as a by-product of running an early or growth stage startup. For example, marketing data, analytics data from mobile apps, and customer service or call center data (the part that is not also PHI). This can also include website "cookies," IP addresses collected from an organization's website, mobile device IDs, recorded phone calls, and email addresses. The definition of of "personal information" under CCPA is so broad that it is likely that if you maintain data on California residents (and also match the other CCPA criteria) you will have to comply with CCPA for a subset of your practices pertaining to your non-PHI data.
Compliance with CCPA is all about individual consumer rights. This means that businesses will have to implement practices which allow the California consumers to exercise their CCPA rights (among other things), namely:
Receive notification about information collected and the purpose of use
Obtain disclosures about their personal information
Require deletion of personal information
Opt out of the sale of personal information
Opt-n for children’s personal information
If you have read through this article and are experiencing compliance related existential dread, Overseer Security can help. Drop us a message at firstname.lastname@example.org.
State Medical Record Laws: Minimum Medical Record Retention (Health IT Gov): https://www.healthit.gov/sites/default/files/appa7-1.pdf
CMS ARA 42 CFR 422.504 (d)(2)(iii): https://www.gpo.gov/fdsys/pkg/CFR-2006-title42-vol3/pdf/CFR-2006-title42-vol3-sec422-504.pdf
PAMEDSOC Medical Record Retention: What You Need to Know: https://www.pamedsoc.org/detail/article/Medical-Record-Retention
HIPAA Compliance Documentation Retention: https://www.law.cornell.edu/cfr/text/45/164.316
The Doctors: Medical Record Retention: https://www.thedoctors.com/articles/medical-record-retention/
CMS Learning Resources: https://www.cms.gov/Medicare/Medicare-Contracting/ContractorLearningResources/Downloads/JA1022.pdf
NY State Law: Notification; person without valid authorization has acquired private information: https://www.nysenate.gov/legislation/laws/GBS/899-AA
The contents of this document are intended to convey general information and not to provide legal services or opinions. The information on this document may not reflect the most current statutes, regulations or legal developments. An attorney should be contacted for advice on specific legal issues.