Blog

Data Retention Basics: Understanding your Requirements and Best Practices for Policy Development
November 11, 2021

With all the recent high-profile data breaches and the risks associated with retaining significant amounts of Protected Health Information (PHI), it can be tempting for organizations to gravitate towards dramatically reducing the amount of data they retain. However, before doing a significant purge of data, there are several regulatory and risk management considerations to take into account. These include HIPAA and state retention requirements (HIPAA itself mandates a six-year retention period only for its required compliance documentation; retention periods for the medical records themselves are set by state law and vary), record maintenance requirements of the Centers for Medicare and Medicaid Services (CMS), and preserving access to records for potential litigation or legal holds, just to name a few.


With so many factors to monitor, effective data management can seem like an impossible task. Below are a few recommendations to assess your current data retention procedures and to help implement best practices going forward:

  • Identify the Data You’re Currently Collecting and Storing: Before implementing any new data retention policy, first build an inventory of all known data repositories (including backups, exports and legacy systems) and classify the type of data each one holds, in particular whether it does or could contain PHI. Data that has not been inventoried cannot be governed by the policy.
  • Understand your Risks, Obligations and Business Needs: Make sure you have a comprehensive understanding of regulatory requirements, client (contractual) obligations and legal requirements such as litigation holds, and ensure your Legal department and Privacy Officer are consulted as part of the development of your Data Retention Policy. Where several requirements apply to the same record, the longest period governs. In addition to legal obligations, engage the Business Process Owners within your organization to understand the operational need for historical data.
  • Don’t Start from Scratch: There are many good examples of Data Retention Policies and Guidelines shared publicly, such as this one from Wikipedia, that can provide a starting point as you develop your organization’s policy. Don’t be afraid to reach out to your system partners (including the vendors of any legacy systems containing PHI) for guidance on how to leverage their tools as part of your data management strategy. At Picis we offer data management services and flexible read-only options for case records to help our clients manage and meet their retention requirements.
  • Create Simple and Easy-to-Follow Guidance: Particularly in larger organizations, there will be many disparate systems and process owners with data maintenance and deletion responsibilities under your Data Retention Policy. Straightforward guidance, such as document retention checklists that state for each record type what is kept, for how long, where, and who is responsible for its deletion, helps streamline the process and ensures consistent application of the policy.

The bottom line is that establishing data management and retention policies for your organization doesn’t have to be complicated. Implementing them lets your organization balance business needs and statutory retention requirements against privacy considerations and the ever-increasing security risk of a data breach: data you are no longer required to keep is data that cannot be breached.
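To make the four steps above concrete, here is a small inventory-and-retention evaluator. It is an added example written for this post, not Picis software or a legal determination: the repositories, dates and retention periods are constructed for illustration, and the schedule is an assumption (only the six-year figure for HIPAA compliance documentation is an actual HIPAA requirement; state, CMS and contract periods must come from your Legal department and Privacy Officer). It shows the logic a checklist or tool should encode: an unclassified repository gets no action until it is classified, a legal hold overrides every purge, and the longest applicable period, whether regulatory or contractual, wins.

```python
"""Minimal data-inventory and retention evaluator (added example, not Picis code).

Every repository, date and retention period below is constructed for
illustration. Real retention periods must be supplied by Legal and the
Privacy Officer; the schedule here is an assumption, not legal advice.
"""
from dataclasses import dataclass
from datetime import date

# Illustrative retention schedule (assumption): data class -> years to keep,
# counted from the record's last activity date. HIPAA itself requires six
# years only for its compliance documentation (45 CFR 164.316); medical record
# periods come from state law and vary, so the other figures are placeholders.
RETENTION_YEARS = {
    "phi_clinical": 10,         # assumption: a state medical record period
    "phi_billing": 7,           # assumption: a payer/CMS record period
    "hipaa_documentation": 6,   # HIPAA documentation retention
    "general_business": 3,      # assumption: internal business records
}


@dataclass(frozen=True)
class Repository:
    name: str
    system: str
    last_activity: date
    data_classes: frozenset = frozenset()   # empty = not yet classified
    legal_hold: bool = False                # set by Legal; blocks any purge
    contractual_years: int = 0              # client contract may require longer


def add_years(d: date, years: int) -> date:
    """Advance a date by whole years, clamping Feb 29 to Feb 28 when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def contains_phi(repo: Repository) -> bool:
    """Inventory question from step one: does this repository hold PHI?"""
    return any(c.startswith("phi_") for c in repo.data_classes)


def retention_until(repo: Repository, schedule=RETENTION_YEARS) -> date:
    """Date before which the repository must be kept: the longest of the
    per-class periods and any contractual period. A class with no period
    in the schedule is an error, never a silent zero."""
    unknown = repo.data_classes - set(schedule)
    if unknown:
        raise KeyError(f"no retention period defined for {sorted(unknown)}")
    years = max([schedule[c] for c in repo.data_classes] + [repo.contractual_years])
    return add_years(repo.last_activity, years)


def evaluate(repo: Repository, today: date) -> str:
    """Action for one repository. Order matters: classify before anything
    else, and a legal hold overrides the schedule entirely."""
    if not repo.data_classes:
        return "classify_first"
    if repo.legal_hold:
        return "legal_hold"
    if today < retention_until(repo):
        return "retain"
    return "purge_eligible"


def inventory_report(repos, today: date) -> dict:
    """Map repository name -> action, the output a retention checklist needs."""
    return {r.name: evaluate(r, today) for r in repos}


# Constructed sample inventory (names and dates are invented for the example).
SAMPLE_REPOSITORIES = [
    Repository("legacy_or_archive", "legacy OR system", date(2010, 3, 15),
               frozenset({"phi_clinical"})),
    Repository("claims_warehouse", "billing DB", date(2016, 6, 30),
               frozenset({"phi_billing"})),
    Repository("incident_tickets", "ticketing", date(2012, 1, 10),
               frozenset({"hipaa_documentation"}), legal_hold=True),
    Repository("shared_drive_exports", "file share", date(2019, 5, 1)),
    Repository("marketing_lists", "CRM", date(2017, 9, 1),
               frozenset({"general_business"}), contractual_years=5),
]

if __name__ == "__main__":
    for name, action in inventory_report(SAMPLE_REPOSITORIES, date(2021, 11, 11)).items():
        print(f"{name:24} {action}")
```

Run as a script it prints one action per repository as of the post's date. Two design points carry over to a real policy tool: the unclassified file share is reported as `classify_first` rather than being scored against a default period, and `retention_until` raises on an unknown data class instead of treating it as zero years, because a silent zero is exactly how a purge job deletes records that were still required.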

    - Heather Kreker, Vice President of Customer Support