Managing Hushmail client records during retirement and beyond

Retiring? Prep your Hushmail account for future record requests. Take these simple steps for compliance and peace of mind.

You’ve meticulously organized your practice's closure and you're ready to embark on a new chapter!

But your inbox gets a surprise notification as you’re about to leave for your dream vacation, ready to unwind after years or decades of work in your practice.

A client from years ago needs medical records for a legal case, but your practice is no longer operational.

How do you deal with this?

You've come to the right place!

Managing client information and ensuring compliance is crucial in healthcare, even beyond active practice.

This blog post dives into the importance of managing your Hushmail for Healthcare account when you're anticipating retirement.

We'll look at options that let you keep access to your records while safeguarding client privacy and complying with regulations, even when you're no longer actively practicing.

What happens to your Hushmail for Healthcare account when you close your practice?

Hushmail for Healthcare has a built-in email archive that automatically records all emails sent and received. This supports your practice’s HIPAA compliance and is essential in case of audits or other legal matters.

But here's the caveat:

"Our Privacy Policy specifies that you cannot recover your email after a certain period of closing an account. If a customer is not proactively thinking about it, all the records will be gone."

Stephanie Milne
Sales Manager at Hushmail

What if more than a year has passed, and you get an email from a former client asking for snippets of your email communication from a few years ago for a legal case? Are you legally required to store and share client communication with a client or entity if there's a lawful request?

To answer these questions, let's look at two important terms: medical records and HIPAA-related documents.

Medical records

HIPAA’s Privacy Rule doesn't dictate retention periods for medical records themselves. However, other laws and regulations might require keeping them for specific durations. Each state has its own laws setting these timeframes, which can vary depending on the provider type and client age.

Here are some examples of state laws for different provider types and client ages:

  • California: Hospitals must keep adult patient records for 7 years after the last discharge. For minors, records are kept for 7 years after discharge or 1 year after turning 18, whichever is longer.
  • New York: All medical records: 6 years minimum, but obstetric and pediatric records until the child turns 21.
  • Texas: Physicians: 7 years. Hospitals: 10 years, or until the patient turns 20, if they were a minor when the records were created.
  • Nevada: Adults: 5 years. Minors: Until the patient turns 23.
  • North Carolina: Hospitals: 11 years after discharge or until a minor patient turns 30.

Recommended resource: Summary of medical retention records by state

These are just a few examples, and laws can vary significantly. The American Academy of Pediatrics' guidance on medical record retention is an excellent reminder, even for practices outside of pediatrics:

"Records retention is a challenging issue. There is no "bright line" consistent with federal and state law, which establishes how long medical records must be maintained in every case. Instead, a practice must try to piece together a patchwork of statutes, regulations, case law and State Medical Board position statements."

American Academy of Pediatrics

HIPAA-related documents

HIPAA has retention requirements for documents related to compliance and privacy, such as policies, security assessments, and complaints. These documents need to be kept for six years. You can find this requirement in HIPAA’s Security Rule (which is different from HIPAA’s Privacy Rule):

"A covered entity must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. A covered entity must maintain, until six years after the later of the date of their creation or last effective date, written security policies and procedures and written records of required actions, activities or assessments."

HIPAA’s Security Rule

Steve Youngman, Hushmail's VP of Finance and Legal, recommends keeping these documents for seven years instead of six:

"HIPAA requires a minimum of 6 years for these documents, but you should do 7 to ensure you have a margin of error."

Steve Youngman
VP of Finance and Legal at Hushmail

It's important to remember that the six-year duration is the minimum retention period for mandatory documentation under the Security Rule. Depending on state laws, accreditation organization requirements, or other business justifications, you may be required to keep them longer.

Examples of HIPAA-related documents to be retained for at least 6 years

Each entry below names the HIPAA-related document and what it's for:

  1. Notices of privacy practices: Inform clients about their privacy rights.
  2. Patient authorizations: Grant permission to share a client’s protected health information (PHI).
  3. Risk assessments and analyses: Identify security risks and potential vulnerabilities in your practice.
  4. Disaster recovery and contingency plans: Outline how your practice will respond to emergencies and maintain HIPAA compliance.
  5. Business associate agreements: Contracts with third-party vendors who have access to PHI, outlining their responsibilities in protecting PHI.
  6. Information security and privacy policies: Describe how your practice handles PHI.
  7. Employee sanction policies: Outline consequences for employees who violate HIPAA rules.
  8. Incident and breach notification documentation: Records of security incidents or data breaches involving PHI.
  9. Complaint and resolution documentation: Records of client complaints and your responses to those complaints.
  10. Physical security maintenance records: Documents showing how physical security measures are maintained.
  11. Access logs: Records of who accessed PHI and when it was accessed.
  12. IT security system reviews: Confirm that IT systems meet HIPAA security standards.

The list above may change over time, so always check with your legal counsel to ensure you understand the specific retention requirements for all types of client communication and records you maintain in your practice.

Recommended reading: HIPAA Privacy Rule vs. HIPAA Security Rule

How to prepare your practice for requests asking for client communication or HIPAA-related files after retirement

As we mentioned earlier in this article, you may need to retain client communication and HIPAA-related files for at least six years (HIPAA Security Rule) or potentially longer (based on state laws).

You have two options for meeting the records retention requirements set by HIPAA, state laws, health plans, health and safety codes, and other government bodies.

Option 1: Migrate your email data to another storage solution

You can move your emails to another provider, but this can be difficult due to the following:

  • Technical complexity: If you’re not very tech-savvy, you may struggle with the technical aspects of transferring data.
  • HIPAA compliance: You must ensure your new storage meets HIPAA regulations.
  • Cost: Records storage might incur additional fees.

"To save your (Hushmail) records, you must add your Hushmail account to a third-party email app, make an offline version, download the records, and store them in a HIPAA-compliant way. You still end up spending money and going through a lot of hassle. Plus, most of the time, people who leave Hushmail for other services don't get help from the new service to migrate their email."

Stephanie Milne
Sales Manager at Hushmail

Option 2: Maintain a dormant Hushmail account

Maintaining a dormant Hushmail account is a simpler and potentially cost-effective option.

No one is actively using it when it's in a dormant state, but it remains accessible in case of an audit or when a client, another company, or a court has the legal right to request access to those records.

Here are some of its benefits:

  • Secure storage: Hushmail accounts are stored securely by design.
  • HIPAA compliance: Hushmail pre-configures accounts for HIPAA compliance.
  • Cost-effective: Dormant accounts may be cheaper than active ones (depending on the storage required).

👉 Important note: You must proactively plan to downgrade your Hushmail account to a dormant state to avoid deletion.

Put a solid plan in place today

Before officially closing shop and embracing retirement, remember that legal requests or audits can arise years later, requiring access to client communication and related information.

While migrating your records to another platform is an option, it can be technically complex, expensive, and potentially non-compliant. Thankfully, Hushmail offers a simpler, more secure, and potentially more cost-effective solution: a dormant Hushmail account.

💡 Think of it like a safety deposit box for your records. It remains secure, HIPAA-compliant, and readily accessible when needed, all at a potentially lower cost than an active account.

Don't wait until it's too late. Submit the following form to discuss a dormant Hushmail account with our Sales team. They will contact you with more information:
