
Managing Hushmail client records during retirement and beyond

Retiring? Prep your Hushmail account for future record requests. Take these simple steps for compliance and peace of mind.

You've meticulously organized your practice's closure, and you're ready to embark on a new chapter!

But your inbox gets a surprise notification as you're about to leave for your dream vacation, ready to unwind after years or decades of work in your practice.

A client from years ago needs medical records for a legal case, but your practice is no longer operational.

How do you deal with this?

You've come to the right place!

Managing client information and ensuring compliance is crucial in healthcare, even beyond active practice.

This blog post dives into the importance of managing your Hushmail for Healthcare account when you're anticipating retirement.

We'll review options to ensure you can continue accessing your records while safeguarding client privacy and complying with regulations, even when you're no longer actively practicing.

What happens to your Hushmail for Healthcare account when you close your practice?

Hushmail for Healthcare has a built-in email archive that automatically records all emails sent and received. This supports your practice's HIPAA compliance and is essential in case of audits or other legal matters.

But here's the caveat:

"Our Privacy Policy specifies that you cannot recover your email after a certain period following the closing of an account. If a customer is not proactively thinking about it, all the records will be gone."

Stephanie Milne
Sales Manager at Hushmail

What if more than a year has passed, and a former client emails you asking for excerpts of your email correspondence from a few years ago for a legal case? Are you legally required to store client communication and to share it with a client or another party when there is a lawful request?

To answer these questions, let's look at two important terms: medical records and HIPAA-related documents.

Medical records

HIPAA's Privacy Rule doesn't dictate retention periods for medical records themselves. However, other laws and regulations may require retaining them for specific periods. Each state has its own laws that set these timeframes, which can vary by provider type and client age.

Here are some examples of state laws for different provider types and client ages:

  • California: Hospitals must keep adult patient records for 7 years after the last discharge. For minors, records are kept for 7 years after discharge or 1 year after turning 18, whichever is longer.
  • New York: All medical records: 6 years minimum, but obstetric and pediatric records until the child turns 21.
  • Texas: Physicians: 7 years. Hospitals: 10 years, or until the patient turns 20, if they were a minor when the records were created.
  • Nevada: Adults: 5 years. Minors: Until the patient turns 23.
  • North Carolina: Hospitals: 11 years after discharge or until a minor patient turns 30.

Recommended resource: Summary of medical record retention requirements by state

These are just a few examples, and laws vary significantly. The American Academy of Pediatrics' observation on medical record retention is a useful reminder, even for practices outside pediatrics:

"Records retention is a challenging issue. There is no "bright line" consistent with federal and state law, which establishes how long medical records must be maintained in every case. Instead, a practice must try to piece together a patchwork of statutes, regulations, case law and State Medical Board position statements."

American Academy of Pediatrics

HIPAA-related documents

HIPAA also sets retention requirements for the documentation that demonstrates compliance, such as policies, security assessments, and complaints. These documents must be retained for at least six years. The requirement is in HIPAA's Security Rule (45 CFR 164.316(b)(2)(i)), which is distinct from the Privacy Rule; the Privacy Rule carries a parallel six-year requirement for its own documentation (45 CFR 164.530(j)), which is why privacy notices and complaints appear in the list further down:

"A covered entity must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. A covered entity must maintain, until six years after the later of the date of their creation or last effective date, written security policies and procedures and written records of required actions, activities or assessments."

HIPAA's Security Rule

Steve Youngman, Hushmail's VP of Finance and Legal, recommends keeping these documents for seven years instead of six:

"HIPAA requires a minimum of 6 years for these documents, but you should do 7 to ensure you have a margin of error."

Steve Youngman,
VP of Finance and Legal at Hushmail

It's important to remember that the six-year retention period is the minimum required for mandatory documentation under the Security Rule. Depending on state laws, accreditation organization requirements, or other business justifications, you may be required to keep them longer.
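To make the two kinds of retention rule concrete, here is a small retention-deadline calculator, added to this post as an example (it is not a Hushmail tool). It encodes the "later of the creation date and the last effective date" rule for HIPAA documentation, and the "fixed number of years after discharge, or until a minor reaches a given age, whichever is longer" shape of the state rules quoted above. The state values are constructed from the examples on this page purely for illustration, the age of majority is assumed to be 18, and none of this is legal advice.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

AGE_OF_MAJORITY = 18  # assumption: "minor" means under 18 at the time of the record


def add_years(d: date, years: int) -> date:
    """Shift a date forward by whole years; a Feb 29 anchor lands on Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)
class MedicalRecordRule:
    """State-style rule: keep for `years` after the last discharge or visit, and for a
    patient who was a minor, at least until they turn `minor_until_age`
    (whichever is later)."""
    years: int
    minor_until_age: Optional[int] = None


# Constructed from the state examples quoted on this page, for illustration only.
# Laws change and vary by provider type; confirm with counsel before relying on any of these.
EXAMPLE_RULES = {
    "CA hospital": MedicalRecordRule(years=7, minor_until_age=19),   # 1 year after turning 18
    "NY": MedicalRecordRule(years=6, minor_until_age=21),
    "TX hospital": MedicalRecordRule(years=10, minor_until_age=20),
    "NV": MedicalRecordRule(years=5, minor_until_age=23),
    "NC hospital": MedicalRecordRule(years=11, minor_until_age=30),
}


def medical_record_retain_until(rule: MedicalRecordRule, last_discharge: date,
                                dob: Optional[date] = None) -> date:
    """Earliest date on which a medical record may still be needed under `rule`.

    The patient counts as a minor if they were under AGE_OF_MAJORITY at the last
    discharge; in that case the later of the two deadlines wins."""
    deadline = add_years(last_discharge, rule.years)
    was_minor = dob is not None and add_years(dob, AGE_OF_MAJORITY) > last_discharge
    if was_minor and rule.minor_until_age is not None:
        deadline = max(deadline, add_years(dob, rule.minor_until_age))
    return deadline


def hipaa_documentation_retain_until(created: date, last_effective: Optional[date] = None,
                                     years: int = 6) -> date:
    """Retention deadline for Security/Privacy Rule documentation (45 CFR 164.316(b)(2)(i)
    and 164.530(j)(2)): `years` after the later of the creation date and the date the
    document was last in effect. Pass years=7 for the margin recommended above."""
    anchor = max(created, last_effective) if last_effective else created
    return add_years(anchor, years)


def may_dispose(retain_until: date, today: date) -> bool:
    """True once the retention deadline has passed (the deadline day itself is kept)."""
    return today > retain_until


if __name__ == "__main__":
    # Constructed sample inputs.
    ca = EXAMPLE_RULES["CA hospital"]
    print(medical_record_retain_until(ca, date(2020, 3, 15), date(1980, 1, 1)))   # adult
    print(medical_record_retain_until(ca, date(2020, 3, 15), date(2010, 6, 1)))   # minor
    policy_deadline = hipaa_documentation_retain_until(date(2018, 1, 1), date(2021, 6, 30))
    print(policy_deadline, may_dispose(policy_deadline, date(2027, 7, 1)))
```

Run it against the dates in your own records to see how far past retirement a given file must survive; the "minor" branch is what usually pushes a deadline a decade or more beyond the adult one.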

Examples of HIPAA-related documents to be retained for at least 6 years

  1. Notices of privacy practices: inform clients about their privacy rights.
  2. Patient authorizations: grant permission to share a client's protected health information (PHI).
  3. Risk assessments and analyses: identify security risks and potential vulnerabilities in your practice.
  4. Disaster recovery and contingency plans: outline how your practice will respond to emergencies and maintain HIPAA compliance.
  5. Business associate agreements: contracts with third-party vendors who have access to PHI, setting out their responsibilities for protecting it.
  6. Information security and privacy policies: describe how your practice handles PHI.
  7. Employee sanction policies: outline the consequences for employees who violate HIPAA rules.
  8. Incident and breach notification documentation: records of security incidents or data breaches involving PHI.
  9. Complaint and resolution documentation: records of client complaints and your responses to them.
  10. Physical security maintenance records: documents showing how physical security measures are maintained.
  11. Access logs: records of who accessed PHI and when.
  12. IT security system reviews: evidence that IT systems meet HIPAA security standards.

The list above may change over time, so always check with your legal counsel to ensure you understand the specific retention requirements for all types of client communication and records you maintain in your practice.

How to prepare your practice for post-retirement requests for client communication or HIPAA-related files

As discussed above, you may need to retain HIPAA-related documentation for at least six years (HIPAA Security and Privacy Rules) and medical records, including the client communication that forms part of them, for whatever period state law sets, which can be considerably longer.

There are two options for meeting the retention requirements set by HIPAA, state laws, health plans, health and safety codes, and other government bodies.

Option 1: Migrate your email data to another storage solution

You can move your emails to another provider, but this can be difficult due to the following:

  • Technical complexity: If you're not very tech-savvy, you may struggle with the technical aspects of transferring data.
  • HIPAA compliance: You must confirm that the new storage system meets HIPAA requirements, including a business associate agreement with any vendor that will hold PHI.
  • Cost: Record storage may incur additional fees.

"To save your (Hushmail) records, you must add your Hushmail account to a third-party email app, make an offline version, download the records, and store them in a HIPAA-compliant way. You still end up spending money and going through a lot of hassle. Plus, most of the time, people who leave Hushmail for other services don't get help from the new service to migrate their email."

Stephanie Milne
Sales Manager at Hushmail

Option 2: Use a Data Retention plan

Using a Data Retention plan is a simpler and potentially cost-effective option.

The plan keeps your account and records accessible if you need them for an audit or a legal request, even if you're no longer actively practicing.

Here are some of its benefits:

  • Secure storage: Your records remain securely stored.
  • HIPAA compliance: The Data Retention plan helps you stay compliant.
  • Cost-effective: A Data Retention plan may be less expensive than maintaining a fully active account.

👉 Important note: You must proactively plan to transition your account to a Data Retention plan to avoid deletion.

Put a solid plan in place today

Before officially closing shop and retiring, remember that legal requests or audits may arise years later, requiring access to client communications and related information.

While migrating your records to another platform is an option, it can be technically complex, expensive, and, if done carelessly, non-compliant. Thankfully, Hushmail offers a simpler, more secure, and potentially more cost-effective solution: a Data Retention plan.

💡 Think of it like a safety deposit box for your records. It remains secure, HIPAA-compliant, and readily accessible when needed, all at a potentially lower cost than an active account.

Don't wait until it's too late. Contact our Sales team to discuss a Data Retention plan, and they will follow up with more information.