You’ve meticulously organized your practice's closure and you're ready to embark on a new chapter!
But your inbox gets a surprise notification as you’re about to leave for your dream vacation, ready to unwind after years or decades of work in your practice.
A client from years ago needs medical records for a legal case, but your practice is no longer operational.
How do you deal with this?
You've come to the right place!
Managing client information and ensuring compliance is crucial in healthcare, even beyond active practice.
This blog post dives into the importance of managing your Hushmail for Healthcare account when you're anticipating retirement.
We'll delve into options so you can continue having access to your records while safeguarding client privacy, and complying with regulations, even when you're no longer actively practicing.
Hushmail for Healthcare has a built-in email archive that automatically records all emails sent and received. This supports your practice’s HIPAA compliance and is essential in case of audits or other legal matters.
But here's the caveat:
What if more than a year has passed, and you get an email from a former client asking for snippets of your email communication from a few years ago for a legal case? Are you legally required to store and share client communication with a client or entity if there's a lawful request?
To answer these questions, let's look at two important terms: medical records and HIPAA-related documents.
HIPAA’s Privacy Rule doesn't dictate retention periods for medical records themselves. However, other laws and regulations might require keeping them for specific durations. Each state has its own laws setting these timeframes, which can vary depending on the provider type and client age.
Here are some examples of state laws for different provider types and client ages:
These are just a few examples, and laws can vary significantly. The American Academy of Pediatrics' recommendation on medical record retention is an excellent reminder, even for practices outside of pediatrics:
HIPAA has retention requirements for documents related to compliance and privacy, such as policies, security assessments, and complaints. These documents need to be kept for six years. You can find this requirement in HIPAA’s Security Rule (which is different from HIPAA’s Privacy Rule):
Steve Youngman, Hushmail's VP of Finance and Legal, recommends keeping these documents for seven years instead of six:
It's important to remember that the six-year duration is the minimum retention period for mandatory documentation under the Security Rule. Depending on state laws, accreditation organization requirements, or other business justifications, you may be required to keep them longer.
Examples of HIPAA-related Documents to be retained for at least 6 years
| HIPAA-related document | What it’s for |
| --- | --- |
| 1. Notices of privacy practices | Inform clients about their privacy rights. |
| 2. Patient authorizations | Grant permission to share a client’s protected health information (PHI). |
| 3. Risk assessments and analyses | Identify security risks and potential vulnerabilities in your practice. |
| 4. Disaster recovery and contingency plans | Outline how your practice will respond to emergencies and maintain HIPAA compliance. |
| 5. Business associate agreements | Contracts with third-party vendors who have access to PHI to outline their responsibilities in protecting PHI. |
| 6. Information security and privacy policies | Describe how your practice handles PHI. |
| 7. Employee sanction policies | Outline consequences for employees violating HIPAA rules. |
| 8. Incident and breach notification documentation | Records of security incidents or data breaches involving PHI. |
| 9. Complaint and resolution documentation | Records of client complaints and your responses to these complaints. |
| 10. Physical security maintenance records | Documents showing how physical security measures are maintained. |
| 11. Access logs | Records of who accessed PHI and when it was accessed. |
| 12. IT security system reviews | Ensure IT systems meet HIPAA security standards. |
The list above may change over time, so always check with your legal counsel to ensure you understand the specific retention requirements for all types of client communication and records you maintain in your practice.
Recommended reading: HIPAA Privacy Rule vs. HIPAA Security Rule
As we mentioned earlier in this article, you may need to retain client communication and HIPAA-related files for at least six years (HIPAA Security Rule) or potentially longer (based on state laws).
You have two options to explore to help you adhere to the records retention requirements set by HIPAA, state laws, health plans, health and safety codes, and other government bodies.
You can move your emails to another provider, but this can be difficult due to the following:
Maintaining a dormant Hushmail account is a simpler and potentially cost-effective option.
No one is actively using it when it's in a dormant state, but it remains accessible in case of an audit or when a client, another company, or a court has the legal right to request access to those records.
Here are some of its benefits:
👉 Important note: You must proactively plan to downgrade your Hushmail account to a dormant state to avoid deletion.
Before officially closing shop and embracing retirement, remember that legal requests or audits can arise years later, requiring access to client communication and related information.
While migrating your records to another platform is an option, it can be technically complex, expensive, and potentially non-compliant. Thankfully, Hushmail offers a simpler, more secure, and potentially more cost-effective solution: a dormant Hushmail account.
💡 Think of it like a safety deposit box for your records. It remains secure, HIPAA-compliant, and readily accessible when needed, all at a potentially lower cost than an active account.
Don't wait until it's too late. Submit the following form to discuss a dormant Hushmail account with our Sales team. They will contact you with more information: