Medical Record Retention by State
Older data from the Smart Suite tables is exported to files stored on the operating system (dump files, .dmp extension) and can be accessed at a later date for recovery (to run reports) via the Admin Menu utility (see Data Retention Knowledge Article). Most customer sites have these exported files from decades ago, and there's always a question of how far back the end user might need the data or for how long the files should be stored. Of course, primarily, the customer site is responsible for maintaining off-server copies of the backups (which include these files), but of special concern for potential future litigation should be the exported data files.
Although HIPAA itself doesn't specify time limits for storing information, it requires that the states (and others following the act) set up these time limits of their own.
The state laws typically state that "medical records" must be kept for a specified amount of time. Then the person searching for the specifics would have to go digging to find each state's definition of "medical records" pertaining to a patient's visit. So it's probably just safer to assume that messages and pages (and by extension oncall records) concerning the patient are included in this definition.
The question, then, is how long these should be kept -- for example, does someone need data files from 1999, 2006, or 2015 in 2021? It depends on the state in which the legal body of the site resides. It ranges from 5 to 11 years.
Below are the results of quick searches (in Feb 2021) for how long medical records must be kept for each state. Links to the state statutes are not provided, nor are links to the statutes defining "medical records" in each state, although this author did have to go and do follow-up research on many of them to verify the information. The statutes and definitions can be found by the reader through a bit of online searching and reading. This list is provided as a quick reference.
The below information is not intended as legal advice and is provided solely as general information to assist the customer in deciding how far back they might really need the exported data files stored on the servers. It should not be relied upon as specific legal advice for your situation. If there is a question about the retention of this data in the Smart Suite system, you should contact your legal department to verify what your particular organization's rules are concerning this, and whether or not that violates your state's law and what the ramifications of that might be.
Spok and its employees, members, contractors, et al. will not be held liable for violations of these rules by your organization. If you request that Spok personnel remove the exported files that may be within the timeframe listed below -- for wherever the legal body of your enterprise is located (for cross-state customer sites) -- you will be required to sign a waiver re-verifying Spok's indemnity and nonculpability in the matter. It is not Spok's responsibility to maintain copies of your nightly backups.
|Location||Number of Years|
|CO||7 - 10, depending|
|NC||6 - 11, depending|
|WI||5 - 6, depending|