When a patient withdraws consent, healthcare organizations must stop using and disclosing information for purposes covered by that consent. They are, however, still required to retain the patient records for the HIPAA-required retention period.
Understanding the data retention process
According to Section 164.530(j) of the Privacy Rule, “A covered entity must retain the documentation required by paragraph (j)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later.”
Data retention is the process of maintaining protected health information (PHI) for the required retention period. Effective data retention revolves around a process, which might differ from organization to organization but maintains the following core components:
- Patient information is collected and stored within patient records including histories and treatment details.
- They establish policies for how long to keep these records.
- Records are maintained securely to protect patient privacy and data integrity.
- After the retention period ends, records can be destroyed securely.
How does the withdrawal consent impact data retention processes?
The immediate impact on data use and disclosure
When consent is withdrawn, healthcare organizations cease using or disclosing information for the specific purpose outlined in the consent. For example, if consent is provided to use PHI for marketing purposes, withdrawal means this information can no longer be used in marketing communications or campaigns.
Retention of existing records
Even if consent is withdrawn, the organization must retain the patient's health records for the specified duration. The communications and relevant documentation related to the withdrawal of consent for this information to be used are then also documented.
Handling of record post consent withdrawal
After consent withdrawal, the organizations ensure that the records are handled in a manner that complies with the Privacy and Security Rules including secure storage, and encryption during transmission. It also includes restricting access to the records to only those individuals who need it for purposes still allowed under HIPAA.
Destruction of records
Once the retention period has expired, the organization can securely destroy the records. The destruction must be conducted in a way that ensures the information cannot be reconstructed or retrieved.
Documentation and compliance
Organizations must document the consent withdrawal and how it affects data use and retention. They need to ensure that their data retention policies reflect any changes required by the withdrawal of consent.
Related: HIPAA Compliant Email: The Definitive Guide
FAQs
What is secure encryption by HIPAA standards?
The process of encoding so that only authorized individuals can access information.
What is the Privacy Rule?
It establishes the national standards for protecting individuals' medical records and PHI.
What is the Security Rule?
Standards for protecting electronic PHI (ePHI) through administrative, physical, and technical safeguards.
Kirsten Peremore
