Data Retention and Disposal Policy
Purpose: Define retention periods and secure disposal procedures for Protected Health Information (PHI) and other data in Bounded Health.
Scope
This policy applies to all data collected, processed, and stored by Bounded Health, including:
- Protected Health Information (PHI)
- User account data
- Audit logs
- System logs
- Backups
- Archived data
Regulatory Requirements
HIPAA: Sets no retention period for medical records themselves; it requires the documentation it mandates (policies, procedures, risk analyses, accounting of disclosures) to be retained for 6 years from creation or from the date it was last in effect (45 CFR 164.316(b)(2)). Medical record retention is driven by state law and legitimate business need.
State Laws: Many states require medical records retention for 6-10 years after the latest of:
- Last patient encounter
- Patient reaches age of majority
- Patient's death
IRS: Financial records must be retained for 7 years.
Retention Schedules
Protected Health Information (PHI)
Active Patient Records:
| Data Type | Retention Period | Location | Rationale |
|---|---|---|---|
| PatientProfile | 7 years after last activity | Database | HIPAA + state law |
| MealLog | 7 years after creation | Database + GCS | Clinical records |
| TaperingLog | 7 years after creation | Database | Medication records |
| LabReport | 10 years after creation | Database + GCS | Regulatory standard |
| MedicalImage | 10 years after creation | GCS | Imaging retention standard |
| Prescriptions | 7 years after fill date | Database | Exceeds the DEA 2-year minimum for controlled-substance records; state pharmacy law |
Inactive Patients:
- Account inactive for 3+ years: Flag for review
- Account inactive for 7+ years: Eligible for archival or deletion
- Patient deceased: Retain 7 years from date of death
User Account Data
User Records:
| Data Type | Retention Period | Notes |
|---|---|---|
| User (non-patient) | 7 years after account closure | Employment records |
| Employer profiles | 7 years after contract end | Business records |
| Authentication logs | 1 year | Security monitoring (see Audit and Security Logs) |
| Session data | 30 days after expiration | Technical requirement |
Audit and Security Logs
Audit Logs:
| Log Type | Retention Period | Location | Purpose |
|---|---|---|---|
| AuditLog (PHI access) | 7 years | Database | HIPAA compliance |
| Authentication logs | 1 year | Clerk + Database | Security investigation |
| API access logs | 90 days | Application logs | Performance monitoring (PHI access events are also recorded in AuditLog, retained 7 years) |
| Error logs (Sentry) | 90 days | Sentry platform | Debugging |
| Security incident logs | 7 years | Secure storage | Legal/compliance |
Financial Records
Billing and Payment Data:
| Data Type | Retention Period | Rationale |
|---|---|---|
| Invoices | 7 years | IRS requirement |
| Payment transactions | 7 years | Financial auditing |
| Subscription history | 7 years | Business records |
| Refund records | 7 years | Tax compliance |
Backups
Database Backups:
- Daily backups retained for 30 days
- Weekly backups retained for 12 weeks
- Monthly backups retained for 7 years
- Annual backups retained for 10 years
File Storage Backups:
- Versioning enabled on Google Cloud Storage
- Previous versions retained for 30 days
- Deleted files retained for 30 days (soft delete)
- After retention period: Permanent deletion
Deleted Data in Backups:
- A hard-deleted record persists in every backup taken before the deletion until that backup expires; with monthly and annual backups kept for years, disposal is not complete until those copies age out
- Backups are restored only for disaster recovery; re-run the retention job on a restored copy before it is put into service so deleted records are not resurrected
- Legal holds apply to backups as well as to live data
Analytics and Aggregated Data
De-identified Aggregate Data:
- May be retained indefinitely for research and product improvement once properly de-identified per HIPAA Safe Harbor or Expert Determination
- Current implementation: No de-identification process exists, so all aggregate data is treated as PHI and follows the PHI retention schedule above
Usage Metrics:
- Application performance metrics: 1 year
- User behavior analytics: 1 year (if it contains identifiers)
- System monitoring: 90 days
Data Disposal Procedures
Secure Deletion Standards
Database Records:
Soft Delete (Preferred):
- Mark the record deleted (a deleted flag or timestamp) instead of removing the row
- Exclude soft-deleted records from all user-facing queries
- Keep the row until its retention period expires
Hard Delete (After Retention Period):
- Permanently remove the row once the retention period has expired and no legal hold applies
- Record the deletion in AuditLog
Cascade Deletion:
- Database foreign keys configured with onDelete: Cascade - Deleting a parent record deletes related records
- Example: Deleting User deletes PatientProfile, MealLog, etc.
- Caveat: a child may have a longer retention period than its parent (LabReport and MedicalImage keep 10 years, PatientProfile 7). Do not hard-delete a parent while any cascading child is still within retention or under legal hold
- Caveat: AuditLog must not be part of the cascade; its 7-year retention applies even after the user it references has been deleted
File Storage Deletion
Google Cloud Storage:
Verification:
- Confirm the object is no longer accessible
- Check that noncurrent versions and soft-deleted copies are gone or will expire within the 30-day window
- Note that database backups are not purged individually: a deleted record persists in backups until the backup containing it expires (see Backups)
Third-Party Systems
Clerk (Authentication):
- User deletion via Clerk API
- Includes all authentication data
- Cannot be recovered after deletion
Sentry (Error Tracking):
- Events auto-deleted after 90 days
- Manual deletion available for sensitive events
- Project deletion removes all data
Email/SMS Providers:
- Retain logs per vendor policy
- Request deletion when user account deleted
- Document vendor data handling
User-Initiated Deletion Requests
Right to Deletion (GDPR/CCPA)
Patient Requests:
Users may request deletion of their data. A request is honored immediately by soft delete; hard delete is deferred while any of the following applies:
- Outstanding legal obligations or an active legal hold
- Active medical treatment
- Applicable retention period not yet expired
Deletion rights under GDPR/CCPA do not override record retention required by law.
Process:
- Verify user identity
- Check for legal holds
- Export data if requested (portability)
- Schedule deletion
- Confirm completion to user
Timeline:
- Immediate soft delete (data inaccessible to user)
- Hard delete after retention period expires
- Notify user of completion
Data Export (Portability)
User Data Package Includes:
- Profile information
- Health records (MealLog, TaperingLog, LabReport)
- Medical images
- Audit log of their data access
- File format: JSON + attachments (ZIP)
Archival Procedures
Long-Term Storage
When to Archive:
- Patient inactive for 3+ years
- Data access frequency < 1/year
- Retention period still active
Archive Process:
- Export to cold storage (GCS Nearline/Coldline)
- Compress and encrypt
- Maintain searchable index
- Document archive location
- Test restore capability annually
Retrieval:
- 24-48 hour SLA for archived data
- Restore to temporary location
- Re-archive after use
Legal Holds
Definition: Preservation of data beyond normal retention due to litigation or investigation.
Process:
- Legal counsel issues hold notice
- Identify affected data and systems
- Suspend normal disposal procedures
- Document hold in compliance system
- Release hold only upon counsel authorization
- Add a legalHold boolean to relevant models
- Prevent deletion when legalHold: true
- Track hold reason and issuer
- Regular review of active holds
Monitoring and Compliance
Automated Retention Enforcement
Scheduled Jobs:
- Run on a schedule via cron or serverless function
- Skip records under legal hold, and never hard-delete a parent whose cascading children are still within their own retention period
- Log all retention actions in AuditLog
Compliance Reporting
Monthly Report:
- Records deleted
- Records archived
- Active legal holds
- Exceptions and variances
Annual Audit:
- Review retention schedules
- Verify disposal procedures
- Test archive retrieval
- Update policy as needed
Exceptions and Variances
Reasons for Extended Retention:
- Ongoing litigation
- Regulatory investigation
- Business necessity (documented)
- Patient request (continued care)
Approval Process:
- Document reason for variance
- Privacy Officer approval required
- Set review date
- Monitor for resolution
- Resume normal retention when resolved
Documentation:
- Exception request form
- Approval record
- Regular review schedule
- Resolution date
Responsibilities
Privacy Officer:
- Oversee retention policy compliance
- Approve retention exceptions
- Conduct annual policy review
Data Steward (Engineering):
- Implement retention automation
- Execute disposal procedures
- Maintain archival systems
- Document technical processes
Legal Counsel:
- Advise on legal requirements
- Issue legal holds
- Approve policy changes
IT Operations:
- Manage backups
- Execute archival processes
- Maintain secure disposal
- Monitor automation
Training
All Staff Must Understand:
- Retention periods for data they handle
- Secure disposal procedures
- Legal hold obligations
- User deletion request process
Annual Topics:
- Policy updates
- Disposal procedure review
- Legal/regulatory changes
- Incident case studies