Data Retention Requirements for Business Associates

There has been some debate around how long a BAs should retain documents containing PHI, as seen in this LinkedIn forum discussion. Some attest that BAs should retain these documents for as short a time as possible while others state regulatory issues that make it necessary to retain these documents for 6 or 10 years.

At Scrypt, we retain customer data for up to 10 years because of the Federal False Claims Act.

As a Business Associate, and because we have customers who submit claims to CMS using our services, we are subject to the Federal False Claims act, just as our Covered Entities are.

And according to the Federal False Claims Act, we could be subpoenaed for up to 10 years after the date on which a violation is committed.

§ 3731. False claims procedure
(a) A subpoena requiring the attendance of a witness at a trial or hearing
conducted under section 3730 of this title may be served at any place in the United States.
(b) A civil action under section 3730 may not be brought—
(1) more than 6 years after the date on which the violation of section
3729 is committed, or
(2) more than 3 years after the date when facts material to the right of
action are known or reasonably should have been known by the
official of the United States charged with responsibility to act in
the circumstances, but in no event more than 10 years after the date
on which the violation is committed, whichever occurs last.

Rest assured, our data retention policy is longer than others’ solely to comply with the regulations above. All data will be protected with the same level of rigor regardless of when it was created.