DATA RETENTION & DELETION POLICY
POLICY:
- IMS shall ensure that the organization has a legal basis for data processing.
- IMS shall ensure that the organization limits the amount of personal data collected per its data protection impact assessment.
- IMS shall meet legislative, statutory, and regulatory requirements.
- IMS shall ensure the policy is reviewed annually and updated per legislative, regulatory, and organizational policy changes.
- IMS shall ensure that the business realizes the best value in achieving the quality and flow of information and securely processing records and data storage.
- IMS shall support core business functions and provide evidence of conduct and the appropriate maintenance of associated tools, resources, and outputs to clients and regulators.
- IMS shall delete or de-identify data per the legislative and regulatory requirements.
SCOPE:
This policy and procedures apply to the following:
- All IMS office facilities, employees, and third-party contract workers accessing IMS’s information systems, services, and personal data.
- All information system components include network and computer hardware, software and applications, mobile devices, and telecommunication systems that process, store, or transmit personal data.
RETENTION PERIODS:
Records are retained according to the way they were collected and for the intended use. Any records retained during their specified periods are traceable and retrievable. Access to data is tracked and logged. All company and employee information is retained, stored, and destroyed per legislative and regulatory guidelines.
For all data and records obtained, used, and stored within IMS, we:
- Establish and conduct periodic reviews of the data retained, checking purpose, continued validity, accuracy, and requirement to retain.
- Establish and verify retention periods for the data, with special consideration given to the following areas:
- The requirements of the IMS.
- The type of personal data.
- The purpose of processing.
- Lawful basis for processing.
- The categories of Individuals.
- Where it is not required to define a statutory or legal retention period, per legal or regulatory requirements, IMS will identify the criteria by which the period can be determined and provide this to individuals on request and as part of standard information disclosures and privacy notices.
- Have processes to ensure that records pending audit, litigation, or investigation are not destroyed or altered.
- Transfer paper-based records and data to an alternative media format in instances of long retention periods.
STORAGE AND ACCESS OF RECORDS AND DATA:
- Documents are always retained in a secure location, with only authorized personnel given access.
- Not all data or records are expected to be deleted upon expiration; sometimes, it is sufficient to anonymize the data per HIPAA requirements or to archive records for a further period.
- At the end of a retention period, documents are reviewed, archived, or confidentially destroyed or de-identified, depending on their purpose.
DELETION/DE-IDENTIFICATION:
- IMS will have PHI destroyed utilizing an acceptable method of destruction after the appropriate retention period has been met.
- When feasible, IMS, will communicate the need for deletion with anyone else with whom the data has been shared to ensure necessary steps are taken to erase it elsewhere.
- When deleting/destroying paper records, information must be disposed of by shredding, burning, pulping, or pulverizing the records so that PHI is rendered unreadable, indecipherable, and otherwise cannot be reconstructed.
- Deleting/destroying PHI on electronic media must be achieved by clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).
RETENTION SCHEDULE:
| Record | Retention Period |
| HR/Personnel Records | |
| Applications and Resumes | Termination + 3 years |
| Background Checks | Termination + 3 years |
| Payroll and Compensation | 4 years |
| Health and Benefit Records | Termination + 3 years |
| Performance Records | Termination + 3 years |
| Tax Records | 4 years |
| Corporate Records | |
| Contracts | 7 years post-contract expiration date |
| BAAs | 6 years |
| Privacy Notices | 6 years |
| Policies | 6 years |
| Disaster Recovery and Contingency Plans | 6 years |
| Risk Assessments and Risk Analyses | 6 years |
| Business Licenses | 7 years |
| Physical Security Maintenance Records | 6 years |
| Incident and Breach Notification Documentation | 6 years |
| IT Security System Reviews | 6 years |
| Financial Records | |
| Accounts Payable/Receivable | 7 years |
| Plans and Budgets | 7 years |
| Annual Tax Filings | 7 years |
| End User Records | |
| General Information | 90 days |
| Client Records containing PHI | 90 days unless otherwise specified on the MSA |
| Records of Disclosures of PHI | 6 years |
| Logs Recording Access to and Updating of PHI | 6 years |
| Complaint and Resolution Documentation | 6 years |
| REVISION CONTROL | |||
| Revision Date | Revision Level | Revised By | Approved By |
| 04/19/2024 | A | Deanna Hoff Compliance Administrator | Tara DeBois VP of Compliance |
| 03/18/2025 | B | Deanna Hoff Compliance Administrator | Tara DeBois VP of Compliance |