HIPAA shows a movement in federal regulation of record retention policy towards encryption
HIPAA (the Health Insurance Portability and Accountability Act) is another important federal law with a major record retention policy component. As far as its data security rules are concerned, HIPAA applies to health plans, healthcare providers and healthcare clearinghouses.
HIPAA’s sliding standards for record retention policy
There is a common misconception that any company that holds personal health information is automatically covered by HIPAA. That is actually not the case. The standards depend on the industry in which the company operates: healthcare companies are held to the highest standard under HIPAA, with decreasing scrutiny for other industries.
However, HIPAA does require covered entities to enter into business associate agreements with vendors or third parties that handle their data. The idea is that a covered entity should not be able to avoid the data security obligations in its record retention policy simply by outsourcing the data to someone else.
So for those of you who work for companies that handle data for HIPAA covered entities, you are no doubt already familiar with the business associate agreement concept.
Now, encryption is strongly encouraged under HIPAA, but it is not mandated. We will see that many US privacy laws reward and encourage encryption, and in some cases are moving towards potentially requiring it, both in federal regulation and in business best practices for record retention policy.
Edited remarks from the Rapid Learning Institute webinar: “Identity Theft: What HR Can Do To Protect Sensitive Employee Data” by Christine E. Lyon, Esq.