HIPAA 6-year + state overlay (up to 30 years for paediatric / OB-GYN / radiology). SOX 7-year, IRS 7-year, CMS RAC 3–5 year, Cures Act information-blocking compliance. Per-artefact retention computation, defensible disposition, controlled-access workflow over long-term archive. Tenant-decommission ready.
Healthcare retention is multi-jurisdictional, multi-data-class and multi-trigger. Athenahealth-specific retention has to layer on top of that: information-blocking compliance, Marketplace partner data flows, document attachments, audit logs at PHI-access granularity, BAA scope governance through retention end date.
Most retention discussions for ERP migrations are straightforward — SOX 7 years for financial records, IRS 7 years for tax-supporting evidence, done. Healthcare retention isn't like that. HIPAA sets a 6-year minimum, but every state layers its own medical-record retention on top, and the longest applicable wins. California requires 7 years for adults plus 1 year past age of majority for minors — meaning a paediatric record created today retains until 2049 at the earliest. New York requires 6 years plus age-of-majority handling. Texas requires 7 years. Florida requires 5 years for adults but until age 23 for minors. Many states require 25–30 years for radiology, paediatric and OB/GYN records. The retention obligation per artefact depends on patient demographics at the date of service, which means retention can't be computed at policy level — it has to be computed per artefact.
On top of the jurisdictional puzzle, athenahealth retention has to respect information-blocking compliance under the 21st Century Cures Act. The Cures Act prohibits 'interfering with, preventing or materially discouraging' patient access to electronic health information via the FHIR API. If a customer decommissions the athenahealth tenant and moves to long-term archive, the archive has to expose a FHIR R4-equivalent patient-access API for the duration of the retention window. Customers who archive data into a write-only cold store that has no patient-access API technically violate information-blocking — even though the underlying data is preserved.
Syntra ETL's retention solution handles both dimensions natively. The retention engine carries per-data-class per-jurisdiction rules, computes the effective retention end date per artefact at extraction time, tags the artefact in long-term archive with both the effective end date and the supporting rule citation, and exposes a HIPAA-aligned controlled-access layer (including FHIR R4-equivalent patient endpoints) over the archive for the duration of retention. Defensible-disposition workflow at retention end requires legal sign-off before any deletion.
The per-artefact, per-jurisdiction, per-trigger retention logic that consultant projects rebuild from scratch every time.
Effective retention end date computed per artefact at extraction. Patient state, specialty, data class, date triggers all factored. Longest applicable wins.
Pre-built rule library covers HIPAA federal baseline plus state overlays for all 50 states. Quarterly updates as state laws change.
Special-case overlays for paediatric (age of majority + state delta), OB/GYN (mother + child retention), radiology (image-specific 25-year retention).
FHIR R4-equivalent patient-access API over long-term archive for Cures Act compliance through retention window.
Retention end triggers defensible-disposition workflow requiring legal sign-off before any deletion. Audit-grade deletion log preserved.
HIPAA right-of-access, GDPR data portability, legal discovery, RAC audit response all routed through controlled-access layer with audit logging.
Structured 8–12 week sequence from retention obligation analysis to controlled-access steady state.
Per-data-class retention obligations enumerated for every jurisdiction the organisation operates in. Patient state distribution analysed. Specialty mix analysed. Tax and SOX obligations layered.
Full retention-scoped extraction plan: clinical record set via FHIR R4 + Bulk FHIR, billing record set via athenaNet API, EDI files via secure file exchange, audit logs via API admin endpoints.
Full retention-scoped data extracted to HIPAA-aligned long-term archive. Per-artefact retention end date computed and tagged. Audit logs extracted alongside. Hash-signed manifests preserved.
FHIR R4-equivalent patient-access API stood up over archive. HIPAA right-of-access workflow configured. GDPR portability workflow configured. Legal discovery workflow configured. Access logging immutable.
Sample patient lookups validated end-to-end. Sample SOX queries validated. Sample CMS RAC drill-back validated. Internal Audit signs off on retention scope and access controls.
Athenahealth tenant subscription terminated. BAA transitions to archive operator. Controlled-access layer enters steady state for retention duration (7–30+ years depending on data class).
Strategy choice depends on operational access needs, cost tolerance and clinical-workflow direction.
Athenahealth subscription continues at full cost through retention window. Operationally simplest. Most expensive. Right for active organisations not yet ready to decommission.
One-time extraction cost + ongoing $0.001–$0.004 per GB-month archive cost + controlled-access subscription. 80–95% cost reduction vs Strategy 1. Right for decommissioned tenants.
Keep recent data (typically 2 years) in athenahealth for operational access, extract older data to long-term archive. Balances operational access against retention cost.
Strategy 2 breaks even vs Strategy 1 in months 18–30 of retention. For 7+ year retention windows, Strategy 2 is dramatically cheaper.
Clinical access to retention-period data through Strategy 2 requires FHIR R4-equivalent API. Validate clinician workflow before decommission.
Subpoenas, audit requests and patient access requests need to be serviceable from whichever strategy is active. Test access workflow before decommission.
Athenahealth data retention is a multi-jurisdictional puzzle. HIPAA requires a 6-year minimum retention of designated record sets and audit logs from date of creation or last effective date. The 21st Century Cures Act and ONC Cures Act Final Rule mandate sustained FHIR API access to USCDI v3 data classes. State laws layer on top: California requires 7-year adult medical record retention plus 1 year past majority for minors; New York requires 6 years plus age-of-majority handling; Texas requires 7 years; Florida 5 years for adults but until age 23 for minors; many states require 25–30 year retention for radiology, paediatric and OB/GYN records. SOX 404 requires 7-year retention of financial records. CMS RAC audits require claim-level evidence going back 3 years (extending to 5 in fraud-investigation contexts). Tax law (IRS) requires 7 years of supporting evidence. The longest applicable retention wins — typically 25–30 years for paediatric records, 7+ years for everything else.
Three structural differences. First, athenahealth is a cloud-native multi-tenant SaaS — customers don't operate the database, so 'retention' isn't about disk-volume snapshots; it's about ensuring data remains accessible via the athenaNet API and FHIR R4 endpoints for the retention window, or that an authoritative copy has been extracted to long-term archive. Second, retention applies to a richer mix of artefacts — clinical record set, billing record set, 837/835 EDI files, audit logs, document attachments, image files (X-rays, scans) — each with potentially different retention triggers (date of service, date of last access, age-of-majority for minors). Third, retention has to coexist with information-blocking compliance — customers can't retain data in a way that obstructs patient FHIR API access mandated by the Cures Act.
Tenant decommissioning (typical scenarios: athenahealth replacement onto another clinical platform, organisation closure, divestiture) triggers a structured retention plan. Step one: identify all retention obligations by data class and by jurisdiction (state, federal, payer-contract, SOX, IRS). Step two: extract the full retention-scoped data to a HIPAA-aligned long-term archive (S3 Glacier, Azure Archive, OCI Archive Storage, GCS Archive) under the customer's data-residency policy. Step three: build a queryable index over the archive supporting clinical lookup (by patient MRN, by date range), financial lookup (by claim, by remit, by GL period), audit lookup (by access timestamp, by operator). Step four: implement controlled-access workflow for retention-period queries (clinicians needing historical record, finance responding to RAC audit, legal responding to subpoena). Step five: BAA continues with the archive operator until retention expires.
The retention engine carries per-data-class, per-jurisdiction retention rules and computes the effective retention end date for each artefact at extraction time. For a patient born in California (paediatric record requires retention until age 25), an encounter dated 2024 retains until 2050 at earliest. For a payment record falling under SOX, retention is 2031 (7 years). For a 1095-B form falling under IRS, retention is also 7 years. The engine takes the maximum applicable retention as the effective end date and tags the artefact in the long-term archive with both the effective retention end and the supporting rule citation. When the retention end date arrives, the artefact moves to a defensible-disposition queue requiring legal sign-off before deletion.
Yes. HIPAA Security Rule § 164.312(b) requires audit controls over PHI access, with a 6-year retention of the audit log itself. The retention engine captures every API call to athenaNet, every FHIR R4 access, every Bulk FHIR $export and every Marketplace partner data flow with operator identity, OAuth scope, timestamp and resource list. Audit logs are immutably stored alongside the data they describe, with retention set to HIPAA 6-year minimum plus the longest applicable overlay (typically 7+ years to align with SOX). When auditors request 'who accessed this patient's record between 2024 and 2026', the answer is a query against the immutable audit log — not a manual reconstruction.
The Cures Act information-blocking rule prohibits practices that 'interfere with, prevent or materially discourage' patient access to their electronic health information via the FHIR API. This means the athenahealth tenant's FHIR R4 API surface must remain accessible to patients (via SMART-on-FHIR apps), to other providers (via TEFCA participation) and to payers (where contracted) for as long as the underlying patient relationship is active. Data retention obligations don't override information-blocking obligations. If the customer decommissions the athenahealth tenant but retains historical data in long-term archive, the archive must expose a FHIR R4-equivalent API to support patient access requests for retention-period data — typically via a HIPAA-aligned archive operator that provides patient-facing FHIR endpoints over the archived data.
Cost depends on retention strategy. Strategy 1 (keep the tenant): athenahealth tenant subscription continues at full subscription cost for the retention period. Most expensive option, but operationally simplest. Strategy 2 (extract to long-term archive): one-time extraction cost (Syntra ETL extraction subscription for 1–3 months) plus ongoing long-term archive cost (typically $0.001–$0.004 per GB-month on S3 Glacier / Azure Archive / OCI Archive Storage) plus controlled-access subscription. Typically 80–95% cost reduction vs Strategy 1 over a 7+ year retention window. Strategy 3 (hybrid): keep recent data (typically 2 years) in athenahealth for operational access, extract older data to long-term archive. Common pattern for active organisations balancing operational access against retention cost.
Yes. Patient-driven data requests (HIPAA right of access, ONC Cures Act FHIR-based patient access, state patient-portal mandates, GDPR right of access for EU-resident patients) need to be serviced during retention even when the source athenahealth tenant has been decommissioned. The retention solution exposes a HIPAA-aligned access layer over the long-term archive supporting: HIPAA right-of-access requests (30-day response SLA), FHIR R4-equivalent patient API for SMART-on-FHIR apps, GDPR data-portability requests in machine-readable format, and legal-discovery requests under HIPAA preemption-permitted state law. The access layer carries the same OAuth2 governance, audit logging and BAA scope as the original athenahealth tenant — retention obligations don't relax security obligations.
Book a 30-minute scoping call. We'll walk through your patient-state distribution, specialty mix, decommission timing and access requirements — and you'll have a draft retention strategy with cost comparison by end of week.