Purpose-built compliance archive for Epic-sourced healthcare data. Per-state retention rules (5–30+ years), HIPAA + HITECH + 42 CFR Part 2 + IRS + Medicare + FCA, legal hold tracking, auto-expiry with proof-of-destruction. One-click HIPAA audit evidence retrieval.
Healthcare retention is one of the most complex regulatory environments in any industry. The Epic Systems compliance archive applies the right rule to the right record per legal entity per state, with signed evidence at every step.
A general data archive holds data for a configurable retention window. A compliance archive does much more: it knows that the adult medical-record window runs from the last encounter and is 7 years in some states and 10 in others; that pediatric records run until the age of majority plus a state-specific tail, so the same record class carries very different expiry dates from one state to the next; that 42 CFR Part 2 substance-use records need stricter access control than general HIPAA; that Medicare cost reports need 10 years while Medicare claims need 5; that Joint Commission medical staff records are often retained permanently. It applies the right rule to the right record class for the right legal entity, with multi-rule overlap handling (longest wins), legal hold tracking that overrides retention, and auto-expiry with proof-of-destruction.
The Epic Systems compliance archive brings all of that pre-built. Per-state retention rules for all 50 states + DC + territories, maintained as states amend rules. Multi-rule conflict resolution. Pediatric retention computed from patient date-of-birth with cross-state strictest-wins logic. 42 CFR Part 2 access control applied at the record-class level. Legal hold preservation that survives auto-expiry. HIPAA §164.528 accounting-of-disclosures logging. HIPAA §164.312(b) audit control logging. Encryption at rest (AES-256) and in transit (TLS 1.3) with customer-managed KMS keys.
The result: when OCR shows up for a HIPAA enforcement audit, the privacy officer pulls the evidence pack with one click. When a state surveyor asks for 7 years of pharmacy controlled-substance dispensing, the report runs in minutes. When litigation requires legal hold on a fraud-and-abuse investigation, the records are protected from auto-expiry until the hold releases. When a pediatric patient now 24 years old requests their newborn records, the archive can produce them because pediatric retention was computed correctly 24 years ago.
Each capability addresses a real healthcare retention obligation that general archives don't handle out of the box.
All 50 states + DC + territories pre-built. Per-legal-entity, per-record-class. Multi-rule overlap handled with longest-wins logic. Maintained as states amend.
Records tagged with patient DOB. Expiry computed as max(DOB + age-of-majority + state-window, encounter-date + adult-rule). Cross-state strictest-wins for transient patients.
Substance-use records tagged at ingest. Stricter access control than HIPAA: patient consent required for most disclosures outside the treating program. SAMHSA-compliant by design.
Litigation hold suspends auto-expiry, elevates access logging, integrates with privilege review tooling. Hold release documented with timestamp + authorized actor.
When the retention window lapses, records auto-expire with proof-of-destruction signed by the privacy officer. Disciplined disposal: no 'we forgot to delete' surprises.
§164.530(j)(2), §164.528, §164.312(b), §164.312(a), §164.312(e), §164.504(e), §164.502 + §164.524 — all covered. One-click retrieval for OCR walkthroughs.
A repeatable workflow from compliance scope through retention rule wiring, access control and evidence pack delivery.
Inventory all source systems in archive scope. Map every record class to applicable federal + state + industry retention rules. Identify multi-rule overlaps. Privacy officer + general counsel + compliance sign off on scope.
Per-state retention rules wired per legal entity. Multi-state organisations get strictest-wins logic. Pediatric DOB-aware retention configured. 42 CFR Part 2 tagging rules set.
Clarity-certified extractors push to archive with retention metadata embedded at ingest: state rule, record class, DOB (for pediatric), 42 CFR Part 2 flag, legal entity, expiry date computed.
Role-based access wired with HIPAA §164.312(a) controls. §164.528 accounting-of-disclosures logging activated. 42 CFR Part 2 stricter workflow surfaced. Break-glass workflow with privacy officer review.
Legal hold first-class workflow tested with general counsel + outside counsel. Privilege review tooling integration (Relativity, Everlaw). Hold release documentation pattern locked.
HIPAA evidence pack one-click retrieval tested. Auto-expiry workflow tested with proof-of-destruction signed by privacy officer. Annual retention rule review scheduled. Compliance archive production ready.
When OCR, state surveyors, CMS, OIG or external auditors arrive, this is what gets retrieved.
All policies and procedures retained 6+ years. Version history, approval signatures, training records. Pulled with policy-by-policy retention timestamp.
Every PHI access logged for 6+ years: actor, timestamp, record, justification, source. Filterable by patient, by date range, by access type.
Read access on every PHI record logged immutably. Periodic privacy officer review documented. Anomaly detection alerts retained with disposition.
Role-based access matrix documented. Periodic access review evidence. Joiner/mover/leaver workflow tied to identity provider with timing.
All ex-patient access requests logged with 30-day response timing. Format requested + delivered. Denials documented with §164.524(a)(2)–(3) basis.
Business associate agreements with cloud provider + service providers. Termination of access on contract end documented. Renewal cadence tracked.
An Epic Systems compliance archive is a retention-rule-driven archive specifically engineered to satisfy the multi-year, multi-rule retention obligations that apply to Epic-sourced healthcare data. Healthcare retention rules are some of the most complex in any industry: HIPAA Privacy Rule (6 years for accounting-of-disclosures and policies), HITECH (extends HIPAA enforcement), state adult medical record retention (5–10 years post last encounter), state pediatric retention (age-of-majority + 5–10 years, often 25–30 years total), IRS billing records (7 years), Medicare/Medicaid records (5–10 years), 42 CFR Part 2 substance-use records (typically 6+ years), Joint Commission medical staff records (often permanent), FCA exposure (6 years). The Epic Systems compliance archive applies the right rule to the right record class with signed evidence packs.
A general archive stores data with a single retention rule (or no rule). A compliance archive applies the right retention rule to the right record class per legal entity per state, with auditable proof. Concrete differences: per-state retention rules pre-built for all 50 states + DC + territories; multi-rule overlap handling (where multiple rules apply, the longest wins); legal hold tracking that overrides retention until release; auto-expiry with proof-of-destruction signed by the privacy officer; periodic retention rule update tracking as states amend rules; chain-of-custody manifests covering every read and every retention decision. The Epic Systems compliance archive is purpose-built for healthcare's regulatory complexity.
All US federal and state healthcare retention rules, plus IRS and Medicare. Federal: HIPAA Privacy Rule §164.530(j)(2) — 6 years for policies and accounting-of-disclosures; HITECH; 42 CFR Part 2 substance-use disorder treatment records (6+ years); IRS records (7 years for billing); Medicare Conditions of Participation (5 years for clinical, 10 years for cost reports); Medicare Advantage (10 years); Medicaid (varies by state); CLIA laboratory records (2–10 years depending on record type, from test requisitions and results at 2 years to pathology reports and histopathology slides at 10); DEA controlled-substance records (2 years federally). State: adult medical record retention (5–10 years in most states), pediatric (age-of-majority + 5–10), state public records for public hospitals. False Claims Act exposure (6 years). All rules pre-built and maintained by the Epic Systems compliance archive team as states amend them.
Yes — this is one of the hardest retention classes in healthcare. Pediatric retention typically requires holding records until the patient reaches age of majority (18 in most states, 19 in some) plus a state-specific window after (5–10 years in most, longer in a few). Net retention is often 25–30 years from date of service for the youngest patients. The Epic Systems compliance archive tracks patient date-of-birth in the retention metadata and computes expiry as max(DOB + age-of-majority + state-window, encounter-date + adult-rule-window). Records are automatically promoted to the longer pediatric window whenever the patient was a minor on the date of service, even if the record was ingested without that flag. Multi-state patients (e.g., parent moves states) are handled with the strictest applicable rule winning.
42 CFR Part 2 (substance-use disorder treatment records) has stricter access controls than general HIPAA — disclosure outside the treating program requires patient consent in most cases even where HIPAA would permit it. The Epic Systems compliance archive tags 42 CFR Part 2 records at ingest, applies the stricter access control (no disclosure beyond the Part 2 program without specific patient consent, no payer-side access for non-treatment purposes), logs all access against the §2.31 consent requirements, and surfaces a separate access workflow for 42 CFR Part 2 records that prompts the user for the appropriate basis. Retention follows the 42 CFR Part 2 rule (typically 6+ years post discharge, longer for some states) but access is the bigger differentiator. SAMHSA-compliant by design.
Yes, as a first-class concept. When litigation, regulatory investigation, or government inquiry is anticipated or active, affected records can be placed under legal hold. While on hold: auto-expiry is suspended even if the retention rule would otherwise trigger deletion; all access during the hold period is logged with elevated detail; selective disclosure workflows preserve privilege; privilege review tooling integrates (Relativity, Everlaw). When the hold is released, the retention engine resumes — records may immediately become eligible for expiry (if the rule already passed) or continue normal retention until their date. Legal hold release is documented with timestamp + authorized actor for audit defensibility, and the hold check always takes precedence over the retention clock, which removes the common spoliation path of a scheduled purge running during active litigation.
Comprehensive HIPAA evidence pack covering every requirement OCR examines during a HIPAA enforcement audit. Coverage: §164.530(j)(2) policy retention (6 years); §164.528 accounting-of-disclosures (all access logged for 6 years); §164.312(b) audit control (read access logging on all PHI); §164.312(a) access control (role-based access with documentation); §164.312(e) transmission security (TLS 1.3 + encrypted delivery); §164.504(e) BAA evidence; §164.502 / §164.524 right of access (request workflow with response timing); breach notification readiness (immutable logs + chain of custody). One-click evidence retrieval for OCR walkthrough. Privacy officer signs off on the evidence pack annually.
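As an added illustration of the expiry computation described for pediatric records and of the legal-hold override described above (example code written for this page, not the product's own retention engine), the following Python sketches a small retention engine over a constructed rule table. The jurisdictions ST-A and ST-B, their windows, the class-level windows, the record fields and the helper names are all invented placeholders and do not describe any real state's law or the product's data model.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed rule table for illustration only. "ST-A"/"ST-B" are placeholder
# jurisdictions; the windows are invented and are NOT any real state's law.
@dataclass(frozen=True)
class StateRule:
    adult_years: int           # years after last encounter for adult records
    age_of_majority: int       # age at which the pediatric tail starts
    pediatric_tail_years: int  # years retained after age of majority

STATE_RULES = {
    "ST-A": StateRule(adult_years=6, age_of_majority=18, pediatric_tail_years=5),
    "ST-B": StateRule(adult_years=10, age_of_majority=19, pediatric_tail_years=10),
}

# Record-class windows applied regardless of state (years after last encounter).
# Also constructed; a real table would carry the federal rules listed on the page.
CLASS_RULES = {"medical": 0, "billing": 7}


@dataclass
class Record:
    record_id: str
    record_class: str
    states: tuple            # every jurisdiction whose rule applies (transient patients)
    last_encounter: date
    dob: Optional[date] = None
    legal_hold: bool = False
    hold_events: list = field(default_factory=list)


def add_years(d: date, years: int) -> date:
    """Add whole years; Feb 29 falls back to Feb 28 when the target year is not leap."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def expiry_under_state(rec: Record, state: str) -> date:
    """max(DOB + age-of-majority + tail, encounter + adult window) for one state."""
    rule = STATE_RULES[state]
    candidates = [add_years(rec.last_encounter, rule.adult_years)]
    if rec.dob is not None:
        majority = add_years(rec.dob, rule.age_of_majority)
        if rec.last_encounter < majority:   # patient was a minor on the date of service
            candidates.append(add_years(majority, rule.pediatric_tail_years))
    return max(candidates)


def compute_expiry(rec: Record) -> date:
    """Longest applicable window wins across every state and the class-level rule."""
    candidates = [expiry_under_state(rec, s) for s in rec.states]
    candidates.append(add_years(rec.last_encounter, CLASS_RULES.get(rec.record_class, 0)))
    return max(candidates)


def set_legal_hold(rec: Record, held: bool, actor: str, at: date) -> dict:
    """Place or release a hold; every transition is recorded with actor and timestamp."""
    event = {"record_id": rec.record_id, "held": held, "actor": actor, "at": at.isoformat()}
    rec.legal_hold = held
    rec.hold_events.append(event)
    return event


def eligible_for_destruction(rec: Record, today: date) -> bool:
    """A hold always wins over the retention clock; otherwise compare against expiry."""
    return (not rec.legal_hold) and today >= compute_expiry(rec)


# Constructed sample records (not real patient data).
ADULT = Record("R1", "medical", ("ST-A",), date(2015, 3, 10), dob=date(1980, 1, 1))
PEDIATRIC = Record("R2", "medical", ("ST-A", "ST-B"), date(2011, 1, 20), dob=date(2010, 6, 15))
BILLING = Record("R3", "billing", ("ST-A",), date(2016, 5, 1))

if __name__ == "__main__":
    for rec in (ADULT, PEDIATRIC, BILLING):
        print(rec.record_id, rec.record_class, "expires", compute_expiry(rec))
    today = date(2024, 1, 1)
    print("R1 eligible:", eligible_for_destruction(ADULT, today))
    set_legal_hold(ADULT, True, "general-counsel", today)
    print("R1 eligible under hold:", eligible_for_destruction(ADULT, today))
    print("release:", set_legal_hold(ADULT, False, "general-counsel", date(2024, 6, 1)))
```

The pediatric record R2 shows the two rules at work: under ST-A alone it would expire in 2033, but because the patient is also associated with ST-B the strictest-wins pass carries the expiry to 2039. The billing record R3 shows the class-level window (7 years) outlasting the state adult window, so longest-wins picks the class rule. The hold log is the audit trail the page describes: each placement and release carries the actor and timestamp, and eligibility is re-evaluated from the retention clock the moment the hold comes off.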
Forever if a retention rule requires it (Joint Commission medical staff records, some state requirements for radiology images, etc.). Standard healthcare retention windows: adult medical 5–10 years, pediatric 25–30 years, billing 7 years, cost reports 10 years, accounting-of-disclosures 6 years. The Epic Systems compliance archive tier engine optimises cost — records on cold tier (deep archive storage) at $0.001–0.01/GB/month cost very little even at multi-decade scale. A typical 8-hospital system's compliance archive for the full retention window runs $50–200K/year all-in. Records auto-expire when their retention rule says so, with proof-of-destruction signed by the privacy officer. Indefinite retention for the records that need it; disciplined disposal for those that don't.
Book a 30-minute discovery call. Walk through your legal entity footprint, multi-state operations, pediatric service lines, 42 CFR Part 2 programs and litigation profile. Concrete compliance archive scope and rollout plan — with HIPAA evidence pack delivery on day one of audit.