Data Retention Policy
HIPAA Rule: §164.530(j) (policy retention), §164.312 (data controls)
Purpose
Define how long PHI and system data are retained, and ensure secure disposal when retention periods expire.
Retention Schedule
| Data Type | Location | Retention Period | Basis |
|---|---|---|---|
| Patient PHI records | NHC Django API DB | 7 years minimum | State law / HIPAA |
| API audit logs (CloudTrail) | S3 | 7 years | HIPAA audit requirement |
| VPC Flow Logs | CloudWatch Logs | 1 year | Operational |
| Application access logs | CloudWatch Logs | 1 year | Operational |
| Screenshots (VA sessions) | NVS S3 | 90 days | Operational minimum; review with legal |
| AWS Config history | S3 | 7 years | Compliance |
| Incident reports | Secure storage | 6 years | HIPAA |
| Breach determination docs | Secure storage | 6 years | HIPAA |
| HIPAA policy documents | This repo | 6 years | HIPAA |
| Backup snapshots (EC2/RDS) | AWS Backup vault | 30 days | Operational |
| S3 versioned objects | S3 | 90 days for noncurrent | Operational |
Secure Disposal
When retention periods expire:
| Medium | Disposal Method |
|---|---|
| S3 objects | S3 Lifecycle policy — permanent delete (not just versioning) |
| EBS snapshots | AWS Backup lifecycle — automatic expiration |
| RDS snapshots | AWS Backup lifecycle — automatic expiration |
| CloudWatch Logs | Log group retention policy set in Terraform |
S3 Lifecycle rules must be applied via Terraform and verified by AWS Config.
Warning
Deletion of PHI must be permanent. S3 object versioning must be paired with lifecycle rules that also delete all versions and delete markers after the retention period.
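The check below is an added example, not code from this repository: it audits a lifecycle configuration in the JSON shape returned by S3 GetBucketLifecycleConfiguration and reports why object data could outlive its retention period. The function names, the sample configurations and the choice to require an explicit delete-marker cleanup rule are assumptions of the example; the 90-day limit is the noncurrent-version period from the retention schedule.

```python
# Added example (not from the policy repo): audit a lifecycle configuration,
# in the JSON shape of S3 GetBucketLifecycleConfiguration, for permanent deletion.

def _bucket_wide(rule):
    """Enabled rule with no prefix/tag/size filter, so it covers every object."""
    flt = rule.get("Filter", {})
    prefix = flt.get("Prefix", rule.get("Prefix", ""))
    return (rule.get("Status") == "Enabled" and prefix == ""
            and not (set(flt) - {"Prefix"}))

def permanent_delete_gaps(config, max_noncurrent_days=90):
    """Return the reasons object data could outlive the retention period."""
    rules = [r for r in config.get("Rules", []) if _bucket_wide(r)]
    expirations = [r.get("Expiration", {}) for r in rules]
    noncurrent = [r["NoncurrentVersionExpiration"] for r in rules
                  if "NoncurrentVersionExpiration" in r]
    gaps = []
    # 1. Current versions must expire; on a versioned bucket this only adds
    #    a delete marker, so checks 2 and 3 are what make deletion permanent.
    if not any("Days" in e or "Date" in e for e in expirations):
        gaps.append("current versions never expire")
    # 2. Noncurrent versions must be deleted within the limit, none kept by count.
    if not noncurrent:
        gaps.append("noncurrent versions are never deleted")
    elif not any(n.get("NoncurrentDays", max_noncurrent_days + 1) <= max_noncurrent_days
                 and not n.get("NewerNoncurrentVersions") for n in noncurrent):
        gaps.append("noncurrent versions are kept too long or retained by count")
    # 3. Assumption of this example: require an explicit delete-marker cleanup rule.
    if not any(e.get("ExpiredObjectDeleteMarker") for e in expirations):
        gaps.append("delete markers are never removed")
    return gaps

# Constructed sample configurations (illustrative, not the project's Terraform output).
WEAK = {"Rules": [{"ID": "expire-current", "Status": "Enabled", "Filter": {},
                   "Expiration": {"Days": 90}}]}
FIXED = {"Rules": [
    {"ID": "expire-all-versions", "Status": "Enabled", "Filter": {},
     "Expiration": {"Days": 90},
     "NoncurrentVersionExpiration": {"NoncurrentDays": 90}},
    {"ID": "drop-delete-markers", "Status": "Enabled", "Filter": {},
     "Expiration": {"ExpiredObjectDeleteMarker": True}},
]}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, permanent_delete_gaps(cfg) or "no gaps")
```

Rules scoped by prefix, tag or size are ignored on purpose, so a bucket whose only lifecycle rules are scoped is reported as having all three gaps.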
Screenshot Retention
Screenshots in the NVS S3 bucket are treated as PHI and subject to this policy. The 90-day default should be reviewed with legal counsel to ensure alignment with any state-specific requirements governing VA session records.
Policy Document Retention
This compliance documentation repository must be retained for 6 years from the date of each policy version, per §164.530(j).