Skip to main content
U.S. flag

An official website of the United States government

Return to Search

FAQ 2082 Do the HIPAA Rules require a CSP to maintain ePHI for some period of time beyond when it has finished providing services to a covered entity or business associate?

This is a HIPAA FAQ about the duration of time a CSP is required to maintain ePHI.

Final

Issued by: Office for Civil Rights (OCR)

Do the HIPAA Rules require a CSP to maintain ePHI for some period of time beyond when it has finished providing services to a covered entity or business associate?

Answer:

No, the HIPAA Rules generally do not require a business associate to maintain electronic protected health information (ePHI) beyond the time it provides services to a covered entity or business associate.  The Privacy Rule provides that a business associate agreement (BAA) must require a business associate to return or destroy all PHI at the termination of the BAA where feasible.  45 CFR  § 164.504(e)(2)(J). 

If such return or destruction is not feasible, the BAA must extend the privacy and security protections of the BAA to the ePHI and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.  For example, return or destruction would be considered ‘‘infeasible’’ if other law requires the business associate CSP to retain ePHI for a period of time beyond the termination of the business associate contract.[1]

[1] 67 Fed. Reg. 53181, 53254 (August 14, 2002).

HHS is committed to making its websites and documents accessible to the widest possible audience, including individuals with disabilities. We are in the process of retroactively making some documents accessible. If you need assistance accessing an accessible version of this document, please reach out to the guidance@hhs.gov.

DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.