Reporting Data Retention: PHI vs. Non-PHI

Data retention and protected health information (PHI) inclusion vary by tenant based on the combination of the following two permissions:

  • Reporting permission: Indicates that data can be stored and reported on with PHI intact until that data has reached its reporting retention period.

    Note that the reporting retention period is specified in the tenant catalog.

    • The default is 365 days for Patient Risk Surveillance customers granting reporting permission.
    • The default is 90 days for non-Patient Risk Surveillance customers granting reporting permission.
  • Long Term Storage Permission: Indicates that the data can be stored and reported on for any duration of time, with the restriction that the data is de-identified.
Note: Written requests for a patient's data to be purged will result in the patient data being removed, regardless of any permissions or retention configuration.

Regardless of the permissions granted, patient contextual data will not be retained beyond 5 years of the context coming to a close (meaning, the Encounter discharge date or the Episode of Care end date). Patient contextual data includes, but is not limited to, the following Fast Healthcare Interoperability Resources (FHIR) entities that reference an Encounter or Episode of Care.

  • Care Team
  • Communication
  • Condition
  • MedicationRequest
  • MedicationAdministration
  • Observation
  • Procedure
  • ProcedureRequest
  • Encounter
  • EpisodeOfCare

Regardless of the permissions granted, patient non-contextual data will not be retained beyond 5 years of its last modified time. Patient non-contextual data includes, but is not limited to, the following FHIR entities:

  • Device
  • Patient
  • Any of the FHIR entities listed under patient contextual data that reference the patient, but have no context when populated.