18. Data Retention Policy

Despite not being a requirement within HIPAA, Luma understands and appreciates the importance of health data retention. Acting as a subcontractor, and at times a business associate, Luma is not directly responsible for health and medical records retention as set forth by each state. Despite this, Luma has created and implemented the following policy to make it easier for Luma Customers to support data retention laws.

18.1 State Medical Record Laws

18.2 Data Retention Policy

  • Current Luma Customers have data stored by Luma as a part of the Luma Service.
  • Once a Customer ceases to be a Customer, as defined in System Access Policy §7.11, the following steps are taken:
    1. The Customer is sent a notice via email to confirm the status change and is given the option to obtain an extract of their data.
    2. If there is no response to the notice in #1 above within 7 days, or as determined appropriate based on the Customer's response, Luma removes the data from Luma systems per internal procedures and the Customer is sent notice of the removal of the data.
    3. If the Customer requests a data extract, the extract is made available for download for 30 days, after which the extract is deleted.
  • Luma documents and maintains designated record sets that are subject to access by individuals.
    1. Records include titles of the persons or office responsible for receiving and processing requests for access
    2. Relevant record set
    3. Records are retained indefinitely in Google Drive
  • Accountings of authorized disclosure are retained indefinitely. Records include:
    1. Information required for disclosure;
    2. Written accounting provided to the individual;
    3. Titles of the persons or offices responsible for receiving and processing requests
  • Luma retains its formal Policies and Procedures, including a record of changes, indefinitely
    1. Public Policies, such as Luma’s HIPAA Compliance Policies are available at https://policy.lumahealth.io
    2. Internal Policies and Procedures are stored in Luma’s internal Wiki
  • Luma maintains compliance with notice requirements by keeping a copy of all notices issued by Luma for at least six years
    1. Copies of notices are stored in a Google Drive with appropriate permissions assigned
    2. If applicable, any acknowledgements of these notices shall also be stored here
  • Luma documents any restrictions in writing electronically and retains any such records for a minimum of 6 years
    1. Restrictions are documented and stored in a restricted Google Drive folder
  • Luma adheres to the legal, regulatory, and business requirements for data retention including:
    1. Secure deletion of data when no longer needed for legal, regulatory, or business reasons, and
    2. A process for identifying and securely deleting stored data that exceeds defined retention requirements, as defined in Disposable Media Policy §14.2

18.3 Cardholder Data Storage Security

All systems adhere to the following requirements regarding non-storage of sensitive authentication data after authorization (even if encrypted):

  • Sensitive authentication data is deleted or rendered unrecoverable after authorization, including:
    • The card verification code
    • The personal identification number (PIN) or the encrypted PIN block