Healthcare legacy data may not be accessed daily; however, there are many considerations providers need to manage to ensure they meet federal, state and condition-specific retention requirements. Bridget Group, JD, Corporate Counsel for Harmony Healthcare IT, recently discussed the key legal factors for legacy data management in a podcast with Adam Turteltaub, Vice President of Strategic Initiatives and International Programs for the Society of Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). Group noted the major risks for legacy health data management include: Security vulnerabilities as legacy systems can be weak links and ripe for cyber attacks Compliance challenges in meeting HIPAA and 21st Century Cures Act rules Keeping unstable system hardware up and running Increased technical support and maintenance costs A few of Group’s recommendations for a solid legacy data management plan include: Create a system inventory of all data – capture critical details like the system name, vendor, version #, database size, server location, operating system, etc. Review the purpose of each system Log the access requirements for each system Consider the maintenance cost schedule Create or review the Governance Board’s role and processes which should include: Update and maintain policies for retention, access, HIPAA and Cures Act Ensure a robust and ongoing training schedule is implemented within the entire organization Evaluate legacy data against the organization’s policies and determine which data should be migrated to an archive solution or a storage warehouse based on a checklist of factors (security, accessibility, anticipated future needs, HIM requirements, legal considerations, etc.) If the data has met its complete requirements for compliance, determine purging or destruction schedule. For more information on creating or updating your organization’s legacy data management plan, contact the team at Harmony Healthcare IT. Note: The information shared in this podcast is not intended to serve as a replacement for legal advice and does not create an attorney-client relationship. Should you require legal counsel, please seek guidance from your organization’s legal team.