Do the HIPAA Rules require a CSP to maintain ePHI for some period of time beyond when it has finished providing services to a covered entity or business associate?

Answer:

No. The HIPAA Rules generally do not require a business associate, including a CSP acting as a business associate, to maintain electronic protected health information (ePHI) beyond the time it provides services to a covered entity or business associate. The Privacy Rule provides that a business associate agreement (BAA) must require the business associate, at termination of the BAA, to return or destroy all PHI where feasible. 45 CFR § 164.504(e)(2)(ii)(J).

If such return or destruction is not feasible, the BAA must extend its privacy and security protections to the retained ePHI and limit further uses and disclosures to those purposes that make return or destruction infeasible. For example, return or destruction would be considered "infeasible" if other law requires the business associate CSP to retain the ePHI for a period of time beyond the termination of the business associate contract.[1]


[1] 67 Fed. Reg. 53181, 53254 (August 14, 2002).

Content created by Office for Civil Rights (OCR)
Content last reviewed on October 6, 2016