Retention Guidelines for Protected Data

University data is protected by state and federal law and by University policies and procedures. Descriptions, classification examples, and retention schedule recommendations for the types of protected University data follow below. Every University employee is responsible for safeguarding the confidentiality, integrity, and accuracy of protected data. University employees should know what kinds of data are protected and what security measures protected data require.

Health Insurance Portability and Accountability Act (HIPAA)

Protected Health Information

Congress passed the Health Insurance Portability and Accountability Act of 1996 in response to growing concerns about keeping health information private. HIPAA requires agencies that maintain medical records to protect privacy and create standards for the transfer of health data. Agencies are required to follow rules to protect the privacy of medical records. Employees are not allowed to access health information unless they need the information to perform their jobs. Accepted uses of health information include treatment, payment, and health care operations (e.g. quality assessment, licensing and credentialing, etc.). Any other health information disclosure requires the patient's written consent. Employees must fulfill training requirements for the protection of spoken, written, or digital health information.


Retention: HIPAA does not impose retention requirements. Archival guidelines recommend that all medical records be kept forever. If permanent retention is impractical, medical records should be retained for a minimum of 10 years after the last date of treatment or 10 years after the patient reaches the age of majority, whichever occurs later.

Family Educational Rights and Privacy Act (FERPA)

Student Records

The Family Educational Rights and Privacy Act was enacted in 1974 to protect the privacy of student educational records and to allow students and parents greater access to education records. FERPA requires schools to keep education records confidential. Schools must prevent disclosure to third parties and must have a policy in place that provides access to records for students' parents and for students over the age of 18. Educational records are defined as “those records, files, documents, or other materials which contain information directly related to a student, and are maintained by an educational agency or institution or by a person acting for such agency or institution”. FERPA also forbids the disclosure of “personally identifiable information” such as a student's or parent's name, address, social security number, or any other information that may reveal a student's identity.



Student Loans: Retain records related to student loans, including applications, approvals, disbursements, repayments, etc. while active plus 6 years. The length of retention is at the discretion of the individual department as long as minimum requirements are met. Records should be destroyed using a method that maintains confidentiality.

Gramm-Leach-Bliley Act (GLBA)

Personal Financial Records

The Gramm-Leach-Bliley Act of 1999 relates to the protection of personal financial information held by financial institutions. The GLB Act broadly defines “financial institution” as any institution engaged in financial activities on behalf of consumers. Higher education institutions that process student loans are considered financial institutions under the Act. Protected information goes beyond financial aid records. It includes personal financial information collected by the University, faculty, students, staff, and others. Protected financial information includes financial aid records, credit card and personal check information, salary information, and tax records. University offices that maintain protected financial information are required to identify themselves to the Computing and Telecommunications Services, Information Security Officer.


Retention: GLB does not impose a specific retention requirement for protected financial records. Retention schedules vary depending on the type of record. For specific retention requirements, refer to departmental records retention schedules or the University General Schedule. Examples include:

Other Protected Information