Nivano Physicians, Inc.
Effective Date: March 11, 2026
Last Updated: March 11, 2026
Version: 1.0
Purpose
This Data Retention Policy describes how long Nivano Physicians retains different types of information — both Protected Health Information (PHI) governed by HIPAA and non-PHI personal information collected through our website and business operations. It also describes how information is securely disposed of when retention periods expire.
Scope
This policy applies to all information maintained by Nivano Physicians, Inc., including:
- Protected Health Information (PHI) in any format (electronic, paper, oral)
- Website visitor and analytics data
- Business records and administrative information
- Employment records
- Communications records
Protected Health Information (PHI) Retention
As a HIPAA-covered entity, Nivano Physicians retains PHI in accordance with federal and California state law. PHI is retained separately from general business and website data and is subject to the HIPAA Privacy Rule (45 C.F.R. § 164.530(j)) and the California Confidentiality of Medical Information Act (CMIA).
| Record Type | Minimum Retention Period | Governing Authority |
|---|---|---|
| Adult patient medical records | 7 years from date of last service | California Health & Safety Code § 123111 |
| Minor patient medical records | Until the patient turns 19, or 7 years from last service — whichever is longer | California Health & Safety Code § 123111 |
| HIPAA Privacy Rule compliance documentation | 6 years from date of creation or last effective date | 45 C.F.R. § 164.530(j) |
| Business Associate Agreements (BAAs) | 6 years from termination of agreement | 45 C.F.R. § 164.530(j) |
| HIPAA Notices of Privacy Practices | 6 years | 45 C.F.R. § 164.530(j) |
| Breach notification records | 6 years | 45 C.F.R. §§ 164.414, 164.530(j) |
| Authorization forms | 6 years from date created or last effective date | 45 C.F.R. § 164.530(j) |
| Accounting of disclosures records | 6 years | 45 C.F.R. § 164.528(d) |
| Patient complaint and grievance records | 6 years | HIPAA + CMS requirements |
Medicare and Medi-Cal Records Retention
As a Medicare Advantage and Medi-Cal contracted IPA and ACO REACH participant, Nivano Physicians is subject to additional CMS and DHCS records retention requirements.
| Record Type | Minimum Retention Period | Governing Authority |
|---|---|---|
| Medicare Advantage encounter and claims data | 10 years from date of service | 42 C.F.R. § 422.504(d) |
| Part D prescription drug records | 10 years | 42 C.F.R. § 423.505(d) |
| Medi-Cal provider and claims records | 7 years | 22 C.C.R. § 51476 |
| ACO REACH model participation records | 10 years minimum (consistent with CMS Medicare records requirements) | CMS REACH Model Requirements |
| Credentialing records (active providers) | Duration of credentialing cycle + 6 years | NCQA / CMS standards |
| Quality measure data reported to CMS | 10 years | 42 C.F.R. § 422.504(d) |
| Marketing materials and approvals (Medicare) | 10 years | 42 C.F.R. § 422.504(d) |
| Call recordings (beneficiary sales/enrollment calls) | 10 years | 42 C.F.R. § 422.2264 |
Website and Non-PHI Personal Information Retention
The following retention periods apply to personal information collected through our website and non-clinical business operations. These records are subject to the California Consumer Privacy Act (CCPA/CPRA).
| Data Type | Retention Period | Notes |
|---|---|---|
| Website analytics (Google Analytics 4) | 14 months | Configured in GA4 data retention settings |
| Newsletter subscriber data | Until unsubscription or deletion request | CCPA deletion requests honored within 45 days |
| Contact form submissions | 24 months | Deleted after business inquiry is resolved |
| Job application records (not hired) | 12 months from application date | Longer if required by California employment law |
| Job application records (hired) | Duration of employment + 7 years | Per California employment record requirements |
| Cookie and tracking data | Session cookies: expire at end of session; Analytics cookies: 14 months | Controlled via Cookie Policy |
| Compliance training records | 5 years | Fraud, waste, and abuse; HIPAA training documentation |
Administrative and Business Records Retention
| Record Type | Retention Period | Governing Authority |
|---|---|---|
| Corporate formation documents | Permanent | California Corporations Code |
| Board minutes and resolutions | Permanent | California Corporations Code |
| Contracts and agreements | 7 years from expiration | California statute of limitations |
| Financial records and tax returns | 7 years | IRS / California FTB guidance |
| Provider network agreements | 7 years from termination | Best practice |
| Insurance policies | Permanent (claims-made) / 7 years (occurrence) | — |
| Employment records (wages, hours) | 3 years | California Labor Code § 1174 |
Secure Disposal
When retention periods expire, Nivano Physicians disposes of records in a manner that protects patient and individual privacy:
Electronic Records:
- PHI: Secure deletion using NIST SP 800-88 standards (overwriting, degaussing, or physical destruction of media)
- Non-PHI: Secure deletion per IT security procedures
Paper Records:
- PHI and sensitive records: Cross-cut shredding or third-party shredding service with certificate of destruction
- Non-sensitive records: Standard recycling
Disposal Documentation:
Records of disposal, including certificates of destruction for PHI, are retained for at least 6 years per HIPAA requirements.
Legal Hold
If Nivano Physicians receives notice of actual or anticipated litigation, regulatory investigation, or audit, the records at issue must be preserved beyond their normal retention period until the legal hold is released by the Privacy Officer or General Counsel. Normal deletion procedures are suspended for records subject to a legal hold.
Responsibility and Oversight
The Chief Privacy Officer is responsible for overseeing implementation of this policy and coordinating with department heads to ensure compliance. Department managers are responsible for ensuring records within their areas are retained and disposed of in accordance with this policy.
Policy Review
This policy will be reviewed at least annually and updated as needed to reflect changes in applicable law, CMS requirements, or organizational operations.
Questions
For questions about this policy or to request information about retention of your personal data, contact:
Nivano Physicians Privacy Officer
2554 Millcreek Dr., Suite 100, Sacramento, CA 95833
Phone: (916) 407-2000
Email: compliance@nivanophysicians.com
This policy was last approved on March 11, 2026 by the Compliance Department.