PatientSwaps

Data Retention Schedule

Effective March 19, 2026  |  Last Updated March 19, 2026

IMPORTANT: PatientSwaps Role Under HIPAA
PatientSwaps operates as a Business Associate under HIPAA (45 C.F.R. Parts 160 and 164), not as a Covered Entity. PatientSwaps is a healthcare technology platform that provides algorithmic bed-matching and transfer matching software for skilled nursing facilities. PatientSwaps is not a healthcare provider, patient broker, referral agency, placement service, medical advisor, or care coordinator. This Data Retention Schedule governs how long PatientSwaps retains different categories of data collected or processed through the platform.

1. Purpose & Scope

This Data Retention Schedule describes the retention periods for all categories of data processed by the PatientSwaps platform, including Protected Health Information (PHI), facility operational data, de-identified records, and financial data.

Retention periods are determined by the following factors:

  • HIPAA requirements for Business Associates (45 C.F.R. § 164.530(j) — 6 years for policies, procedures, and documentation)
  • Colorado state record retention requirements
  • Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.) — data minimization and purpose limitation
  • Anti-Kickback Statute (42 U.S.C. § 1320a-7b) and Colorado Anti-Kickback Law (C.R.S. § 24-31-809) — documentation of fee structures, technology services agreements, and commercial reasonableness
  • IRS requirements for financial and tax records
  • Legitimate business operational needs

2. Data Retention Schedule

2.1 Protected Health Information (PHI)

PHI is stored exclusively in BAA-covered systems (Google Workspace — Gmail, Sheets, Drive, Apps Script) and Jotform (HIPAA Gold). PHI never enters Airtable, Make.com, or Stripe.

| Data Category | Examples | Storage Location | Retention Period | Disposal Method |
|---|---|---|---|---|
| PHI: Patient Transfer Records | Patient names linked to facility assignments, transfer dates, matching results | Google Sheets (Master PHI) | 6 years from transfer completion | Secure deletion with audit log |
| PHI: Clinical Coordination Emails | Emails between facilities containing patient-identifiable transfer details | Gmail (hello@careswaps.com), Paubox | 6 years from communication date | Secure deletion with audit log |
| PHI: HIPAA Consent & BAA Records | Signed BAAs, HIPAA authorizations, consent forms | Google Drive | 6 years from termination of agreement or last service date, whichever is later | Secure deletion with audit log |

2.2 Facility Information

Business information about facility clients. Facility names, contacts, and operational details are business data (not PHI).

| Data Category | Examples | Storage Location | Retention Period | Disposal Method |
|---|---|---|---|---|
| FAC: Facility Profile Data | Facility name, address, contact person, phone, email, bed count, payer types accepted | Airtable (Facilities table), CRM Sheet | Duration of active subscription + 3 years | Standard deletion |
| FAC: Facility Account Credentials | Login emails, portal access credentials | Google Workspace | Duration of account + 1 year | Secure deletion |
| FAC: Facility Marketing Leads | Names, emails, facility info from cold outreach or demo requests | CRM Sheet, Instantly.ai (getpatientswaps.com only) | 2 years from last engagement, or upon opt-out | Deletion from all systems |

2.3 De-Identified Operational Data

De-identified data compliant with HIPAA Safe Harbor (45 C.F.R. § 164.514(b)). Contains no direct patient identifiers.

| Data Category | Examples | Storage Location | Retention Period | Disposal Method |
|---|---|---|---|---|
| OPS: Swap Records (De-Identified) | Swap IDs (SW-###), status, facility names, dates, bed counts | Airtable (no BAA — de-identified only) | 7 years from swap completion | Standard deletion |
| OPS: Matching Query Logs | Query counts per facility, tier usage, overage calculations | Google Workspace, Make.com | 3 years | Automated purge |
| OPS: Platform Analytics | Occupancy metrics, payer mix data, swap chain statistics (aggregated) | Google Workspace | Indefinite (aggregated, non-identifiable) | N/A — no individual identifiers |
| OPS: Automation Logs | Make.com scenario execution logs, webhook payloads (de-identified IDs only) | Make.com | 30 days (Make.com default); extended logs in Google Drive for 2 years | Automatic platform purge / manual deletion |

2.4 Financial & Billing Records

| Data Category | Examples | Storage Location | Retention Period | Disposal Method |
|---|---|---|---|---|
| FIN: Platform Subscription Payments | Stripe customer IDs, subscription IDs, payment amounts, tier levels | Stripe (exempt for payment processing), Airtable (Stripe IDs only) | 7 years (IRS requirement) | Per Stripe policies / standard deletion |
| FIN: Subscription Invoices | Platform subscription charges, tier upgrade records | Stripe, Google Drive | 7 years | Secure deletion |
| FIN: Technology Services Agreements | Facility contracts with pricing, tier selection, included query allowances | Google Drive | Duration of agreement + 6 years | Secure deletion with audit log |

2.5 Legal & Compliance Records

| Data Category | Examples | Storage Location | Retention Period | Disposal Method |
|---|---|---|---|---|
| Business Associate Agreements | BAAs with facility clients | Google Drive | 6 years from termination (HIPAA requirement) | Secure deletion with audit log |
| HIPAA Policies & Procedures | Privacy policies, security procedures, breach response plans | Google Drive | 6 years from date superseded or last effective | Secure archival, then deletion |
| AKS Compliance Documentation | Fee structure documentation, FMV opinions, legal opinion letters, commercial reasonableness analyses | Google Drive | Indefinite (retain for duration of business operations + 10 years) | Secure archival |
| Transport Partner Agreements | Credentialing agreements, directory listing terms | Google Drive | Duration of agreement + 6 years | Secure deletion |
| Audit Logs | PHI access logs, system access records, data modification logs | Google Workspace, Airtable (Audit Log table) | 6 years | Secure deletion |
| Breach Notifications | Breach investigation records, notification documentation, corrective actions | Google Drive | 6 years from breach resolution | Secure deletion with audit log |
| Data Subject Requests | Access, deletion, correction requests under CPA/CCPA | Google Sheets, Gmail | 3 years from request fulfillment | Secure deletion |

3. Retention Principles

3.1 Minimum Necessary Standard

PatientSwaps applies the HIPAA minimum necessary standard to data retention. Data is retained only as long as necessary to fulfill the purpose for which it was collected, comply with legal obligations, or meet legitimate business needs. When retention periods expire, data is promptly disposed of using the designated method.

3.2 Data Minimization

Consistent with the Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.), PatientSwaps limits the collection and retention of personal data to what is adequate, relevant, and reasonably necessary for the specified purposes.

3.3 De-Identification Preference

Where feasible, PatientSwaps converts PHI to de-identified format under HIPAA Safe Harbor (45 C.F.R. § 164.514(b)) when the identifiable form is no longer required. De-identified data may be retained for longer periods for platform analytics, occupancy trend analysis, and network improvement without the risks associated with identifiable data.

3.4 Clinical Decision Firewall

PatientSwaps does not retain clinical acuity data, diagnosis codes, treatment plans, or clinical notes. The matching algorithm uses only operational factors (bed availability, payer acceptance, geographic proximity, timing). Any clinical data inadvertently received is deleted within 72 hours and logged as an incident.

3.5 Legal Hold Override

If PatientSwaps receives a litigation hold, government investigation notice, or audit notification, the scheduled disposal of relevant data will be suspended until the hold is released. The PatientSwaps Privacy Officer is responsible for implementing and communicating legal holds.

4. Disposal Methods

| Method | Description | Used For |
|---|---|---|
| Secure Deletion with Audit Log | Permanent deletion from all systems (including backups within 90 days), with a written record of the deletion event, data categories destroyed, date, and authorizing party. | PHI, HIPAA documentation, BAAs, AKS records |
| Secure Deletion | Permanent deletion from all systems. No recovery possible after the 90-day backup cycle. | Facility PII, financial records, account data |
| Standard Deletion | Deletion from primary systems. May persist in automated backups per platform retention. | De-identified operational data, non-sensitive records |
| Automated Purge | System-managed expiration per platform settings (e.g., Make.com 30-day log retention). | Automation logs, temporary processing data |

5. Facility Rights & Individual Rights

5.1 Facility Data Rights

Facility clients may request:

  • Data Export: A complete export of all facility data held by PatientSwaps, in a portable format.
  • Data Deletion: Deletion of facility data upon subscription termination, subject to legal retention requirements.
  • Access Logs: Records of who accessed facility-related data and when.

5.2 Individual Rights (Colorado Privacy Act / CCPA)

Individuals whose data is processed through the platform have the right to:

  • Access: Request confirmation of whether PatientSwaps processes their personal data and obtain a copy.
  • Deletion: Request deletion of personal data, subject to HIPAA and other legal retention requirements.
  • Correction: Request correction of inaccurate personal data.
  • Data Portability: Obtain personal data in a portable, readily usable format.
  • Opt-Out: Opt out of the processing of personal data for targeted advertising, sale, or profiling. PatientSwaps does not sell personal data or engage in targeted advertising.

To exercise any of these rights, contact: privacy@patientswaps.com

Note on PHI Retention: Certain health information may be subject to minimum retention requirements under HIPAA (6 years for Business Associate documentation). If deletion is requested and a legal obligation requires continued retention, PatientSwaps will notify the requesting party of the specific obligation and the expected date when deletion can occur. Access to such data will be restricted to the minimum necessary during the extended retention period.

6. Review & Updates

This Data Retention Schedule is reviewed at least annually and updated to reflect changes in legal requirements, business operations, or data processing activities. Material changes will be communicated via the PatientSwaps website and, where required, by direct notice to affected facility clients.

Questions about this schedule should be directed to: privacy@patientswaps.com

7. Governing Law

This Data Retention Schedule is governed by the laws of the State of Colorado, including the Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.), the Colorado Anti-Kickback Law (C.R.S. § 24-31-809), and applicable provisions of HIPAA (45 C.F.R. Parts 160 and 164) and the Anti-Kickback Statute (42 U.S.C. § 1320a-7b). In the event of a conflict between this schedule and applicable law, the law controls.

Technology Platform Disclaimer: PatientSwaps is a healthcare technology platform providing algorithmic bed-matching and transfer matching software. PatientSwaps is not a healthcare provider, patient broker, referral agency, placement service, medical advisor, or care coordinator. All transfer decisions are made independently by licensed clinical staff at participating facilities based on their independent clinical judgment. Platform subscription fees are for technology services and are not conditioned on referral volume or transfer outcomes.

© 2026 PatientSwaps, LLC. All rights reserved.