Retention Overview

Rubric provides flexible data retention controls that balance regulatory requirements, operational needs, and patient privacy rights. All deletion operations are cryptographically verified and audited.

Configurable Policies

Set retention periods by data type, project, or regulatory requirement.

Legal Hold

Suspend deletion for litigation or investigation with legal holds.

Secure Deletion

Cryptographic erasure ensures data is unrecoverable after deletion.

Patient Rights

Support GDPR right to erasure and patient deletion requests.

Default Retention Periods

Rubric applies sensible default retention periods based on healthcare regulatory requirements. These can be customized per project or organization.

| Data Type | Default Retention | Regulatory Basis | Configurable Range |
| --- | --- | --- | --- |
| Call Transcripts | 7 years | HIPAA (6 years) + buffer | 1-10 years |
| Audio Recordings | 3 years | Business need | 6 months - 7 years |
| DICOM Studies | 7 years | State medical records laws | 5-10 years |
| Evaluation Results | 7 years | HIPAA (6 years) + buffer | 1-10 years |
| Clinical Annotations | 7 years | Medical records retention | 1-10 years |
| Audit Logs | 7 years | HIPAA (6 years) + buffer | Non-configurable |
| De-identified Data | Indefinite | Not PHI | Indefinite or custom |
| Temporary Files | 24 hours | Operational | 1-72 hours |

Minimum Retention Requirements: Certain data types have minimum retention periods that cannot be reduced below regulatory requirements. Audit logs, for example, must be retained for at least 6 years per HIPAA requirements.

Configuring Retention Policies

Organization-Level Policies

org_retention_policy.py
```python
from rubric import Rubric
from rubric.retention import RetentionPolicy, DataType

client = Rubric()

# View current organization retention policy
current_policy = client.retention.get_policy(scope="organization")

print("Current Organization Retention Policy:")
for data_type, config in current_policy.items():
    print(f"  {data_type}: {config.retention_period}")

# Update organization retention policy
updated_policy = client.retention.update_policy(
    scope="organization",
    policies=[
        RetentionPolicy(
            data_type=DataType.CALL_TRANSCRIPT,
            retention_period="7y",  # 7 years
            archive_after="1y",     # Move to cold storage after 1 year
            deletion_method="cryptographic_erasure"
        ),
        RetentionPolicy(
            data_type=DataType.AUDIO_RECORDING,
            retention_period="3y",
            archive_after="6m",
            deletion_method="cryptographic_erasure"
        ),
        RetentionPolicy(
            data_type=DataType.EVALUATION_RESULT,
            retention_period="7y",
            archive_after="2y",
            deletion_method="cryptographic_erasure"
        )
    ]
)

print("\nRetention policy updated successfully")
```
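
A pre-flight check for policy updates like the one above, written as an added example (it is not part of the Rubric SDK): it validates period strings against the configurable ranges in the Default Retention Periods table before anything is sent. The data-type keys, the unit lengths, and the rule that `archive_after` must be shorter than the retention period are assumptions.

```python
import re

# Assumed unit lengths for period strings such as "7y", "6m", "24h".
HOURS = {"h": 1, "d": 24, "m": 30 * 24, "y": 365 * 24}

# Configurable ranges from the Default Retention Periods table.
# Keys are hypothetical identifiers; None marks a non-configurable type.
# De-identified data ("Indefinite or custom") is left out of this check.
RANGES = {
    "call_transcript": ("1y", "10y"),
    "audio_recording": ("6m", "7y"),
    "dicom_study": ("5y", "10y"),
    "evaluation_result": ("1y", "10y"),
    "clinical_annotation": ("1y", "10y"),
    "audit_log": None,
    "temporary_file": ("1h", "72h"),
}


def parse_period(text):
    """Convert a period string to hours, rejecting malformed or zero values."""
    match = re.fullmatch(r"([1-9]\d*)([hdmy])", text.strip())
    if not match:
        raise ValueError(f"unrecognised period {text!r}")
    return int(match.group(1)) * HOURS[match.group(2)]


def validate_policy(data_type, retention, archive_after=None):
    """Return a list of problems; an empty list means the policy is in range."""
    if data_type not in RANGES:
        return [f"{data_type}: unknown data type"]
    if RANGES[data_type] is None:
        return [f"{data_type}: retention period is non-configurable"]
    try:
        hours = parse_period(retention)
        archive = parse_period(archive_after) if archive_after else None
    except ValueError as exc:
        return [f"{data_type}: {exc}"]
    low, high = RANGES[data_type]
    problems = []
    if hours < parse_period(low):
        problems.append(f"{data_type}: {retention} is below the {low} minimum")
    if hours > parse_period(high):
        problems.append(f"{data_type}: {retention} exceeds the {high} maximum")
    if archive is not None and archive >= hours:
        problems.append(f"{data_type}: archive_after must be shorter than retention")
    return problems
```

Running this in CI against the policy list catches an out-of-range or audit-log change before it reaches the API.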

Regulatory Templates

regulatory_templates.py
```python
from rubric import Rubric

client = Rubric()

# List available regulatory templates
templates = client.retention.list_templates()

for template in templates:
    print(f"{template.name}:")
    print(f"  Jurisdiction: {template.jurisdiction}")
    print(f"  Regulations: {', '.join(template.regulations)}")

# Apply a regulatory template
client.retention.apply_template(
    template="hipaa_standard",
    scope="organization",

    # Customize specific settings
    overrides={
        "audio_recordings": "5y"  # Extend beyond template default
    }
)

# Available templates:
# - hipaa_standard: US HIPAA requirements
# - hipaa_research: HIPAA + research requirements
# - gdpr_healthcare: EU GDPR for healthcare
# - state_california: California CCPA + medical records
# - state_texas: Texas medical records requirements
```

Data Lifecycle

Data moves through defined lifecycle stages from active use through archival and eventual deletion.

Storage Tiers

| Tier | Duration | Access Speed | Cost | Features |
| --- | --- | --- | --- | --- |
| Active (Hot) | 0-90 days | Milliseconds | $$$ | Full indexing, real-time queries |
| Warm | 90 days - 1 year | Seconds | $$ | Partial indexing, dashboard access |
| Cold Archive | 1-7 years | Minutes to hours | $ | Retrieval on request, compliance storage |
| Deletion Queue | 30-day hold | N/A | N/A | Final review before permanent deletion |

Secure Deletion

Rubric uses cryptographic erasure to ensure deleted data is permanently unrecoverable. This exceeds NIST guidelines for secure data destruction.

Manual Deletion

manual_deletion.py
```python
from rubric import Rubric

client = Rubric()

# Delete specific records (requires elevated permissions)
deletion_request = client.retention.delete_records(
    # Records to delete
    records=[
        {"type": "call", "id": "call_abc123"},
        {"type": "call", "id": "call_def456"},
        {"type": "evaluation", "id": "eval_ghi789"}
    ],

    # Deletion settings
    method="cryptographic_erasure",

    # Reason for deletion (required for audit)
    reason="Patient deletion request under GDPR Article 17",

    # Reference to request ticket
    ticket_id="TICKET-12345",

    # Skip 30-day hold (requires compliance officer approval)
    skip_hold=False
)

print(f"Deletion request: {deletion_request.id}")
print(f"Status: {deletion_request.status}")
print(f"Records queued: {deletion_request.record_count}")

# Get deletion certificate
certificate = client.retention.deletion_certificate(deletion_request.id)
print("\nDeletion Certificate:")
print(f"  Certificate ID: {certificate.id}")
print(f"  Records deleted: {certificate.record_count}")
print(f"  Method: {certificate.deletion_method}")
print(f"  Completed: {certificate.completed_at}")

# Export certificate as PDF
certificate.export_pdf("deletion_certificate.pdf")
```

Legal holds suspend automatic deletion for data that may be relevant to litigation, investigations, or regulatory inquiries.

legal_holds.py
```python
from rubric import Rubric

client = Rubric()

# Create a legal hold
legal_hold = client.retention.create_legal_hold(
    name="Smith v. Hospital - Discovery",

    # Scope of hold
    scope={
        "projects": ["patient-triage"],
        "date_range": {
            "start": "2023-06-01T00:00:00Z",
            "end": "2023-12-31T23:59:59Z"
        },
        "patient_ids": ["PAT-12345", "PAT-67890"],
        "include_related": True  # Include all related records
    },

    # Hold details
    matter_name="Smith v. Regional Hospital",
    matter_number="CASE-2024-001",
    custodian="[email protected]",

    # Hold duration
    expires_at=None,  # Indefinite until released

    # Notifications
    notify_on_access=True,
    notify_email=["[email protected]"]
)

print(f"Legal hold created: {legal_hold.id}")
print(f"Records preserved: {legal_hold.record_count}")
print(f"Status: {legal_hold.status}")
```

Legal Hold Priority: Legal holds take absolute priority over all retention policies. Data under legal hold cannot be deleted by any means, including patient deletion requests, until the hold is properly released by authorized personnel.
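
The precedence rule above, combined with the 30-day deletion queue, modelled as a decision function. This is an added example, not Rubric's implementation: the `Record` and `LegalHold` classes, the action names, and the assumption that hold scope fields combine with AND are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

QUEUE_HOLD = timedelta(days=30)  # the 30-day Deletion Queue stage


@dataclass
class Record:
    project: str
    patient_id: str
    created_at: datetime
    retention: timedelta


@dataclass
class LegalHold:
    name: str
    projects: set
    patient_ids: set
    start: datetime
    end: datetime
    released: bool = False

    def covers(self, rec):
        # Assumption: scope fields combine with AND (the page does not say).
        return (not self.released
                and rec.project in self.projects
                and rec.patient_id in self.patient_ids
                and self.start <= rec.created_at <= self.end)


def deletion_decision(rec, holds, now, erasure_requested=False, queued_at=None):
    """Return (action, reason) for one record at time `now`."""
    # Holds are checked first and on every call, so a hold placed after a
    # record was queued still stops the erasure.
    blocking = sorted(h.name for h in holds if h.covers(rec))
    if blocking:
        return ("preserve", "legal hold: " + ", ".join(blocking))
    if not erasure_requested and now < rec.created_at + rec.retention:
        return ("retain", "retention period not reached")
    if queued_at is None:
        return ("queue", "start 30-day deletion hold")
    if now < queued_at + QUEUE_HOLD:
        return ("wait", "deletion hold still running")
    return ("erase", "deletion hold elapsed, no legal hold")
```

Re-evaluating holds at the final step, rather than only when a record enters the queue, is what keeps a late-arriving hold from racing a scheduled erasure.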

Best Practices

| Practice | Description |
| --- | --- |
| Use Regulatory Templates | Start with pre-built templates for HIPAA, GDPR, or state requirements. |
| Document Retention Decisions | Record the rationale for all retention period decisions. |
| Regular Policy Reviews | Review retention policies quarterly with compliance and legal teams. |
| Automate Archival | Set up automatic archival to optimize storage costs. |
| Test Retrieval Process | Periodically test archived data retrieval to ensure accessibility. |
| Train on Deletion Requests | Ensure staff knows how to handle patient deletion requests properly. |