
Health Screening Data Retention: Insurance Compliance Guide

A practical guide to health screening data retention insurance compliance, covering HIPAA, state laws, biometric regulations, and digital underwriting record-keeping.

gethealthscan.com Research Team

Retaining health screening data in compliance with insurance regulation has become one of those operational headaches that no one in the insurance industry particularly wants to own, but everyone needs to figure out. As carriers adopt digital health assessments and phone-based biometric screening to replace paramedical exams, they are collecting entirely new categories of data. And the regulatory frameworks governing how long you keep that data, who can access it, and when you destroy it were largely written before anyone imagined an insurance applicant would scan their face with a smartphone camera to get a life insurance policy.

According to a 2026 analysis by Sprinto, HIPAA requires covered entities to retain specific documentation for a minimum of six years from the date of creation or the date it was last in effect, whichever is later. But state-level requirements often extend well beyond that federal floor.

The regulatory patchwork carriers actually face

The first thing to understand about health screening data retention is that there is no single rule. Insurance carriers operate under overlapping federal, state, and sometimes international data retention mandates, and the obligations shift depending on the type of data collected, the jurisdiction where the applicant resides, and the specific screening methodology used.

At the federal level, HIPAA sets the baseline. The HIPAA retention requirements apply to specific administrative documents including policies, procedures, access logs, risk assessments, and authorization records. The six-year minimum is well-established, and as the HIPAA Journal noted in a January 2026 update, this requirement applies from the date of creation or from the date on which the document was last in effect.

But HIPAA does not actually mandate how long you retain medical records themselves. That question falls to the states. And this is where it gets messy.

State-level medical record retention laws vary from five years (in some states) to a patient reaching age 28 or 30 for pediatric records. For insurance purposes, the NAIC has published model laws on records maintenance, but adoption varies across states. Some states require insurance companies to maintain underwriting files for the life of the policy plus a specified period after termination. Others set fixed windows.

The table below breaks down retention requirements across the major regulatory layers:

| Regulatory framework | Scope | Retention period | What it covers |
|---|---|---|---|
| HIPAA (federal) | Administrative documents | 6 years from creation or last effective date | Policies, procedures, access logs, risk assessments, authorizations |
| HIPAA (federal) | Medical records | Not specified by HIPAA | Defers to state law |
| State medical record laws | Clinical/health records | 5-10 years (varies by state; longer for minors) | Patient health records, screening results, lab data |
| NAIC model regulation | Insurance records | Life of policy + 3-7 years post-termination (varies) | Underwriting files, applications, correspondence |
| Illinois BIPA | Biometric identifiers | 3 years after last interaction or purpose fulfilled | Fingerprints, retina scans, facial geometry, voiceprints |
| Texas CUBI | Biometric identifiers | Destroy when purpose fulfilled | Biometric data captured for commercial purposes |
| Washington WBPL | Biometric identifiers | Reasonable retention schedule required | Biometric data used in commercial context |
| GDPR (if EU applicants) | All personal data | Purpose-limited retention | Any personal data including health and biometric |
| CCPA/CPRA (California) | Consumer personal information | Purpose-limited + disclosure obligations | Health data, biometric data, inferences drawn |

What this means in practice: a carrier using digital health screening across multiple states needs to track retention obligations at the state level for every applicant. A New York applicant's screening data may have different retention rules than a Texas applicant's, and both differ from someone screened in Illinois.

Why digital screening creates new compliance questions

Traditional paramedical exams generated a fairly standard set of records: blood panel results, urine analysis, blood pressure readings, height, weight, and an examiner report. Carriers have decades of experience managing these records under existing retention frameworks.

Digital health screening introduces data types that do not fit neatly into those existing categories. When an applicant completes a phone-based biometric capture session using remote photoplethysmography (rPPG), the carrier may be collecting:

  • Raw video footage of the applicant's face
  • Extracted cardiovascular signal data (heart rate, heart rate variability, blood pressure estimates)
  • Facial geometry data used for signal processing
  • Device metadata (phone model, camera specifications, ambient lighting conditions)
  • Session timestamps and geolocation data
  • Algorithmic confidence scores and quality metrics

The raw video footage and facial geometry data are where things get complicated. Under Illinois' Biometric Information Privacy Act (BIPA), facial geometry qualifies as a biometric identifier. A November 2022 Illinois appellate court ruling established that any entity possessing biometric data must develop and publicly disclose a retention and destruction schedule. BIPA requires that biometric identifiers be destroyed when the initial purpose for collection has been satisfied or within three years of the individual's last interaction with the entity, whichever comes first.

For an insurance carrier, "the initial purpose" is underwriting the policy. But what happens after the policy is issued? If the carrier retains raw facial geometry data indefinitely as part of the underwriting file, they may be violating BIPA. If they destroy it too early, they may lose data needed for regulatory audits or litigation defense.

This tension between "keep everything for compliance" and "destroy biometric data promptly" is something most insurance compliance teams are still working through.

Building a data classification framework for screening records

The practical solution most compliance teams are landing on involves classifying digital health screening data into tiers with different retention rules. Not all data generated during a screening session carries the same regulatory weight or the same risk profile.

Tier 1: Underwriting decision data

This includes the extracted vital sign readings, risk scores, and algorithmic outputs that actually inform the underwriting decision. These are analogous to traditional lab results and should follow whatever retention period applies to underwriting files in each jurisdiction. For most carriers, that means retaining them for the life of the policy plus a post-termination buffer.

Tier 2: Session metadata and quality records

Device information, session timestamps, quality metrics, and confidence scores. These records support audit trails and may be needed to demonstrate that the screening was conducted properly. Retention here typically aligns with the carrier's general records retention policy, often seven to ten years.

Tier 3: Raw biometric data

Video footage, facial geometry, and any raw signal data that could identify the individual. This is the category where biometric privacy laws apply most directly. The approach gaining traction among carriers operating in BIPA-covered states is to process the raw data in real time, extract the health metrics needed for underwriting, and then destroy the raw biometric data within a defined window, often 30 to 90 days, once quality assurance checks are complete.

Tier 4: De-identified aggregate data

Anonymized, aggregated screening data used for actuarial modeling and product development. Once properly de-identified under HIPAA's safe harbor or expert determination standards, this data falls outside most retention restrictions and can be retained indefinitely.

What HIPAA's 2026 updates mean for screening data

Hall Render's March 2026 analysis of healthcare privacy law developments highlighted several changes that affect digital health screening operations. The most relevant is the finalization of rules aligning 42 CFR Part 2 (substance use disorder records) with general HIPAA protections, which simplifies some aspects of health data management but does not directly alter retention timelines.

More consequential for insurers is the continued rollout of state-level comprehensive privacy laws. As of early 2026, more than a dozen states have enacted or are implementing consumer privacy statutes that include health data provisions. Several of these laws impose purpose-limitation requirements on data retention, meaning carriers cannot simply retain health screening data indefinitely "just in case." They need a documented business purpose for ongoing retention, and they need to destroy the data when that purpose expires.

The practical impact: carriers need retention schedules that are not just legally defensible but actively maintained. A static policy written three years ago probably does not account for the biometric privacy laws enacted since then.

The real-world compliance workflow

For carriers implementing digital health screening, the compliance workflow looks something like this:

  • At collection: Inform the applicant what data is being collected, why, and how long it will be retained. Obtain any required consents (BIPA requires written informed consent before collecting biometric identifiers).
  • During processing: Extract underwriting-relevant health metrics from raw screening data. Run quality assurance checks. Separate Tier 1 through 4 data categories.
  • Post-underwriting decision: Destroy Tier 3 (raw biometric) data according to the applicable retention schedule. Archive Tier 1 and Tier 2 data with the underwriting file.
  • Ongoing: Run automated retention schedule checks. Flag records approaching their destruction date. Maintain audit logs of all data destruction events.
  • On policy termination: Begin the post-termination retention countdown for underwriting file data. Confirm that all biometric data was previously destroyed per schedule.

This sounds straightforward on paper. In practice, most carriers discover that their existing records management systems were not designed to handle tiered retention schedules with different rules for different data types within the same file. Legacy systems tend to treat the entire underwriting file as a single unit with a single retention date.
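The tiered retention schedule and the workflow steps above can be expressed as a small scheduler, which is the part legacy single-retention-date systems lack. The Python below is an added illustration written for this guide; it is not Circadify's code, nor any carrier's production retention engine. It implements the rules from the table at the level the guide describes: Tier 3 raw biometric data is destroyed at the earlier of "purpose fulfilled plus a QA window" and the BIPA three-year limit; Tier 1 underwriting data is kept for the life of the policy plus a post-termination buffer; Tier 2 metadata is kept for the later of the HIPAA six-year administrative floor and a general records policy; Tier 4 de-identified data carries no destruction date. The 90-day QA window, the per-state post-termination years, the set of BIPA-covered states and the sample records are constructed placeholders, not statements of any state's law. The last check shows the failure mode the guide warns about: a raw biometric record with no purpose-fulfilled date never gets a clock started, and is only caught at policy termination.

```python
"""Tiered retention scheduler for digital health screening records (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Tier(Enum):
    UNDERWRITING = 1      # Tier 1: vital signs, risk scores, algorithmic outputs
    SESSION_METADATA = 2  # Tier 2: device info, timestamps, quality metrics
    RAW_BIOMETRIC = 3     # Tier 3: video, facial geometry, raw rPPG signal
    DEIDENTIFIED = 4      # Tier 4: HIPAA safe-harbor / expert-determination aggregates


@dataclass
class ScreeningRecord:
    record_id: str
    tier: Tier
    state: str                                # applicant's state of residence
    created: date
    last_effective: Optional[date] = None     # HIPAA "last in effect" date for admin docs
    last_interaction: Optional[date] = None   # BIPA clock: last contact with the applicant
    purpose_fulfilled: Optional[date] = None  # underwriting decision issued
    policy_terminated: Optional[date] = None
    destroyed: Optional[date] = None


# Constructed policy parameters (placeholders, not legal advice).
BIPA_STATES = {"IL"}
RAW_QA_WINDOW = timedelta(days=90)            # guide: 30 to 90 days after QA completes
HIPAA_ADMIN_YEARS = 6
GENERAL_POLICY_YEARS = 7
POST_TERMINATION_YEARS = {"NY": 6, "TX": 5, "IL": 7}
DEFAULT_POST_TERMINATION_YEARS = 7


def add_years(d: date, n: int) -> date:
    """Calendar-year arithmetic that tolerates 29 February."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


def retention_deadline(rec: ScreeningRecord) -> Optional[Tuple[date, str]]:
    """Return (destruction date, governing rule), or None if no clock is running yet."""
    if rec.tier is Tier.DEIDENTIFIED:
        return None  # outside retention restrictions once properly de-identified
    if rec.tier is Tier.RAW_BIOMETRIC:
        candidates = []
        if rec.purpose_fulfilled:  # applies in every state: destroy once the purpose is met
            candidates.append((rec.purpose_fulfilled + RAW_QA_WINDOW, "purpose fulfilled + QA window"))
        if rec.state in BIPA_STATES and rec.last_interaction:
            candidates.append((add_years(rec.last_interaction, 3), "BIPA 3-year limit"))
        return min(candidates, key=lambda c: c[0]) if candidates else None
    if rec.tier is Tier.UNDERWRITING:
        if rec.policy_terminated is None:
            return None  # life of policy: the countdown only starts at termination
        years = POST_TERMINATION_YEARS.get(rec.state, DEFAULT_POST_TERMINATION_YEARS)
        return add_years(rec.policy_terminated, years), f"policy termination + {years}y"
    # Tier 2: later of the HIPAA administrative floor and the carrier's general policy
    hipaa_floor = add_years(max(rec.created, rec.last_effective or rec.created), HIPAA_ADMIN_YEARS)
    general = add_years(rec.created, GENERAL_POLICY_YEARS)
    return max((hipaa_floor, "HIPAA 6-year floor"), (general, "general records policy"),
               key=lambda c: c[0])


def approaching_destruction(records: List[ScreeningRecord], today: date,
                            lookahead: timedelta = timedelta(days=30)) -> List[Tuple[str, date]]:
    """Ongoing step: flag live records whose destruction date falls within the lookahead."""
    out = []
    for r in records:
        dl = retention_deadline(r) if r.destroyed is None else None
        if dl and today <= dl[0] <= today + lookahead:
            out.append((r.record_id, dl[0]))
    return out


def destroy_due(records: List[ScreeningRecord], today: date, audit_log: List[Dict[str, str]]) -> List[str]:
    """Destroy records whose deadline has passed and write an audit entry for each event."""
    destroyed = []
    for r in records:
        dl = retention_deadline(r) if r.destroyed is None else None
        if dl and dl[0] <= today:
            r.destroyed = today
            audit_log.append({"record_id": r.record_id, "tier": r.tier.name,
                              "destroyed_on": today.isoformat(), "rule": dl[1]})
            destroyed.append(r.record_id)
    return destroyed


def biometric_retained_past_termination(records: List[ScreeningRecord]) -> List[str]:
    """Policy-termination step: raw biometric data should already be gone by now."""
    return [r.record_id for r in records
            if r.tier is Tier.RAW_BIOMETRIC and r.policy_terminated and r.destroyed is None]


def sample_records() -> List[ScreeningRecord]:
    """Constructed sample data; the WA record never had its purpose-fulfilled date set."""
    return [
        ScreeningRecord("RAW-IL-001", Tier.RAW_BIOMETRIC, "IL", date(2025, 1, 10),
                        last_interaction=date(2025, 1, 10), purpose_fulfilled=date(2025, 2, 1)),
        ScreeningRecord("UW-NY-001", Tier.UNDERWRITING, "NY", date(2020, 6, 15),
                        policy_terminated=date(2024, 3, 31)),
        ScreeningRecord("META-IL-001", Tier.SESSION_METADATA, "IL", date(2020, 6, 15)),
        ScreeningRecord("AGG-001", Tier.DEIDENTIFIED, "US", date(2021, 1, 1)),
        ScreeningRecord("RAW-WA-001", Tier.RAW_BIOMETRIC, "WA", date(2019, 5, 5),
                        last_interaction=date(2019, 5, 5), policy_terminated=date(2024, 1, 1)),
    ]


if __name__ == "__main__":
    recs, log = sample_records(), []
    print("approaching:", approaching_destruction(recs, date(2025, 4, 10)))
    print("destroyed:", destroy_due(recs, date(2025, 5, 2), log), log)
    print("retained past termination:", biometric_retained_past_termination(recs))
```

Running it prints the Illinois raw record as approaching destruction on 10 April 2025, destroys it on 2 May 2025 under the purpose-fulfilled rule with an audit entry, and then reports the Washington raw record as retained past policy termination because no deadline was ever computed for it. That last line is the record a single-retention-date legacy file would silently keep.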

Current research and evidence

Research from the International Association of Privacy Professionals (IAPP) indicates that the intersection of insurance, health data, and biometric privacy remains an area of active regulatory development. Their 2025 State Privacy Legislation Tracker documented biometric data provisions in privacy laws across Illinois, Texas, Washington, Colorado, Connecticut, and several other states, with additional legislation pending in more than a dozen others.

The Deloitte Center for Financial Services published a 2024 report on data governance in insurance that found only 38% of surveyed carriers had fully documented data retention schedules covering digital health screening data. The remainder were either applying general retention policies without specific provisions for biometric data, or had not yet addressed the question.

Dr. Daniel Solove, a professor at George Washington University Law School and one of the leading scholars on information privacy, has written extensively on the challenges of applying existing privacy frameworks to new categories of biometric and health data. His work makes clear that retention policies need to be treated as living documents, revisited whenever new data types are introduced or new jurisdictions enter the picture.

The future of health screening data governance

Two trends are converging that will reshape how carriers think about screening data retention over the next several years.

First, the continued expansion of state biometric privacy laws. Illinois BIPA was an outlier when it was enacted in 2008. It is no longer an outlier. The pattern of state-level biometric regulation is accelerating, and carriers using facial-analysis-based screening need to plan for a future where BIPA-style obligations exist in most states, not just a handful.

Second, the shift toward edge processing and data minimization by design. Technology providers in the digital screening space are increasingly processing biometric data on the applicant's device rather than transmitting raw video to cloud servers. This approach, where raw facial data never leaves the phone and only extracted health metrics are transmitted to the carrier, substantially reduces the compliance surface area. If the carrier never possesses raw biometric identifiers, many biometric privacy obligations do not apply.

Circadify's approach to contactless health screening reflects this direction. By capturing vital signs through the applicant's smartphone camera and extracting health metrics locally, the architecture is designed with data minimization at its foundation. For carriers evaluating digital screening vendors, the data processing architecture is not just a technical detail; it is a compliance differentiator.

For a deeper look at how digital screening integrates into the underwriting workflow, see our analysis of how to integrate health screening into your insurance application flow.

Frequently Asked Questions

How long must insurance companies retain health screening data under HIPAA?

HIPAA requires retention of specific administrative documents for six years, but it does not set a federal retention period for medical records themselves. Medical record retention is governed by state law, which typically ranges from five to ten years. Insurance underwriting files are subject to additional state insurance regulations, often requiring retention for the life of the policy plus a post-termination period. Carriers need to check the specific requirements in every state where they operate.

Does biometric data from digital health screening fall under BIPA?

If the screening captures facial geometry or other biometric identifiers, and the applicant is an Illinois resident, then yes. BIPA requires written informed consent before collection, a publicly available retention and destruction schedule, and destruction of biometric data when its purpose is fulfilled or within three years of the last interaction. Other states have enacted or are considering similar laws, so BIPA compliance is increasingly treated as a baseline rather than an exception.

Can carriers retain raw video from phone-based health screenings indefinitely?

Not advisable, and in many jurisdictions, not legal. Raw video containing facial imagery qualifies as biometric data under several state laws. Best practice is to extract the health metrics needed for underwriting in real time, run quality checks within a defined window, and then destroy the raw video. Many carriers are adopting 30- to 90-day raw data retention windows before mandatory destruction.

What happens if a carrier fails to comply with data retention regulations?

Penalties vary by jurisdiction and regulation. HIPAA violations can result in fines from $100 to $50,000 per violation, with annual maximums up to $1.5 million per violation category. BIPA allows private right of action with statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, which has produced several high-profile class action settlements exceeding $200 million. State insurance regulators can impose separate penalties including fines, corrective action orders, and in severe cases, license revocation.
