Mosio Data Retention Policy
Overview
Mosio retains messaging data and associated records to comply with healthcare regulations including HIPAA and FDA requirements. This document outlines what data is retained, how long it is kept, and the legal requirements that govern these practices.
What Data is Retained
Mosio retains both message content and metadata:
Message Content:
- SMS message text (inbound and outbound)
- Participant responses and system-generated messages
- Opt-in/opt-out records and consent documentation
Metadata:
- Participant phone numbers and identifiers
- Message timestamps and delivery status
- Campaign and study identifiers
- System audit logs and transaction records
Retention Periods
Production System
- Active Accounts: Data remains in the production system for the life of the account
- Deactivated Accounts: Data is removed from production during regular maintenance periods following account deactivation
Backup Systems
- Minimum Retention: 6 years after account closure
- Format: Full encrypted database snapshots
- Deletion Limitations: Backups are complete database dumps and cannot be partially modified to remove individual participant records
Legal Requirements
HIPAA Compliance (45 CFR Parts 160 and 164)
Under HIPAA's Security Rule (45 CFR § 164.316) and Privacy Rule (45 CFR § 164.530), covered entities and business associates must retain:
- Documentation of policies, procedures, and compliance activities
- Security incident logs and risk assessments
- Business associate agreements and related documentation
Retention Period: Minimum of 6 years from the date of creation or when last in effect, whichever is later
Reference: HHS HIPAA FAQs
FDA Regulations (21 CFR Part 11 and Predicate Rules)
For clients conducting FDA-regulated clinical trials, electronic records must be retained according to applicable predicate rules:
- Investigational drug trials (21 CFR 312.62): 2 years after a marketing application is approved for the indication studied; if no application is filed or it is not approved, 2 years after the investigation is discontinued and FDA is notified
- Medical device investigations (21 CFR 812.140): 2 years after the investigation is terminated or completed, or after the records are no longer needed to support a premarket submission, whichever is later
- Device manufacturing records (21 CFR 820.180): the expected life of the device, and in no case less than 2 years from release for commercial distribution
- Other pharmaceutical records (21 CFR 211.180): at least 1 year after the batch expiration date, or 3 years after distribution for certain OTC products exempt from expiration dating
Mosio's 6-year retention period meets or exceeds these requirements for most use cases.
Reference: FDA 21 CFR Part 11 Guidance
State Laws
Some state laws may impose additional retention requirements. Mosio's 6-year minimum retention period is designed to satisfy federal requirements; clients should consult legal counsel regarding specific state obligations.
Regulatory Context
Mosio serves as a Business Associate under HIPAA and maintains systems that may be subject to FDA inspection for clients conducting regulated research. Our retention policies reflect:
For FDA-Regulated Clients:
- Legal Requirement: Federal regulations mandate retention of electronic records used in clinical trials and FDA-regulated studies
- Compliance Support: Our 6-year retention ensures data availability for regulatory inspections and audit trail requirements under 21 CFR Part 11
For HIPAA-Only Clients:
- Business Practice: While HIPAA does not mandate retention of messaging data itself, we maintain encrypted backups for 6 years to support potential audits, legal discovery, and data integrity verification
- Technical Limitation: Our backup architecture (full encrypted database snapshots) does not permit selective deletion of individual records
- Industry Alignment: This practice aligns with healthcare industry standards and ensures we can support your compliance needs if questions arise
All Clients: Across all use cases, our retention policies preserve data integrity and audit trails while providing reasonable data lifecycle management and protecting participant privacy, so that we can support client compliance obligations during regulatory inspections and meet the technical and legal requirements specific to healthcare technology platforms.
Data Security During Retention
Throughout the retention period, Mosio maintains appropriate safeguards in compliance with HIPAA's Security Rule (Subpart C of 45 CFR Part 164) to protect electronic protected health information (ePHI):
- Encryption: All backup data is encrypted at rest
- Access Controls: Strict role-based access limitations
- Audit Trails: Comprehensive logging of data access and system activities
- Use Limitations: Backup data is not used or disclosed except as permitted by law
Deletion Requests
Production Data
Upon client request, Mosio can remove participant data from active production systems.
Backup Data
Due to the technical architecture of our backup system (full encrypted database snapshots), individual participant records cannot be selectively deleted from backups. All backup data is subject to the 6-year minimum retention period, after which backups are securely destroyed according to our data disposal procedures.
This approach ensures:
- Compliance with healthcare regulations requiring data retention
- Data integrity for regulatory audits and legal requirements
- Protection against unauthorized modification of historical records