Healthcare institution: HR file versus patient file
A healthcare institution manages two large types of archive that can look similar on the outside but differ fundamentally in law. Patient files fall under the WGBO with a retention period of twenty years. HR files fall under a combination of employment law, tax retention duty and the GDPR, with a period varying from two to seven years per document type. The legal basis differs, the risk profile differs, and physical or digital storage should be strictly separated. This article shows how to design that separation in practice.
Two archives, two regimes
Patient files: special categories of personal data under GDPR art. 9; legal basis: performance of the treatment agreement (WGBO); retention period twenty years from last contact. Access limited to treating clinicians and care staff directly involved in the treatment. Professional confidentiality may be broken only on compelling grounds.
HR files: ordinary personal data, sometimes with special elements (occupational health file); legal basis: performance of the employment contract and statutory obligation; retention periods differentiated per document type. Access limited to HR, the manager and directly involved staff.
Extensive WGBO context is in our article WGBO 20 years for patient files.
Retention periods at a glance
Patient file
- Main file: twenty years from last contact (WGBO art. 7:454 BW).
- For minors: twenty years from the 18th birthday.
- Imaging material (X-ray, ultrasound, MRI): travels with the file.
- Admission files, nursing reports, medication lists: part of the main file.
HR file
- Payroll administration: seven-year tax retention from end of financial year.
- Employment contract: up to seven years after end of employment.
- Copy of ID: as a rule maximum two years after end of employment.
- Application data of rejected candidates: four weeks, with consent up to one year.
- BIG registration and professional diplomas: as long as the employee is in role plus a reasonable period for liability claims.
- Occupational health file: after end of employment often kept briefly, depending on liability.
Why entanglement is risky
In smaller healthcare practices (GP, dentist, physio, GZ psychologist) HR administration is sometimes a side role of the practice holder. The temptation is then strong to keep staff employment contracts in the same row of folders as patient files. Risks:
- A care worker looking up a patient accidentally gains insight into a colleague's employment data.
- A patient with the right to a copy asks for "the whole file" and an employment contract is included.
- On takeover or split of the practice it becomes unclear what belongs where.
- During destruction of patient files after twenty years, personnel documents that are still within their own seven-year period are accidentally swept up.
Entanglement of HR and patient files is one of the silent structural faults in care archives. It only comes to light at an audit, a data breach or a takeover.
Confidentiality duty and professional secrecy
The professional secrecy of healthcare providers (art. 7:457 BW, disciplinary law) applies to patient information and stands separately from the GDPR. The confidentiality duty for HR information rests on the employer and the staff involved on the basis of the employment relationship. When you keep both kinds in the same archive, the chance is real that an event affecting professional secrecy also exposes HR information.
Physical and digital separation
Three practical rules:
- Physical. Patient files in a separate cabinet or room. HR files in another cabinet or in a safe in the office. Keys and access rights managed separately for each.
- Digital. Patient files in the healthcare information system (for example HIS, dental software, fysiomanager). HR files in an HR tool or restricted folder. No overlap in access.
- Transport. On physical movement (relocation, renovation, destruction) the separation stays intact. A separate box, a separate container, a separate batch.
See also our GDPR retention periods cheatsheet for a quick overview per document type.
Destruction routines
Because the periods differ, so do the rhythms. Patient files are usually destroyed in annual or biennial cohorts based on "last contact plus twenty years". HR files are cleared annually in two streams: copy of ID two years out of employment, payroll and contract after seven years. Always keep these streams separated during destruction, if only to be able to archive the destruction certificate per category.
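The two destruction rhythms described above, and the retention periods listed earlier, can be turned into a small cohort planner. The script below is an added example and is not part of the original article or of any records system; it assumes four streams (patient main file, copy of ID, payroll administration, employment contract), assumes the financial year ends on 31 December, and uses constructed sample records. It applies the minors rule (twenty years from the 18th birthday when that is later than last contact) and never mixes streams in one batch, so a certificate can be produced per category.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Retention periods as stated in the article (years)
PATIENT_YEARS = 20       # WGBO: twenty years from last contact
HR_ID_COPY_YEARS = 2     # copy of ID: two years after end of employment
HR_PAYROLL_YEARS = 7     # payroll: seven years from end of financial year
HR_CONTRACT_YEARS = 7    # employment contract: up to seven years after end of employment


def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 February falls back to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)
class Record:
    record_id: str
    stream: str                 # "patient", "hr_id_copy", "hr_payroll" or "hr_contract"
    trigger: date               # last contact, end of employment, or a date in the financial year
    date_of_birth: Optional[date] = None   # patients only, needed for the minors rule


def earliest_destruction(rec: Record) -> date:
    """Earliest date on which the record may be destroyed under its stream's rule."""
    if rec.stream == "patient":
        start = rec.trigger
        if rec.date_of_birth is not None:
            # Minors: the clock starts at the 18th birthday if that is later than last contact
            start = max(start, add_years(rec.date_of_birth, 18))
        return add_years(start, PATIENT_YEARS)
    if rec.stream == "hr_id_copy":
        return add_years(rec.trigger, HR_ID_COPY_YEARS)
    if rec.stream == "hr_payroll":
        # Assumption: financial year ends 31 December; count from that year end
        fy_end = date(rec.trigger.year, 12, 31)
        return add_years(fy_end, HR_PAYROLL_YEARS)
    if rec.stream == "hr_contract":
        return add_years(rec.trigger, HR_CONTRACT_YEARS)
    raise ValueError(f"unknown stream {rec.stream!r}")


def destruction_cohorts(records: List[Record], as_of: date) -> Dict[str, List[str]]:
    """Records whose retention has expired on `as_of`, grouped strictly per stream."""
    cohorts: Dict[str, List[str]] = defaultdict(list)
    for rec in records:
        if earliest_destruction(rec) <= as_of:
            cohorts[rec.stream].append(rec.record_id)
    return {stream: sorted(ids) for stream, ids in cohorts.items()}


def certificates(cohorts: Dict[str, List[str]], as_of: date) -> List[dict]:
    """One destruction certificate entry per stream, so they can be archived separately."""
    return [
        {"stream": stream, "as_of": as_of.isoformat(), "count": len(ids), "record_ids": ids}
        for stream, ids in sorted(cohorts.items())
    ]


# Constructed sample records (not real data)
SAMPLE_RECORDS = [
    Record("P-001", "patient", date(2004, 3, 10), date(1970, 1, 1)),   # adult at last contact
    Record("P-002", "patient", date(2004, 3, 10), date(1995, 6, 15)),  # minor at last contact
    Record("P-003", "patient", date(2005, 1, 1), date(1960, 5, 5)),
    Record("H-ID-001", "hr_id_copy", date(2022, 9, 30)),
    Record("H-PAY-001", "hr_payroll", date(2016, 5, 1)),
    Record("H-CON-001", "hr_contract", date(2018, 3, 31)),
]


def demo_cohorts() -> Dict[str, List[str]]:
    """Cohorts due for destruction at the end of 2024 for the sample records."""
    return destruction_cohorts(SAMPLE_RECORDS, date(2024, 12, 31))


if __name__ == "__main__":
    for cert in certificates(demo_cohorts(), date(2024, 12, 31)):
        print(cert)
```

Note that the minor in the sample (P-002) shares a last-contact date with P-001 but is not due until 2033, which is exactly the case a single "last contact plus twenty years" sweep would get wrong.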
Mobile destruction on site
Given the sensitivity of both file types, mobile destruction at the care location is the least disruptive route. The destruction truck arrives at the institution, the two batches are processed separately at DIN 66399 P-5, two certificates are handed over, and nothing leaves the building intact. This works especially well for healthcare institutions with multiple locations: scheduled per site, with the certainty that professional secrecy is not put at risk in transit.
Separate and clear out the archive?
We come to the care location and destroy HR and patient archives separately. Two certificates, handed over on the spot.
Request a quote
In summary
- Patient file: twenty years, GDPR art. 9 special category.
- HR file: period-differentiated, two to seven years.
- Store physically and digitally separately and restrict access.
- Destroy per stream, document per stream, archive certificates separately.
- Mobile destruction on site prevents professional secrecy being lost in transit.
More sector-specific information is on our page for healthcare providers and practices.