While email retention is not specifically mentioned in the HIPAA text, certain provisions cover data retention and backup, which apply to protected health information and HIPAA documentation, regardless of where that information is stored, including email accounts. Healthcare organizations that do not have a HIPAA email retention policy are potentially at risk of noncompliance.
Why is a HIPAA Email Retention Policy Important?
HIPAA requires covered entities and their business associates to retain all documents related to security, privacy policies and procedures, and PHI for a period of at least six years from the date of creation or the date when it was last in effect, whichever is later.
Typically for most covered entities, the documentation that must be retained includes:
- Information security policies and practices
- Risk analyses
- Notices of privacy practices
- Patient authorizations
- Business associate agreements
- Access logs
- IT security reviews and other IT security-related documents
- Employee sanction policies
- Breach notifications
- Complaint and resolution documents
- Training documents
- Patient requests
- Policies and procedural documentation.
Covered entities and business associates must also ensure documentation and PHI is backed up and that a retrievable, exact copy of electronic protected health information exists.
A HIPAA email retention policy should be developed that requires all the above documentation to be retained for 6 years or more to meet HIPAA requirements. An email archive can also help satisfy HIPAA backup requirements, meet state documentation and PHI retention laws, and an email archive is also incredibly valuable when dealing with complaints and for e-discovery.
HIPAA Compliant Email Archiving
It is strongly recommended that you develop a HIPAA email retention policy and implement an email archiving solution with a HIPAA compliant email archiving company.
A HIPAA compliant email archiving solution, such as ArcTitan, is the ideal solution for healthcare organizations to help them meet state and federal data retention requirements. The solution can be used to store business-related emails which must be retained to comply with state laws, but it will also ensure that any PHI contained in emails is stored securely in compliance with the HIPAA Security Rule.
A HIPAA compliant email archive captures and retains all emails that are sent or received, the archive is searchable to allow quick retrieval of email data when required, email data is preserved in its original format and is tamper-proof, audit logs are maintained, and controls can be implemented to restrict access to authorized individuals only.
The email archive also serves as a data loss prevention tool and safeguards the confidentiality, integrity, and availability of PHI and HIPAA documents sent via email.