Best Practices for Creating an Email Archiving Policy
It is important to create a formal email archiving policy that establishes how long emails should be retained before being permanently and securely deleted to ensure compliance with federal, state, and industry regulations. Emails are considered to be just as important as written documents and regulators and the courts do not take kindly to poor email retention practices and emails that cannot be produced when requested.
If you are requested to provide emails by regulators such as the HHS’ Office for Civil Rights for an audit or compliance investigation, you receive an eDiscovery request, or there is a legal issue, the consequences of not being able to produce emails can be severe. Financial penalties may be imposed, and your organization’s reputation can be damaged.
By formalizing an email archiving policy and automating that policy using an email archiving solution you will be able to eliminate the potential for human error and will always be able to produce email correspondence and email attachments on request and reduce your legal liability.
Minimum Email Retention Periods
HIPAA-covered entities are required to retain certain documentation and while email is not specifically mentioned in regard to data retention, the rules do apply to data stored in email accounts. You may also need to produce copies of email containing PHI for investigations to demonstrate compliance and when there are legal disputes.
The HIPAA retention requirements outlined in CFR §164.316(b)(2)(i) state that policies and procedures related to HIPAA compliance must be retained for a minimum of 6 years from the date of creation or the date when the policy was last in effect.
Additional regulations that have email data retention requirements are detailed below:
- Pharmaceutical firms and manufacturers of biological products are required to comply with FDA – Title 21, Part 11, which has variable data retention requirements ranging from 5 to 35 years.
- All public companies are required to comply with the requirements of the Sarbanes Oxley (SOX) Act, which calls for covered data to be retained for 7 years.
- If you are required to comply with the Payment Card Industry Data Security Standard (PCI DSS) there is a minimum data retention period of 1 year.
- Federal, state, and local government agencies must retain email data under FOIA for 3 years
- IRS regulations require all companies to retain tax-related data for a period of 7 years.
Creating an Email Archiving Policy
When creating your email archiving policy, it is important to work closely with your finance, HR, IT, and legal teams to ensure that you meet all of your retention obligations and factor these into your retention policies.
The retention periods for different types of data can vary considerably and are covered by several different regulations. There are different data retention periods set at the federal, state, and local level for certain data types, as well as industry specific regulations such as HIPAA. These must all be factored into your email archiving policy and fully checked by your legal team.
The first step to take when creating an email archiving policy is to determine the minimum data retention periods for different types of data. While it is easier to apply a minimum data retention period covering all data types, by applying data retention policies by data type, you will be able to limit your data storage costs and minimize liability. It is a good best practice to only retain data for the minimum data retention period.
If you set your policy based on data type, you could, for example, have a retention period of 7 years for all financial correspondence, 6 years for all administrative correspondence, and 3 years for all patient correspondence. You may find it easier when creating and implementing an email archiving policy to set your retention periods by department. To meet IRS requirements you could set a 7-year email retention period for emails from the finance department, but only have a minimal 3-year requirement for IT department emails. A combination of both approaches may suit your organization better.
Once your formal email retention policy has been created it must be signed off by your legal department and then communicated to all users. The best approach to take to ensure the policy is adhered to is to automate email retention as far as possible. This is easily achieved using an email archiving solution.
An email archiving solution can be used to automatically capture all sent and received emails, apply your policies, and send those emails to the archive. Many email archiving solutions can categorize emails and apply the appropriate policy and retention period, then automatically delete those emails when the retention period ends. You should also ensure that you put restrictions in place to prevent users from creating and saving .pst files to retain email data.
Finally, you should ensure that all users are trained how to use the archive and retrieve old emails to ease the burden on your IT department. Most email archiving solutions integrate with mail clients to make accessing the email archive an easy process.