Best Practices for Creating an Email Archiving Policy
It is important to create a formal email archiving policy that establishes how long emails must be retained before they are permanently and securely deleted, so that the organization complies with federal, state, and industry regulations. Emails carry the same evidentiary weight as written documents, and regulators and the courts take a dim view of poor retention practices and of emails that cannot be produced when requested.
If a regulator such as the HHS’ Office for Civil Rights requests emails for an audit or compliance investigation, if you receive an eDiscovery request, or if there is a legal dispute, the consequences of not being able to produce the emails can be severe: financial penalties may be imposed, and your organization’s reputation can be damaged.
By formalizing an email archiving policy and automating it with an email archiving solution, you remove most of the scope for human error, can produce email correspondence and attachments on request, and reduce your legal liability.
Minimum Email Retention Periods
HIPAA-covered entities are required to retain certain documentation. Email is not mentioned specifically in the retention requirements, but those requirements apply equally to that documentation when it is stored in email accounts. Note that HIPAA itself does not set a retention period for medical records; that is a matter of state law. You may also need to produce copies of emails containing PHI to demonstrate compliance during an investigation or in a legal dispute.
The HIPAA retention requirement in 45 CFR §164.316(b)(2)(i) states that the policies, procedures, and other documentation required by the Security Rule must be retained for a minimum of 6 years from the date of creation or the date when the document was last in effect, whichever is later.
Additional regulations that have email data retention requirements are detailed below:
- Pharmaceutical firms and manufacturers of biological products that keep electronic records under FDA 21 CFR Part 11 must retain them for the period set by the applicable FDA predicate rule (Part 11 governs the integrity of electronic records rather than setting its own periods); the resulting retention requirements range from 5 to 35 years depending on the record type.
- All public companies are required to comply with the Sarbanes-Oxley (SOX) Act, under which covered records must be retained for 7 years.
- If you are required to comply with the Payment Card Industry Data Security Standard (PCI DSS), audit log history must be retained for a minimum of 1 year (Requirement 10). Note that PCI DSS requires cardholder data itself to be kept no longer than business needs dictate, so retention rules for email that may contain card data should favor minimization.
- Federal agencies must manage email that constitutes a federal record under the Federal Records Act and their NARA-approved records schedules so that it can be produced under FOIA; state and local agencies are subject to their own public records laws. A 3-year minimum is commonly cited, but the applicable records schedule governs and may require longer.
- IRS record-keeping rules require tax-related records to be kept for as long as a return can be amended or audited, generally 3 years and up to 7 years depending on the circumstances, so a 7-year retention period is the usual conservative choice for tax-related correspondence.
Creating an Email Archiving Policy
When creating your email archiving policy, it is important to work closely with your finance, HR, IT, and legal teams to ensure that you meet all of your retention obligations and factor these into your retention policies.
The retention periods for different types of data vary considerably and are set by several different regulations: federal, state, and local requirements for particular data types, plus industry-specific regulations such as HIPAA. All of these must be factored into your email archiving policy and checked by your legal team.
The first step when creating an email archiving policy is to determine the minimum retention period for each type of data. It is simpler to apply one retention period to all data, but setting retention by data type limits storage costs and liability. Good practice is to keep data no longer than the applicable minimum, with one exception: anything subject to a legal hold must be preserved until the hold is lifted, regardless of the retention schedule.
If you set your policy by data type you could, for example, retain financial correspondence for 7 years, administrative correspondence for 6 years, and patient correspondence for 3 years (check the last figure against your state’s medical record retention law). You may find it easier to set retention periods by department instead: to meet IRS requirements you could retain finance department email for 7 years, while IT department email need only be kept for 3 years. A combination of the two approaches may suit your organization better. Where more than one period applies to a message, the longest one governs.
Once the formal email retention policy has been drafted, it must be signed off by your legal department and communicated to all users. The most reliable way to ensure adherence is to automate retention as far as possible, which an email archiving solution makes straightforward.
An email archiving solution captures all sent and received email automatically, applies your policies, and writes the messages to the archive. Many solutions categorize messages, apply the matching retention period, and delete them automatically when that period ends. You should also prevent users from bypassing the archive by creating or saving .pst files; Outlook provides Group Policy settings (DisablePST and PSTDisableGrow) for exactly this purpose.
Finally, ensure that all users are trained in how to use the archive and retrieve old emails, to ease the burden on your IT department. Most email archiving solutions integrate with mail clients so that accessing the archive is straightforward.
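The following is an added example, not code from the original page or from any archiving product, showing how the retention rules described above can be resolved mechanically: classification labels from the archive's categorizer map to retention periods, a department-based fallback covers unlabelled mail, the longest applicable period wins when several labels apply, and a legal hold suspends deletion entirely. The schedule, labels, departments, addresses, and messages are constructed for illustration and are not a legal retention schedule.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Retention schedule in years, keyed by classification label. The labels and
# periods are constructed for this example; the real schedule comes from your
# legal review of the regulations that apply to you.
RETENTION_YEARS: Dict[str, int] = {
    "financial": 7,       # tax-related correspondence (IRS guidance)
    "hipaa-policy": 6,    # HIPAA policies and procedures, 45 CFR 164.316(b)(2)(i)
    "administrative": 6,
    "patient": 3,
    "default": 3,         # applied when nothing more specific matches
}

# Department-based fallback for messages the categorizer could not label.
DEPARTMENT_DEFAULT: Dict[str, str] = {
    "finance": "financial",
    "compliance": "hipaa-policy",
    "it": "default",
}


@dataclass
class Message:
    msg_id: str
    sender: str
    department: str
    received: date
    labels: Set[str] = field(default_factory=set)  # labels from the archive's categorizer


@dataclass
class Decision:
    msg_id: str
    retain_until: Optional[date]  # None means the message is on hold and must not be deleted
    reason: str


def add_years(d: date, years: int) -> date:
    """Add whole years, mapping 29 Feb to 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def applicable_labels(msg: Message) -> Set[str]:
    """Explicit labels win; otherwise fall back to the sender's department."""
    if msg.labels:
        return set(msg.labels)
    return {DEPARTMENT_DEFAULT.get(msg.department.lower(), "default")}


def retention_decision(msg: Message, legal_holds: Set[str]) -> Decision:
    """Resolve one message: a legal hold suspends deletion; otherwise the longest applicable period wins."""
    if msg.sender.lower() in legal_holds:
        return Decision(msg.msg_id, None, f"legal hold on custodian {msg.sender}")
    labels = applicable_labels(msg)
    # When several labels apply (e.g. a patient billing email is both "patient"
    # and "financial"), keep the message for the longest of the periods.
    governing = max(labels, key=lambda l: RETENTION_YEARS.get(l, RETENTION_YEARS["default"]))
    years = RETENTION_YEARS.get(governing, RETENTION_YEARS["default"])
    return Decision(msg.msg_id, add_years(msg.received, years), f"{governing}: {years} years")


def purge_candidates(messages: List[Message], legal_holds: Set[str], today: date) -> List[str]:
    """IDs of messages whose retention period has expired and that are not on hold, sorted."""
    out = []
    for m in messages:
        d = retention_decision(m, legal_holds)
        if d.retain_until is not None and d.retain_until <= today:
            out.append(m.msg_id)
    return sorted(out)


# Constructed sample data: five messages and one custodian under legal hold.
SAMPLE_MESSAGES = [
    Message("m1", "cfo@example.org", "finance", date(2016, 3, 1), {"financial"}),
    Message("m2", "helpdesk@example.org", "it", date(2022, 1, 15)),
    Message("m3", "billing@example.org", "finance", date(2016, 5, 5), {"patient", "financial"}),
    Message("m4", "privacy@example.org", "compliance", date(2017, 2, 28)),
    Message("m5", "nurse@example.org", "clinical", date(2020, 2, 29), {"patient"}),
]
LEGAL_HOLDS = {"billing@example.org"}
SAMPLE_TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        d = retention_decision(m, LEGAL_HOLDS)
        print(f"{d.msg_id}: retain until {d.retain_until or 'HOLD'} ({d.reason})")
    print("eligible for deletion:", purge_candidates(SAMPLE_MESSAGES, LEGAL_HOLDS, SAMPLE_TODAY))
```

Two design points matter here. The legal-hold check runs before any schedule lookup, so a hold can never be undercut by a short retention label, and the decision records its reason, which is what you will need to show an auditor when explaining why a message was or was not deleted. Run against the sample data, m3 is held despite its 7-year period having expired, m2 is kept until 2025, and m1, m4, and m5 are eligible for deletion.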
Do I need an email archive if I perform daily backups?
Recovering an email from a backup can be extremely time-consuming, because backups are not indexed for search: the backup set has to be restored before anything can be found. Before a message is sent to the archive it is indexed and duplicate content is removed, so the archive can be searched and messages recovered in seconds. Backups are for short-term storage and disaster recovery, not for retention or discovery.
Are there any hidden costs with cloud-based email archiving?
When researching email archiving solutions check whether you are charged for the total number of mailboxes or active mailboxes. The latter is preferable, especially if you have a high staff turnover. Be sure to check storage limits. Some solution providers do not place limits on email storage, others have restrictions, and the cost may increase considerably if the limit is reached.
How can an email archive help with GDPR compliance?
GDPR and other privacy regulations give individuals the right to access the personal data a company holds about them, including personal data stored in emails. When you receive a subject access request, an email archive lets you quickly find and retrieve all relevant messages. Under the GDPR the response deadline is one month, extendable by up to two further months for complex or numerous requests. That deadline may be impossible to meet if the emails exist only in backups.
Are all email archiving solutions HIPAA-compliant?
No. Because the provider stores ePHI on your behalf it is a business associate, so you must enter into a business associate agreement (BAA) with it, and some providers are not prepared to sign one. As a business associate, the solution must meet the requirements of the HIPAA Security Rule: access controls, protection of ePHI at rest and in transit, and preservation of the integrity of the archived email. Not every archiving product has these controls.
Do email archives need to be encrypted to comply with HIPAA?
The Security Rule lists encryption as an “addressable” implementation specification (45 CFR §164.312(a)(2)(iv) for data at rest and §164.312(e)(2)(ii) for data in transit), so an archive is not strictly required to be encrypted: a covered entity may instead document in its risk analysis why encryption is not reasonable and appropriate and what equivalent alternative measure it has implemented. An on-premises archive protected by strong access controls and network segmentation could be justified on that basis. In practice, however, encrypting the archive at rest and in transit is the expected control, and it is effectively required for a cloud archive: unencrypted ePHI that is lost or exposed is a reportable breach, whereas ePHI encrypted in line with HHS guidance is not.