
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Best Practices for Creating an Email Archiving Policy

Applying best practices when creating an email archiving policy enables a business to produce a formal policy that establishes how long emails must be retained before they are permanently and securely deleted, so that the business complies with federal, state, and industry regulations. Emails are considered just as important as written documents, and regulators and the courts do not take kindly to poor email retention practices or to emails that cannot be produced when requested.

Read about email retention requirements in our recent HIPAA compliant email retention solution review.

If you are asked to produce emails by a regulator such as the HHS’ Office for Civil Rights for an audit or compliance investigation, if you receive an eDiscovery request, or if there is a legal dispute, the consequences of being unable to produce those emails can be severe. Financial penalties may be imposed, and your organization’s reputation can be damaged.

By formalizing an email archiving policy and automating the policy using an email archiving solution, you will be able to eliminate the potential for human error and will always be able to produce email correspondence and email attachments as required.


Minimum Email Retention Periods

HIPAA-covered entities are required to retain certain documentation. While email is not specifically mentioned in regard to data retention, the rules do apply to any HIPAA policy or procedure documentation stored in email accounts. You may also need to produce copies of email containing PHI for investigations to demonstrate compliance and when there are legal disputes.

The HIPAA retention requirements outlined in CFR §164.316(b)(2)(i) state that policies and procedures related to HIPAA compliance must be retained for a minimum of 6 years from the date of creation or the date when the policy was last in effect. Additionally, each state has its own retention requirements for medical records which – in some cases – pre-empt HIPAA.

Additional regulations that have email data retention requirements are detailed below:

  • Pharmaceutical firms and manufacturers of biological products are required to comply with FDA – Title 21, Part 11, which has variable data retention requirements ranging from 5 to 35 years.
  • All public companies are required to comply with the requirements of the Sarbanes Oxley (SOX) Act, which calls for covered data to be retained for 7 years.
  • If you are required to comply with the Payment Card Industry Data Security Standard (PCI DSS) there is a minimum data retention period of 1 year.
  • Federal, state, and local government agencies must retain email data under FOIA for 3 years.
  • IRS regulations require all companies to retain tax-related data for a period of 7 years.

Email Retention Best Practices

Prior to creating an email retention policy, there are a few email retention best practices businesses should adopt. Possibly the most important one is to determine which state and federal regulations the business has to comply with and what regulatory minimum retention periods apply in each case. It is also necessary to be aware of regulations that require data to be deleted as soon as it has served the purpose for which it was collected.

When minimum and maximum retention periods have been established for each email type, businesses should implement a tagging system that labels each email with its type. This makes it easier to apply an email archiving policy to each email type and – when used with an automated deletion system such as Microsoft Retention Tags – to delete archived emails when they reach the expiry date stipulated by each policy.

Creating an Email Archiving Policy

When creating your email archiving policy, it is important to work closely with your finance, HR, IT, and legal teams to ensure that you meet all of your retention obligations and factor these into your retention policies.

The retention periods for different types of data can vary considerably and are covered by several different regulations. There are different data retention periods set at the federal, state, and local level for certain data types, as well as industry specific regulations such as HIPAA. These must all be factored into your email archiving policy and fully checked by your legal team.

The first step to take when creating an email archiving policy is to determine the minimum data retention periods for the different types of data. Although it is easier to apply a single minimum retention period covering all data types, setting retention policies per data type lets you limit your data storage costs and minimize liability. It is good practice to retain data only for the minimum data retention period.

If you set your policy based on data type, you could, for example, have a retention period of 7 years for all financial correspondence, 6 years for all administrative correspondence, and 3 years for all patient correspondence. You may find it easier when creating and implementing an email archiving policy to set your retention periods by department. To meet IRS requirements you could set a 7-year email retention period for emails from the finance department, but only have a minimal 3-year requirement for IT department emails. A combination of both approaches may suit your organization better.

Once your formal email retention policy has been created it must be signed off by your legal department and then communicated to all users. The best approach to take to ensure the policy is adhered to is to automate email retention as far as possible. This is easily achieved using an email archiving solution.

An email archiving solution can be used to automatically capture all sent and received emails, apply your policies, and send those emails to the archive. Many email archiving solutions can categorize emails and apply the appropriate policy and retention period, then automatically delete those emails when the retention period ends. You should also ensure that you put restrictions in place to prevent users from creating and saving .pst files to retain email data.
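The procedure above (minimum periods per data type, a retention tag per email, automatic deletion at expiry) can be reduced to a small policy evaluator. The following is an added example, not code from The HIPAA Journal or from any archiving vendor. It assumes the archive already records each message's sending department and that a few subject keywords are enough to assign a content category; every rule, period and message in it is constructed for illustration, with the periods mirroring the article's own examples. Where a message matches more than one rule it applies the longest minimum, because deleting at the shortest minimum would breach whichever regulation demanded the longer one, and it never auto-deletes a message it cannot classify or whose rules contradict each other.

```python
"""Retention-policy evaluator for an email archive.

Added example, not code from The HIPAA Journal or any vendor. Assumes the
archive records each message's department and that subject keywords are
enough to assign a content category. All rules, periods and messages are
constructed (7 years finance, 6 years administrative, 3 years patient / IT).
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Rule:
    tag: str                         # retention tag written into the archive
    min_years: int                   # regulatory minimum retention period
    max_years: Optional[int] = None  # set where a rule says "delete once the purpose is served"


# Department-based rules (constructed).
DEPARTMENT_RULES = {
    "finance": Rule("finance-7y", 7),  # IRS: tax-related data for 7 years
    "it": Rule("it-3y", 3),
}

# Data-type rules, matched on subject keywords (constructed).
CATEGORY_RULES = {
    "financial": Rule("financial-correspondence-7y", 7),
    "administrative": Rule("administrative-correspondence-6y", 6),
    "patient": Rule("patient-correspondence-3y", 3),
    # Hypothetical "delete when no longer needed" rule carrying a maximum period.
    "marketing": Rule("marketing-1y", 1, max_years=1),
}
KEYWORDS = {
    "invoice": "financial",
    "payment": "financial",
    "appointment": "patient",
    "policy": "administrative",
    "newsletter": "marketing",
}


@dataclass(frozen=True)
class Email:
    msg_id: str
    department: str
    subject: str
    received: date


def tag_email(email: Email) -> tuple:
    """Return every rule that applies to this message (department plus content type)."""
    rules = set()
    if email.department in DEPARTMENT_RULES:
        rules.add(DEPARTMENT_RULES[email.department])
    subject = email.subject.lower()
    for keyword, category in KEYWORDS.items():
        if keyword in subject:
            rules.add(CATEGORY_RULES[category])
    return tuple(sorted(rules, key=lambda r: r.tag))


def effective_period(rules) -> tuple:
    """Combine overlapping rules: the longest minimum and the shortest maximum win."""
    min_years = max(r.min_years for r in rules)
    maxima = [r.max_years for r in rules if r.max_years is not None]
    max_years = min(maxima) if maxima else None
    return min_years, max_years


def disposition(email: Email, today: date) -> str:
    """Decide what the archive should do with a message on a given day."""
    rules = tag_email(email)
    if not rules:
        return "unclassified"  # no rule matched: hold for review, never auto-delete
    min_years, max_years = effective_period(rules)
    if max_years is not None and max_years < min_years:
        return "conflict"      # "delete by" contradicts "keep for": escalate to legal
    age_days = (today - email.received).days
    if age_days < min_years * 365:
        return "retain"
    return "eligible-for-deletion"


# Constructed sample mailbox and evaluation date.
TODAY = date(2024, 6, 1)
SAMPLE_EMAILS = [
    Email("m1", "finance", "Q3 invoice from supplier", date(2018, 1, 10)),
    Email("m2", "it", "Server patching schedule", date(2020, 3, 1)),
    Email("m3", "it", "Appointment system policy update", date(2020, 3, 1)),
    Email("m4", "finance", "Newsletter draft for review", date(2023, 5, 1)),
    Email("m5", "hr", "Lunch on Friday?", date(2019, 5, 1)),
]


def evaluate_samples() -> dict:
    """Map each sample message id to its disposition."""
    return {e.msg_id: disposition(e, TODAY) for e in SAMPLE_EMAILS}


if __name__ == "__main__":
    for email in SAMPLE_EMAILS:
        tags = [r.tag for r in tag_email(email)]
        print(f"{email.msg_id}: {disposition(email, TODAY):22} tags={tags}")
```

Running it shows the cases the article's advice implies: an IT message that also mentions an administrative policy is held for 6 years rather than 3, a message whose rules contradict each other is reported as a conflict rather than deleted, and a message no rule recognizes is left for a human to classify.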

Finally, you should ensure that all users are trained in how to use the archive and retrieve old emails, to ease the burden on your IT department. Most email archiving solutions integrate with mail clients to make accessing the email archive an easy process.

FAQs

Do I need an email archive if I perform daily backups?

Even if you perform daily backups, you will still benefit from an email archive whenever you need to recover an email. Recovering an email from a backup can be an incredibly time-consuming process because backups are not searchable. Before being sent to the archive, emails are indexed and duplicate content is removed, so searches can be performed and emails recovered in seconds. That is not possible with a backup. Backups are for short-term email storage for disaster recovery.

Are there any hidden costs with cloud-based email archiving?

There can be hidden costs with cloud-based email archiving if you are charged by the total number of mailboxes rather than the number of active mailboxes. You may also be limited on how much storage space your archived emails can occupy – after which per-MB charges may apply.

When researching email archiving solutions, opt for solutions that only charge for active mailboxes and that deduplicate content from conversations when emails are archived to limit how much space each email occupies. Also, if storage limits exist, ensure there is a way you can be alerted when you are approaching a storage limit.
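The two answers above rest on three mechanics: messages are indexed as they are archived, repeated content is stored only once, and usage against a storage limit is watched. The following is an added example, not code from The HIPAA Journal or any vendor, that models them in a few dozen lines: each message part is stored once under its SHA-256 digest, every message is added to an inverted index on ingest so a search is a set intersection rather than a restore, and a single alert fires when the store crosses a configurable fraction of its quota. The reply chain, the attachment placeholder and the quota are all constructed.

```python
"""Content-addressed email archive with a search index and a quota alert.

Added example, not code from The HIPAA Journal or any vendor. Messages,
the attachment placeholder and the quota below are constructed.
"""
import hashlib
import re
from collections import defaultdict


def tokenize(text: str) -> set:
    """Lower-case alphanumeric terms, the unit of the inverted index."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


class ArchiveStore:
    def __init__(self, quota_bytes: int, alert_ratio: float = 0.8):
        self.blobs = {}                # sha256 hex digest -> bytes, stored once
        self.messages = {}             # message id -> (subject, [digests])
        self.index = defaultdict(set)  # term -> message ids
        self.quota_bytes = quota_bytes
        self.alert_ratio = alert_ratio
        self.alerts = []               # raised once when usage crosses the threshold

    def used_bytes(self) -> int:
        return sum(len(blob) for blob in self.blobs.values())

    def ingest(self, msg_id: str, subject: str, body: str, attachments: list) -> int:
        """Store a message; returns how many new blobs were written (0 = fully deduplicated)."""
        new_blobs = 0
        digests = []
        for part in [body.encode()] + list(attachments):
            digest = hashlib.sha256(part).hexdigest()
            if digest not in self.blobs:
                self.blobs[digest] = part
                new_blobs += 1
            digests.append(digest)
        self.messages[msg_id] = (subject, digests)
        for term in tokenize(subject + " " + body):
            self.index[term].add(msg_id)
        if not self.alerts and self.used_bytes() >= self.quota_bytes * self.alert_ratio:
            self.alerts.append(f"archive at {self.used_bytes()} of {self.quota_bytes} bytes")
        return new_blobs

    def search(self, query: str) -> set:
        """Message ids containing every term of the query (AND search over the index)."""
        terms = tokenize(query)
        if not terms:
            return set()
        return set.intersection(*(self.index.get(t, set()) for t in terms))


# Constructed reply chain: three messages that all carry the same attachment.
ATTACHMENT = b"%PDF-1.4 constructed placeholder\n" * 50
SAMPLE_MESSAGES = [
    ("m1", "Invoice for March", "Please see the attached invoice for March.", [ATTACHMENT]),
    ("m2", "Re: Invoice for March", "Approved, forwarding to finance for payment.", [ATTACHMENT]),
    ("m3", "Re: Re: Invoice for March", "Paid on 2024-04-02, closing the thread.", [ATTACHMENT]),
]


def demo_archive() -> ArchiveStore:
    """Ingest the sample chain into a store whose quota is smaller than three copies of the attachment."""
    store = ArchiveStore(quota_bytes=2000)
    for msg_id, subject, body, attachments in SAMPLE_MESSAGES:
        store.ingest(msg_id, subject, body, attachments)
    return store


if __name__ == "__main__":
    store = demo_archive()
    print("blobs stored:", len(store.blobs), "bytes used:", store.used_bytes())
    print("search 'invoice march':", sorted(store.search("invoice march")))
    print("alerts:", store.alerts)
```

Three copies of the attachment would exceed the constructed quota outright; with deduplication the whole chain fits, the quota alert still fires exactly once when the 80% threshold is crossed, and any message in the thread can be located by the words in its subject or body without touching a backup.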

How can an email archive help with GDPR compliance?

An email archive can help with GDPR compliance because, under GDPR, individuals have the right to access personal data held by a company, which includes personal data stored in emails. If your company receives a GDPR access request, an email archive will help you quickly find and recover all relevant emails. The time limit with the GDPR is 30 days. It may not be possible to meet that deadline if emails are stored in backups.

Are all email archiving solutions HIPAA-compliant?

Not all email archiving solutions are HIPAA-compliant because some lack the capabilities to control user access, protect ePHI with end-to-end encryption, and preserve the integrity of email data. It is also necessary for the vendor of the solution to enter into a Business Associate Agreement.

Additionally, it is important to be aware HIPAA compliance is not determined by the capabilities of any software solution. HIPAA compliance is determined by how the solution is configured and used.

Do email archives need to be encrypted to comply with HIPAA?

Email archives do not need to be encrypted to comply with HIPAA, provided an equivalent level of protection is provided. For example, if emails containing PHI are stored locally and are protected by access controls and sit behind a firewall, encryption is not mandatory. If emails are sent to a cloud archive, end-to-end encryption is required.

What are 3 email archiving best practices?

Email archiving best practices can differ between organizations due to the sensitivity of the data maintained in emails. However, 3 email archiving best practices for most organizations are to archive emails as they pass through the mail server, automatically de-duplicate content to reduce storage needs, and ensure appropriate controls are enforced to prevent unauthorized access.

Is it okay to re-use a third party’s email retention policy as an email retention policy template?

Re-using a third party’s email retention policy as an email retention policy template will be suitable for some organizations, but not all. This is because the third party’s email retention policy may have been developed for an organization operating in a state or industry with different retention requirements than your own. Therefore, it is advisable to develop your own retention policies.

Why is email archiving important?

Email archiving is important for several reasons. Archiving preserves emails in their original format to meet legal and compliance requirements, simplifies the recovery of accidentally deleted or lost emails, frees space on the mail server, mitigates the risk of data theft, and enables organizations to respond quickly and efficiently to information requests.

Which is the best email archiving solution?

The best email archiving solution will be different for different types of business and the skill sets within those businesses. For example, for a small business with limited IT skills, the best email archiving solution will be the one which is easiest to use. However, ease of use may not be high on the list of priorities for an enterprise with complex requirements and a depth of IT talent.

Are 3rd party email archiving solutions better than solutions built into an existing plan?

3rd party email archiving solutions can be better than solutions built into an existing plan because the archiving capabilities of some plans can be limited or fail to support effective archive management (i.e., due to a lack of rules-based automatic retention policies). In such circumstances it can be more cost effective to subscribe to a 3rd party email archiving solution than upgrade to a more comprehensive plan that includes capabilities (other than email archiving) you may never use.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
