HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Email Archiving Legal Compliance

Email archiving legal compliance is concerned with preserving email data in accordance with federal, state, and industry regulations, implementing safeguards to ensure the confidentiality and integrity of email data, and ensuring email data is always available when it is required.

Email Archiving Legal Compliance in Healthcare

Email archiving legal compliance requirements can vary considerably from state to state and with the nature of your business activities, so it is essential to seek legal advice on the email archiving and data retention requirements that apply to your organization.

The key regulations concerning email archiving in the healthcare industry are the Federal Rules of Civil Disclosure, the Health Insurance Portability and Accountability Act (HIPAA), Food and Drug Administration (FDA) regulations, Internal Revenue Service (IRS) regulations, and the Sarbanes-Oxley Act (SOX) if your organization is publicly traded.

Each set of regulations has different data retention requirements for certain types of email data. States also set their own laws and minimum data retention periods for email. Generally speaking, email must be retained until it is no longer needed and the applicable statute of limitations has passed. For most data retention regulations that is between 3 and 7 years. In some cases, email data must be kept indefinitely.

The penalties for failing to retain email data can be severe. Multi-million-dollar financial penalties have been imposed on organizations and businesses that have failed to retain email data. Most eDiscovery requests require email data to be supplied. If you are unable to provide email data when ordered to do so by the courts, the consequences can be catastrophic.

HIPAA Data Retention Requirements

HIPAA data retention requirements are mostly concerned with documentation related to HIPAA compliance rather than medical records, as the latter is governed by state laws. State laws covering medical record retention periods range from 3 years to 11 years.

HIPAA requires compliance documentation to be retained for a minimum of 6 years from the date of creation or the date when the documentation was last effective, whichever comes later. HIPAA data retention requirements cover records designating an organization as a covered entity/business associate, security and privacy policies and practices, HIPAA authorizations, HIPAA assessments, data use agreements, limited data sets, notices of privacy practices, accounting of disclosures, and other HIPAA compliance documentation.

HIPAA does not call for email data to be retained in an archive and does not stipulate the format that must be used for storing emails. That is left to the discretion of HIPAA covered entities and business associates. All electronic forms of data that contain electronic protected health information (ePHI) must be safeguarded in accordance with the requirements of the HIPAA Security Rule. That means administrative, physical, and technical safeguards must be implemented to ensure the confidentiality, integrity, and availability of data and an audit trail must be maintained. When the retention period is over, all ePHI must be securely and permanently destroyed.
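The two retention points made above (the 6-year clock for compliance documentation runs from the later of the creation date and the last-effective date, and records are destroyed only once retention has run out) are easy to get wrong when a disposition job is automated. The following Python snippet is an added illustration, not code from the HIPAA Journal article: it evaluates that rule over a few constructed compliance records, treats a document that is still in effect as never eligible, lets a legal hold override an expired retention period, and returns one audit-trail entry per decision so the disposition is accountable. The record fields, the `legal_hold` flag and the sample records are assumptions made for the example; state law may require a longer period than the 6-year HIPAA minimum modelled here.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# HIPAA minimum for compliance documentation, as described in the text.
# State law or other regulations may impose a longer period.
RETENTION_YEARS = 6


@dataclass
class ComplianceRecord:
    """A piece of HIPAA compliance documentation (hypothetical schema)."""
    record_id: str
    created: date
    last_effective: Optional[date] = None   # None means the document is still in effect
    legal_hold: bool = False                # assumed flag set by counsel during eDiscovery


def add_years(d: date, years: int) -> date:
    """Add calendar years, clamping 29 Feb to 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_expires(rec: ComplianceRecord) -> Optional[date]:
    """Date the minimum retention period ends, or None if the clock has not started."""
    if rec.last_effective is None:
        return None  # still in effect: retention runs from when it stops being effective
    # "from the date of creation or the date it was last effective, whichever comes later"
    start = max(rec.created, rec.last_effective)
    return add_years(start, RETENTION_YEARS)


def disposition(rec: ComplianceRecord, today: date) -> Dict[str, str]:
    """Decide RETAIN / HOLD / DESTROY for one record and return an audit-trail entry."""
    expires = retention_expires(rec)
    if expires is None:
        action, reason = "RETAIN", "document still in effect; retention clock not started"
    elif today < expires:
        action, reason = "RETAIN", f"retention period runs until {expires.isoformat()}"
    elif rec.legal_hold:
        # Retention has expired, but a hold always wins: destroying data under hold
        # is the eDiscovery failure the text warns about.
        action, reason = "HOLD", f"retention expired {expires.isoformat()} but legal hold is active"
    else:
        action, reason = "DESTROY", f"retention expired {expires.isoformat()}; secure destruction permitted"
    return {
        "record_id": rec.record_id,
        "reviewed_on": today.isoformat(),
        "action": action,
        "reason": reason,
    }


def review(records: List[ComplianceRecord], today: date) -> List[Dict[str, str]]:
    """Evaluate every record and return the audit trail of decisions."""
    return [disposition(rec, today) for rec in records]


# Constructed sample records (not real documents).
SAMPLE_RECORDS = [
    ComplianceRecord("POL-001", date(2015, 3, 1), date(2017, 6, 30)),            # expired 2023-06-30
    ComplianceRecord("POL-002", date(2020, 1, 10)),                              # still in effect
    ComplianceRecord("AUTH-003", date(2016, 2, 29), date(2016, 2, 29), True),    # expired, on hold
    ComplianceRecord("BAA-004", date(2019, 5, 5), date(2019, 5, 5)),             # expires 2025-05-05
]

if __name__ == "__main__":
    for entry in review(SAMPLE_RECORDS, date(2024, 1, 15)):
        print(f"{entry['record_id']:9} {entry['action']:8} {entry['reason']}")
```

The job deliberately separates "eligible for destruction" from "destroyed": the DESTROY decision is an audit entry that a separate, logged destruction step consumes, which is what keeps the audit trail the Security Rule expects intact.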

Email Archiving Options

There are several options available for email archiving that will allow you to meet your email archiving legal compliance responsibilities. While it is possible to set up an email archiving solution yourself, it can be a time-consuming and complicated process. The easiest solution is to use email archiving software or an email archiving service.

An on-premise email archiving appliance or virtual appliance can be used to archive email for long-term storage. This option has the advantage of keeping all email data on site, and many IT professionals will feel more comfortable with it than with sending data to the cloud. Disadvantages of appliances include limited storage space, the high initial cost of purchasing the appliances, and the need to update and maintain the hardware.

Cloud-based archiving is now a popular choice due to the ease of implementation and the low initial cost of setting up the archive. Cloud-based archives require no hardware purchases and there are no ongoing maintenance requirements. The scalability of the cloud means that storage space will never be an issue. Cloud-based archiving is often the best and most effective choice for small to medium-sized covered entities. Larger organizations are more likely to have the IT resources to handle archiving in house, and the IT infrastructure to support on-premise archiving.

While keeping data on your own hardware may be attractive in terms of security, cloud security can be just as robust, and in some cases stronger. Many companies offer email archiving as a service and will provide SLAs guaranteeing uptime to ensure availability, together with contractual security commitments.

You should evaluate all options available to make sure they meet email archiving legal compliance requirements, assess the cost and ease of use of each solution, conduct a risk assessment, and choose the option which provides the necessary level of security and best meets the needs of your organization.
