Do You Have a HIPAA Email Retention Policy?


The Health Insurance Portability and Accountability Act (HIPAA) does not specifically mention email archiving and email backups, but it is still strongly advisable to develop and implement a HIPAA email retention policy.

HIPAA requires all PHI to be backed up to ensure data is always available, even when disaster strikes. The Administrative Safeguards (§ 164.308(a)(7)) require covered entities to establish and implement policies and procedures to ensure ePHI is always available when it is needed. Under the required data backup plan provision, it is necessary to “Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.”

Guidance issued by the HHS states the data backup plan should include “all important sources of data such as patient accounting systems, electronic medical records, health maintenance and case management information, digital recordings of diagnostic images, electronic test results, or any other electronic documents created or used.” Since many covered entities store protected health information in emails, they too must be backed up to ensure they can be retrieved.

An email backup can be used to restore entire mailboxes in the event of disaster, but an email archive is also useful. An email archive is searchable, so it can be used to restore individual messages on demand. Both are important for data loss prevention. In the event of a disaster, such as a ransomware attack in which email or backups have been encrypted, an email archive provides an additional layer of protection to ensure data is not permanently lost.

HIPAA Data Retention Requirements

There is a data retention requirement in HIPAA. HIPAA documentation must be retained for a period of six years from the date of creation or the last time the documentation was in effect, whichever is later. HIPAA does not specifically mention data stored in email accounts, but documentation that must be retained may be present in the email system. Emails may also be sent containing PHI, which may need to be produced in the event of an audit to demonstrate compliance.

Developing a HIPAA email retention policy that includes securely archiving all emails containing PHI will ensure that in the event of an audit, dispute with a patient, or litigation, all relevant sent and received emails can quickly and easily be retrieved.

An email archive is also important for complying with state data retention requirements, which can require a much broader range of data to be retained, and for longer than is required by HIPAA. An email archive can also help with compliance with the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR).

Phishing is the leading cause of data breaches in healthcare. When unauthorized individuals gain access to healthcare email accounts, all PHI stored in those accounts can be accessed. It is not unusual for compromised email accounts to contain tens of thousands of patients’ PHI. Implementing an email retention policy that requires emails to be moved to a secure archive will reduce the harm caused in the event of an email account compromise incident. The smaller the breach, the lower the cost of remediation.

ArcTitan: A HIPAA Compliant Email Archiving Solution for Healthcare Organizations

TitanHQ provides an email archiving service for healthcare organizations that helps them meet their data retention obligations under HIPAA while meeting all Security Rule requirements for data storage. Emails are protected with end-to-end encryption, access controls can be set to limit access to emails in the archive, all archived emails are tamper-proof, and the email archive includes full email audit functionality. TitanHQ will also sign a business associate agreement with covered entities and meets all business associate HIPAA requirements.

Author: HIPAA Journal
