
Do You Have a HIPAA Email Retention Policy?

The Health Insurance Portability and Accountability Act (HIPAA) does not specifically mention email archiving and email backups, but it is still strongly advisable to develop and implement a HIPAA email retention policy.

HIPAA requires all PHI to be backed up to ensure data is always available, even when disaster strikes. The Administrative Safeguards (§ 164.308(a)(7)) require covered entities to establish and implement policies and procedures to ensure ePHI is always available when it is needed. Under the required data backup plan provision, it is necessary to “Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.”

Guidance issued by the HHS states the data backup plan should include “all important sources of data such as patient accounting systems, electronic medical records, health maintenance and case management information, digital recordings of diagnostic images, electronic test results, or any other electronic documents created or used.” Since many covered entities store protected health information in emails, those emails must also be backed up to ensure they can be retrieved.

An email backup can be used to restore entire mailboxes in the event of disaster, but an email archive is also useful. An email archive is searchable, so it can be used to restore individual messages on demand. Both are important for data loss prevention. In the event of disaster, such as a ransomware attack in which emails or backups have been encrypted, an email archive provides an additional layer of protection to ensure data is not permanently lost.


HIPAA Data Retention Requirements

There is a data retention requirement in HIPAA. HIPAA documentation must be retained for a period of six years from the date of creation or the last time the documentation was in effect, whichever is later. HIPAA does not specifically mention data stored in email accounts, but documentation that must be retained may be present in the email system. Emails may also be sent containing PHI, which may need to be produced in the event of an audit to demonstrate compliance.

Developing a HIPAA email retention policy that includes securely archiving all emails containing PHI will ensure that in the event of an audit, dispute with a patient, or litigation, all relevant sent and received emails can quickly and easily be retrieved.

An email archive is also important for complying with state data retention requirements, which can require a much broader range of data to be retained, and for longer than is required by HIPAA. An email archive can also help with compliance with the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR).

Phishing is the leading cause of data breaches in healthcare. When unauthorized individuals gain access to healthcare email accounts, all PHI stored in those accounts can be accessed. It is not unusual for compromised email accounts to contain tens of thousands of patients’ PHI. Implementing an email retention policy that requires emails to be moved to a secure archive will reduce the harm caused in the event of an email account compromise incident. The smaller the breach, the lower the cost of remediation.

ArcTitan: A HIPAA Compliant Email Archiving Solution for Healthcare Organizations

TitanHQ provides an email archiving service for healthcare organizations that helps them meet their data retention obligations under HIPAA while meeting all Security Rule requirements for data storage. Emails are protected with end-to-end encryption, access controls can be set to limit access to emails in the archive, all archived emails are tamper-proof, and the email archive includes full email audit functionality. TitanHQ will also sign a business associate agreement with covered entities and meets all business associate HIPAA requirements.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.