Do You Have a HIPAA Email Retention Policy?
A HIPAA email retention policy can be an important factor in an organization’s compliance efforts if documents that need to be kept to comply with HIPAA’s retention requirements – or emails regarding health conditions, treatment, and payments – are stored in email accounts. If such a policy is implemented, it is also important that emails are regularly backed up or securely archived.
HIPAA requires all PHI to be backed up to ensure data is always available, even when disaster strikes. The Administrative Safeguards (§ 164.308(a)(7)) require covered entities to establish and implement policies and procedures to ensure ePHI is always available when it is needed. Under the data backup plan provision, which is a required (not addressable) implementation specification, covered entities must “Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.”
Guidance issued by the HHS states the data backup plan should include “all important sources of data such as patient accounting systems, electronic medical records, health maintenance and case management information, digital recordings of diagnostic images, electronic test results, or any other electronic documents created or used.” Since many covered entities store protected health information in emails, they too must be backed up to ensure they can be retrieved.
An email backup can be used to restore entire mailboxes in the event of disaster, but an email archive is also useful. An email archive is searchable, so it can be used to restore individual messages on demand. Both are important for data loss prevention. In the event of a disaster, such as a ransomware attack in which email or the backups themselves have been encrypted, an email archive provides an additional layer of protection to ensure data is not permanently lost.
HIPAA Data Retention Requirements
There is a data retention requirement in HIPAA. HIPAA documentation must be retained for a period of six years from the date of creation or the last time the documentation was in effect, whichever is later. HIPAA does not specifically mention data stored in email accounts, but documentation that must be retained may be present in the email system. Emails may also be sent containing PHI, which may need to be produced in the event of an audit to demonstrate compliance.
Developing a HIPAA email retention policy that includes securely archiving all emails containing PHI will ensure that in the event of an audit, dispute with a patient, or litigation, all relevant sent and received emails can quickly and easily be retrieved.
An email archive is also important for complying with state data retention requirements, which can require a much broader range of data to be retained, and for longer than is required by HIPAA. An email archive can also help with compliance with the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR).
Phishing is the leading cause of data breaches in healthcare. When unauthorized individuals gain access to healthcare email accounts, all PHI stored in those accounts can be accessed. It is not unusual for compromised email accounts to contain tens of thousands of patients’ PHI. Implementing an email retention policy that requires emails to be moved to a secure archive will reduce the harm caused in the event of an email account compromise incident. The smaller the breach, the lower the cost of remediation.