The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Email Retention Requirements Explained

Beyond any federal or industry-specific requirements, every business should retain the records it may need to rely on in a civil dispute for as long as required, with "as long as required" usually determined by each state's statute of limitations.


Explaining email retention requirements by focusing on federal laws is fraught with hazards, because the requirement varies with the nature of the content of the email. For example, many sources discussing IRS email retention requirements state that businesses should have an email retention policy that keeps tax-related records for seven years.

However, according to the IRS website, most businesses only need to keep documents for seven years if they relate to a claim for a loss from worthless securities or a bad debt deduction. Most other records only have to be retained for three years, unless they relate to property (three years after the property is disposed of) or the business has filed a fraudulent return (indefinitely).


Similarly, many sources discussing SOX email retention requirements quote a retention period of seven years, when many documents need only be retained for three or five years, while emails relating to documents such as executive policies and resolutions, employment and termination agreements, and insurance policies have an indefinite retention period.

The Issues with Retaining Too Many Emails

While a business could choose the "safe" option of retaining every tax-related email (for example) for seven years, the cost of storage and the overhead of securing, managing, and recovering that data when required will prove unnecessarily expensive, and retaining too many emails for too long could also violate other federal laws.

In 2021, changes to the Gramm-Leach-Bliley (GLB) Act mean that businesses covered by the Act are now required to implement measures for “the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates”.

However, §314.4 of the Safeguards Rule permits businesses to retain emails if the content “is necessary for business operations or for other legitimate business purposes, [or] is otherwise required to be retained by law or regulation” – enabling financial institutions covered by GLB to comply with the FDIC email retention laws for banks and credit card companies.

What complicates email retention policies for businesses is they may not only have to comply with IRS, SOX, GLB, and/or FDIC email retention laws, but also FDA, HHS, SEC, and/or PCI DSS email retention requirements which range in length from one year to indefinitely. Email retention policies for businesses are further complicated by state laws and the Federal Rules of Civil Procedure.

State Laws and the Federal Rules of Civil Procedure

The reason why state laws complicate email retention policies for businesses is that each state has its own Statute of Limitations for civil claims – most having multiple Statutes of Limitations depending on the nature of an injury, how it was caused, whether a contract was oral or written, and whether the injury was attributable to a motor vehicle accident.

Most states also have varying Statutes of Limitations for felonies, which can include financial felonies such as fraud, misrepresentation, or obtaining money under false pretenses. While many states limit the time period for prosecuting such crimes, some have no Statute of Limitations for felonies at all, which means records that might be relevant to such a charge may need to be kept indefinitely.

The reason for including the Federal Rules of Civil Procedure in this explanation of email retention requirements in the United States is that, once a civil claim is initiated, parties must make their initial disclosures within fourteen days of the Rule 26(f) discovery-planning conference if they are involved at the start of proceedings, or within thirty days of being served or joined if they enter the action later.

A lot of corporate data lives in email, and finding and producing evidence in support of, or in defense of, a claim within fourteen days is challenging if that evidence sits in a backed-up database of years of unindexed emails that were stored only to satisfy varying retention requirements.

How to Resolve the Challenge of Multiple Email Retention Requirements

Even if a business only had one set of email retention requirements to comply with, it would still be challenging to ensure emails were securely stored in an environment where they would remain a reliable source of information while always being available. When a business has to comply with multiple email retention requirements, the challenge becomes even more complex.

One of the most effective ways to resolve the challenge of multiple email retention requirements is with a cloud-based email archiving solution that archives emails in real time to ensure their integrity – indexing them as they are archived to facilitate fast searches and recoveries, and deduplicating the content of each email to minimize storage space.

Archiving emails in real time also frees up space on the mail server (reducing the risk of mailbox corruption) while making emails easily recoverable after an accidental deletion. Such a solution also allows a business to set retention periods per content type, so that emails are automatically deleted when no longer required, and to comply with "right to be forgotten" requests as state laws adopt provisions similar to the EU's General Data Protection Regulation.

FAQs

Why are backups not suitable for long-term email storage?

Backups of email are created to restore entire mailboxes after data loss or corruption, for example following a ransomware attack. Recovering individual emails from backups can be a major challenge: the correct backup media must be located, which means the date of the emails must already be known, and backups cannot easily be searched. This is why email archives are necessary for long-term email storage; they are indexed and searchable, so emails can be located quickly and easily.

What are the main benefits of cloud-based email archiving solutions?

IT teams may prefer to keep email archives on-premises where they feel they can better secure them, but cloud-based archives have several advantages. Storage capacity is never an issue due to the scalability of the cloud, maintenance of the hardware is handled by the service provider, there is no need to purchase and upgrade disk or tape systems, and backups are performed automatically. The cloud can be as secure as on-premises systems and is often more cost-effective.

Are email archiving service providers classed as business associates?

It is likely that email archives will contain emails that include protected health information, so email archiving service providers are classed as business associates under HIPAA and are required to enter into a business associate agreement with HIPAA-covered entities.

Are there data retention requirements for medical records under HIPAA?

HIPAA data retention requirements do not cover patient medical records; however, there may be requirements to store medical records for a minimum time under state laws.

What happens if it is not possible to recover emails from backups?

In the event of a compliance investigation, the failure to produce requested emails is akin to having deleted those messages and severe financial penalties can be imposed. It is also a legal requirement to produce emails to support litigation if ordered to do so by a federal court. The failure to produce the requested emails can have serious consequences.

What happens if you have emails due for deletion under GLB, but still required for SOX or IRS email retention requirements?

GLB allows businesses to retain emails for longer than two years after the last use of the information if they are otherwise required to be retained by law or regulation. Therefore, you would classify the emails so that they are kept for the longest applicable retention period.
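The archiving approach described above (real-time ingest with deduplication, indexing for search, and per-content-type retention) and this FAQ's "longest applicable period wins" rule can be expressed as a small retention resolver. The following Python sketch is an added example, not code from HIPAA Journal or from any archiving vendor. The tag names, the years in the rule table, the six-year statute-of-limitations default, and the sample emails are all constructed for illustration and are not legal advice.

```python
"""Added example: a minimal email archive with content deduplication, tag indexing
and a retention resolver that honours the longest of several overlapping rules.
Rule table, tag names and sample messages are constructed for illustration."""
import hashlib
import math
from dataclasses import dataclass
from datetime import date
from typing import Optional

INDEFINITE = math.inf  # retain for ever (fraudulent return, executive resolutions, ...)

# Constructed tag -> years table; the labels are this example's own, not a standard.
RETENTION_RULES = {
    "irs:general": 3,
    "irs:bad-debt-or-worthless-securities": 7,
    "irs:fraudulent-return": INDEFINITE,
    "sox:executive-resolution": INDEFINITE,
    "hipaa:documentation": 6,
}
GLB_TAG = "glb:customer-information"
GLB_DISPOSAL_YEARS = 2  # Safeguards Rule: dispose within two years of last use


@dataclass(frozen=True)
class Email:
    message_id: str
    received: date
    body: bytes
    tags: frozenset
    last_used: Optional[date] = None  # GLB "last date the information is used"


def add_years(d, years):
    """Calendar anniversary; 29 Feb rolls back to 28 Feb in non-leap target years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposal_date(email, default_years):
    """First date the message may be purged; None means retain indefinitely.

    Every applicable regulatory period is honoured, so the longest wins and
    INDEFINITE beats everything. A GLB-tagged message is capped at two years
    after last use only when no other law or regulation requires longer
    retention. With no applicable rule, the state statute-of-limitations
    default (an assumption supplied by the caller) applies.
    """
    periods = [RETENTION_RULES[t] for t in email.tags if t in RETENTION_RULES]
    if any(p == INDEFINITE for p in periods):
        return None
    if GLB_TAG in email.tags:
        glb_deadline = add_years(email.last_used or email.received, GLB_DISPOSAL_YEARS)
        if not periods:
            return glb_deadline
        return max(glb_deadline, add_years(email.received, max(periods)))
    return add_years(email.received, max(periods, default=default_years))


class Archive:
    def __init__(self, default_years):
        self.default_years = default_years
        self.messages = {}   # message_id -> Email metadata
        self.blobs = {}      # sha256 -> body, stored once however many messages share it
        self.blob_refs = {}  # sha256 -> message_ids still referencing that body
        self.by_tag = {}     # tag -> message_ids, built at ingest so searches are fast

    def ingest(self, email):
        digest = hashlib.sha256(email.body).hexdigest()
        self.blobs.setdefault(digest, email.body)  # deduplicate identical content
        self.blob_refs.setdefault(digest, set()).add(email.message_id)
        self.messages[email.message_id] = email
        for tag in email.tags:
            self.by_tag.setdefault(tag, set()).add(email.message_id)
        return digest

    def search(self, tag):
        return sorted(self.by_tag.get(tag, ()))

    def purge(self, today):
        """Delete every message whose disposal date has passed; return their ids."""
        purged = []
        for email in list(self.messages.values()):
            due = disposal_date(email, self.default_years)
            if due is not None and due <= today:
                self._delete(email)
                purged.append(email.message_id)
        return sorted(purged)

    def _delete(self, email):
        digest = hashlib.sha256(email.body).hexdigest()
        del self.messages[email.message_id]
        for tag in email.tags:
            self.by_tag[tag].discard(email.message_id)
        refs = self.blob_refs[digest]
        refs.discard(email.message_id)
        if not refs:  # last reference gone, so the shared body can go too
            del self.blobs[digest], self.blob_refs[digest]


# Constructed sample messages (ids, dates and bodies are made up).
SAMPLE_EMAILS = [
    Email("<a@example.com>", date(2019, 4, 15), b"Q1 invoice batch", frozenset({"irs:general"})),
    Email("<b@example.com>", date(2019, 4, 15), b"Q1 invoice batch", frozenset({"irs:general"})),
    Email("<c@example.com>", date(2018, 6, 1), b"write-off of worthless securities",
          frozenset({"irs:bad-debt-or-worthless-securities", GLB_TAG}), last_used=date(2018, 6, 1)),
    Email("<d@example.com>", date(2021, 1, 10), b"account statement", frozenset({GLB_TAG}),
          last_used=date(2021, 3, 1)),
    Email("<e@example.com>", date(2015, 9, 9), b"board resolution", frozenset({"sox:executive-resolution"})),
]


def demo(today=date(2024, 1, 1)):
    """Ingest the samples, run a purge, and report (unique bodies, purged, remaining)."""
    archive = Archive(default_years=6)  # assumed state statute-of-limitations default
    for email in SAMPLE_EMAILS:
        archive.ingest(email)
    unique_bodies = len(archive.blobs)
    purged = archive.purge(today)
    return unique_bodies, purged, sorted(archive.messages)
```

Running `demo()` on 1 January 2024 stores four bodies for five messages (the two invoice emails share one blob), purges the two three-year IRS emails and the GLB-only account statement (two years after its last use), and keeps both the worthless-securities email (its seven-year IRS period outlasts the GLB cap) and the board resolution (indefinite). A message due for GLB disposal is therefore never deleted while another rule still requires it, which is the resolution the FAQ describes.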

How do you know in advance if the content of an email will be required in the future to support a civil or criminal court case?

You don't. All you can do is archive the email for as long as is required by your state's Statute of Limitations or any relevant federal data retention law; after that period you would not be expected to produce evidence in support of, or in defense of, a civil or criminal court case.

What are HHS email retention requirements?

These are the record retention requirements imposed by various agencies of the Department of Health and Human Services. Some exist to comply with HIPAA (e.g., policies, risk assessments, and Notices of Privacy Practices must be retained for six years from when they were last effective), while others exist to comply with CMS's requirements for Medicare cost reports.

What are the PCI DSS data retention laws in the US?

The Payment Card Industry Data Security Standard (PCI DSS) applies throughout the world to any business that stores, processes, and/or transmits cardholder data. The latest standard (v4) requires account data storage to be kept to a minimum through the implementation of data retention and disposal policies – although there are no minimum or maximum retention periods stipulated.

What is the GDPR's "Right to be Forgotten"?

The right to be forgotten, formally the right to erasure (Article 17 of the General Data Protection Regulation), allows individuals in the EU to request that personal data a business holds about them is permanently erased. While the right is subject to certain conditions, businesses that maintain the personal data of EU data subjects must be able to find and delete the information or risk being fined for noncompliance.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve's editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
