
Data retention and HIPAA compliant email

Emails contain a wealth of sensitive information and form a record of every transaction an organization completes. For this reason, HIPAA's data retention requirements provide guidelines for handling this information across its lifecycle, from creation to disposal.

What is data retention? 

Data retention is the process of storing and managing data for a specific period. Its function is to ensure that this data is accessible and secure for future purposes. The information retained varies depending on the industry. In financial records, employee access to accounts may be key, while in healthcare, the necessary data may shift towards data defined by HIPAA as protected health information (PHI).

How data retention in email works 

Email archiving facilitates the data retention of email communications. According to an Email Archiving overview by M. Lamorte, "Simply put, Email Archiving is the Information Lifecycle Management of Emails." This means that email archiving is the management of emails from their creation to their disposal, allowing them to be retained securely and therefore remain available when necessary.

This is how email archiving works:

  • The archiving system automatically captures copies of all incoming and outgoing emails. 
  • Emails are stored in a secure, centralized repository separate from active email systems. 
  • Emails and attachments are duplicated and archived. 
  • Archived emails are then indexed to facilitate easy search and retrieval. 

HIPAA compliant email and data retention

According to 45 C.F.R. § 164.530(j), "A covered entity must retain the documentation required by paragraph (j)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later."

The reason for HIPAA’s retention requirements is the possible future need for access to information necessary upon patient request, legal request, or in the event it assists in supporting an audit. Email, being one of the most detailed records of patient care and administrative processes, is a necessary focus in HIPAA compliant data retention.

The steps to implementing data retention in email 

Develop email retention policies

  • Establish how long emails need to be retained. For example, emails have to be retained for six years if they are patient related and three years if they are administrative. 
  • Create clear and written email retention policies that outline the rules for storing, accessing, and deleting emails.

Choose an email retention system

Implement email archiving:

  • Configure email systems to automatically archive emails based on your retention policy. 
  • Make sure archived emails are stored securely, with encryption both at rest and in transit. 

Implement legal holds:

  • Establish a process for placing emails under legal hold when they are relevant to litigation or audits. 
  • Use your email retention system to apply and track holds. 

Email deletion and disposal:

  • Create systems and assign staff roles to delete emails once they reach the end of the retention period. 
  • Use secure disposal methods that permanently erase emails from all storage systems so that they cannot be recovered.

FAQs

What is ePHI?

Electronic protected health information refers to any health information that is stored or transmitted electronically and is protected by HIPAA. 

What are secure methods to dispose of ePHI?

Secure deletion software or physical destruction of storage media.

How long should the PHI of deceased patients be retained by healthcare providers?

Healthcare providers should retain the PHI of deceased patients for at least six years. 
