Email Retention Requirements for HIPAA Often Misunderstood
HIPAA requires that certain emails and other electronic communications be retained for a set period, but covered entities often misunderstand exactly what must be saved and for how long.
The Security Rule requires healthcare organizations and health plans to retain electronic communications containing HIPAA policies and procedures for at least six years, says Matt Fisher, JD, general counsel for Carium, a telehealth and remote patient monitoring company based in Petaluma, CA. For as long as that material is kept, any protected health information (PHI) in these communications must also be protected.
The good news is HIPAA does not require archiving all email. “It’s really focused on documents that pertain to the actual compliance efforts with HIPAA. The requirement is for your security incident logs or any investigation or risk analysis — that type of stuff where it’s material that worked toward demonstrating your compliance with HIPAA,” Fisher explains. “That’s when the data retention period under HIPAA applies. For other types of documents, there are different regulations that apply. Often, there are state-level requirements that are different time periods.”
Email retention for a healthcare organization is confusing in general, says Justin Frazer, JD, director of healthcare sensitive data at the New York City office of Mazars, a cybersecurity company. Frazer suggests that although HIPAA requires at least six years for certain electronic communications, covered entities should consider extending that period.
“For a healthcare organization to rely primarily on the six-year HIPAA requirement is unequivocally short-sighted since the healthcare organization is also subject to the document retention requirements from CMS as well as state regulations,” Frazer says. “As a compliance officer, I generally advise my clients to retain all records, including emails that contain PHI, for a minimum of 10 years.”
Retaining records for such a lengthy period is burdensome, expensive, and far exceeds the HIPAA requirement, Frazer says. But a 10-year retention period will adequately assure compliance with CMS requirements and with the inconsistent statutes of limitations that apply when a healthcare organization operates in more than one state. A single retention period that is longer and more inclusive than what HIPAA requires is more efficient than different policies for different documents.
PHI also should be backed up in case of data loss, says Toni Buhrke, CISSP, MBA, director of sales engineering at Mimecast, an email management company in Chicago.
“The guidelines also require any electronic communication that includes PHI to be shared using encryption through third-party solutions or services. If the email’s body contains PHI, the entire email must be encrypted,” Buhrke explains. “Healthcare professionals also are directed to encrypt attachments. IT teams deciding what level of encryption to use should consider the accessibility and ease of use for employees and patients to send and receive the communication, while ensuring that each email is inspected for compliance before it is delivered to a recipient outside of their organization.”
Employees must be careful not to mix up patient information or emails if they use non-encrypted personal devices, Buhrke says. Cyber awareness training can play a critical role in helping healthcare professionals understand how to comply and identify potential threats.
“Failing to follow the encryption and backup requirements outlined by HIPAA also can lead to the vulnerability and exposure of patient information, making the task of hackers easier. Improper storage and disposal of ePHI can result in HIPAA violations if healthcare organizations cannot access patient information in the event of a request, so having a viable backup and retrieval system is critical to compliance,” Buhrke says. “The loss of ePHI from successful hacks and data leaks results in thousands spent to settle any violation fines, with the price of each fine increasing in severity based on the responsible party’s level of negligence.”