HIPAA is going to require you to keep email records. If your practice routinely sends or receives email containing Protected Health Information (PHI) and you don't have an email retention plan or policy, you have a problem!
There is no hard standard within the HIPAA framework for email retention specifically, but failing to retain email can still lead to regulatory and legal issues. HIPAA does require that policies, procedures and other required documentation be kept for six years (45 CFR 164.316(b)(2)), and patients have a right of access to the records that contain their PHI. Because an email containing PHI is a communication that can be subject to such a request, six years is the defensible retention period for email.
Methods of retention will vary depending on the email service and client software used. For example, if a practice uses Microsoft Outlook, copying each user's Outlook .pst file to the server allows all email to be backed up on a regular schedule, with retention enforced by the backup software. One caveat: Microsoft does not support opening a .pst file directly over a network share, so copy the file to the server as a backup step rather than pointing Outlook at a file on the network. Where the practice runs Exchange or a hosted mailbox, a server-side archive or retention hold is a more reliable option than user-managed .pst files.
Hosted email services will require a detailed discussion with the service provider to confirm how long mail is retained, where it is stored, and how it can be exported. Also keep in mind that these backups must be encrypted, at rest and in transit, and that access to them should be limited to the staff who need it. You will be covering this in your practice's encryption policy in line with HIPAA guidelines.
Just as important as the backup process itself is a clear, written policy on email security and retention. Every staff member who uses email should be trained on it and familiar with it. This helps prevent accidental deletion and ensures proper handling of PHI.
HIPAA is about reducing risk
Having these things in place greatly reduces your practice's risk of negative audit findings, negligent-breach findings and future litigation. Failing to implement these simple steps could result in large legal awards to patients and increases the likelihood of a breach. It is worth investing a little time now to reduce your email risk!