US Federal Law Does HIPAA 6 year retention apply to email?

acer123

New Member
Jurisdiction
US Federal Law
Does corporate email containing conversation of PHI for a covered entity fall under the 6 year HIPAA retention requirement? Refer to §164.530 (j)(2) HIPAA Administrative Requirements

I'm thinking the 6 year HIPAA retention policy applies to the Electronic Health Record (EHR) that would be found in an application like Epic that stores the original health record and not email since email would contain conversation containing copies of PHI found in the EHR app. So as long as the EHR app is retaining the PHI for 6 years, it seems like we wouldn't need to retain email for 6 years and the retention of the PHI in the EHR app would be sufficient to meet the HIPAA retention requirement.

The reason I ask is I'm trying to see if we need to put an automated litigation hold on terminated employee's email in O365 to retain their email for 6 years or if we can just delete it after 90 days from O365.
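If the decision (which, as the replies below say, belongs to counsel) is to retain terminated users' mail, the following is one way to apply it in Exchange Online. This is an added example, not code from the original post: it places a litigation hold with a 6-year duration on each terminated user's mailbox, which also causes the mailbox to be kept as an inactive mailbox after the account is deleted rather than being purged on the normal schedule. It assumes the ExchangeOnlineManagement module is installed, the operator holds a role that includes Legal Hold, and terminated users are marked by the offboarding process with a CustomAttribute1 value of "Terminated" (a hypothetical convention; the admin address is a placeholder).

```powershell
# Added example (not from the original thread): apply a 6-year litigation hold
# to the mailboxes of terminated users in Exchange Online.
# Assumptions: ExchangeOnlineManagement module installed, operator has a role
# that includes Legal Hold, and offboarding sets CustomAttribute1 = "Terminated"
# on each terminated user's mailbox (hypothetical convention).

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder

# LitigationHoldDuration is expressed in days; 6 years ~= 2190 days.
$holdDays = 6 * 365

$terminated = Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute1 -eq 'Terminated'"

foreach ($mbx in $terminated) {
    if (-not $mbx.LitigationHoldEnabled) {
        Set-Mailbox -Identity $mbx.Identity `
            -LitigationHoldEnabled $true `
            -LitigationHoldDuration $holdDays
        Write-Host "Litigation hold applied: $($mbx.PrimarySmtpAddress)"
    }
}

# Verify: every targeted mailbox should now report the hold and its duration.
Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute1 -eq 'Terminated'" |
    Select-Object PrimarySmtpAddress, LitigationHoldEnabled, LitigationHoldDuration, LitigationHoldDate
```

The hold is per mailbox and is driven by the offboarding attribute, so the step can be wired into the offboarding script instead of relying on a time-based retention policy; the duration is a floor set by the organization's retention decision, not something HIPAA fixes for email on its own.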
 
This is not something that should be left to random strangers on the internet. Speak to whatever corporate counsel your entity has.
 
Does corporate email containing conversation of PHI for a covered entity fall under the 6 year HIPAA retention requirement?

The rule you linked requires retention of four things:

(i) Policies and procedures.
(ii) A communication if it "is required by this subpart to be in writing."
(iii) Documentation of "an action, activity, or designation [that is] required by this subpart to be documented."
(iv) Documentation "sufficient to meet [the covered entity's] burden of proof under section 164.414(b)."

Section 164.530 appears in Subpart E of 45 CFR Part 164.

Your description of the email as "containing [a] conversation of [sic?] PHI for a covered entity" is insufficient to allow anyone to conclude intelligently whether or not the email fits into any of the four listed categories.


I'm trying to see if we need to put an automated litigation hold on terminated employee's email in O365 to retain their email for 6 years or if we can just delete it after 90 days from O365.

From this sentence, I conclude that you are an employee of a "covered entity." If you are uncertain whether or not any particular record needs to be retained for any particular length of time, you should confer with your supervisor and/or your employer's in-house attorney. Either that or simply retain it since the fractional cost of maintaining a single email is almost certainly negligible.
 
The reason I ask is I'm trying to see if we need to put an automated litigation hold on terminated employee's email in O365 to retain their email for 6 years or if we can just delete it after 90 days from O365.

Who is "we"?

Who are you in this scenario? CEO of the employer? Employee of the Employer? What position?

I see the words "termination" and "litigation" which suggests that the corporate CEO should be asking the questions of the corporation's attorney.
 
I agree with zddoodah's take on it. Keeping the email costs almost nothing, so it's not a terrible burden to keep it. Sometimes in situations like this, and many others that come up through life, it is better to just take the path that will give you less of a headache or cost you less grief in the long run than trying to do it some other way that may be a little better for you now.

One other thing to note: since your company apparently has received some notice that the terminated employee may sue the company (and my guess is that you want to delete because the email might hurt your employer in that litigation), you should not dispose of records or anything else that may be relevant to the matter until that legal matter is fully concluded. Dumping evidence like that is known as spoliation of evidence. If the judge becomes aware that spoliation has occurred, the sanctions to your employer for doing it may include shutting down parts of your company's defense in the lawsuit. Whatever sanctions the court imposes will likely hurt your employer more than just keeping that email.

Bear in mind, too, that simply hitting delete to get it out of your e-mail program does not completely wipe out that email everywhere. The party that received it, his/her/its ISP, and your company's ISP may also have copies of it, which makes the chances greater of the deletion being discovered.

While there is still any chance that this will go to court, your company should hold on to all those records unless your lawyer says that you are ok with deleting it.

Finally, if your company does not have a well planned out document retention policy it should get one. See a business law attorney about that. It won't help so much in this immediate case but it can be enormously helpful should another case arise. Disposing of records as specified in the retention policy can help the bad look that deleting a document shortly before the lawsuit is filed may otherwise create.
 