- Jurisdiction
- US Federal Law
Does corporate email containing conversations about PHI for a covered entity fall under the 6-year HIPAA retention requirement? Refer to §164.530(j)(2), HIPAA Administrative Requirements.
I'm thinking the 6-year HIPAA retention policy applies to the Electronic Health Record (EHR) that would be found in an application like Epic, which stores the original health record, and not to email, since email would contain conversations containing copies of PHI found in the EHR app. So as long as the EHR app is retaining the PHI for 6 years, it seems like we wouldn't need to retain email for 6 years, and the retention of the PHI in the EHR app would be sufficient to meet the HIPAA retention requirement.
The reason I ask is that I'm trying to see if we need to put an automated litigation hold on terminated employees' email in O365 to retain their email for 6 years, or if we can just delete it from O365 after 90 days.