HIPAA regulations concerning archived e-mail

Are there provisions contained within HIPAA regarding the retention/archiving of e-mail communications?

HIPAA doesn't specifically mention the retention of e-mails; however, there is a six-year retention rule for security and privacy policies, procedures, documentation of complaints, etc. The purpose of this requirement is to help with follow-up reference, complaint investigations, etc. There's certainly a lot of room for interpretation, but the bottom line is there's always a possibility that e-mail communications that come under review by HHS could be included in this requirement. Obviously, keeping a record of all e-mails is not going to be a simple task, both from a procedural and technical perspective, but it could be in your organization's best interest. Having said all this, and graying the situation even more, this will ultimately have to be a business decision made by your upper management and legal counsel.

For more information on this topic, visit these other resources on SearchSecurity.com:

  • Ask the Expert: Encrypting e-mail and what is considered confidential under HIPAA
  • Ask the Expert: Securing e-mail under HIPAA
  • Featured Topic: HIPAA update

This was last published in June 2003
