Granular retention schedules allow healthcare organizations to precisely classify and manage emails based on their content. The approach reduces the risk of non-compliance, over-retention, and premature deletion, improving both data security and operational efficiency.
Granular retention schedules are detailed frameworks that specify how long records should be kept based on precise categories and criteria. Unlike broad retention policies that group data into a few large categories, granular retention schedules break information down into more specific segments, allowing tailored management of each data type.
The Privacy Rule requires that protected health information (PHI) is kept secure while still allowing necessary access; the Security Rule, on the other hand, requires that electronic PHI (ePHI) is secured. Granular retention schedules align the retention period with both rules by securing ePHI for the required period without over-retaining it and thereby increasing the risk of exposure.
HIPAA does not set specific retention periods. According to the HHS, “...HIPAA Privacy Rule does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal.” There is, however, the potential for audits and patient requests for data, which require healthcare organizations to ensure that PHI and related information remains accessible.
Granular retention schedules allow healthcare organizations to categorize emails based on their specific content and access needs. Each category can then be assigned a tailored retention period, so that each email is kept for exactly the length of time its category requires.
Use secure methods of communication:
Classify emails by HIPAA-related categories:
Automated PHI detection and classification:
Segregate PHI from non-PHI communications:
Short retention for non-essential emails:
Retention logs and audit trails:
Routine administrative messages that do not contain or relate to PHI or any other sensitive operational information.
The Security Rule, specifically Section 164.312(b), requires the implementation of audit controls: mechanisms that record and examine activity in information systems that contain or use ePHI.
It does not specify a time period, but organizations are expected to conduct regular audits based on their risk assessment.
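The classification-driven schedule described above (categorize each email, assign the category's retention period, keep a log of every decision) and the audit-control requirement of Section 164.312(b) can be put together in a small retention engine. The following is an added example written for this page, not code from the original article or from any vendor product. The PHI indicator patterns, the category names, the retention periods and the sample emails are all constructed for illustration; real retention periods come from the organization's own schedule and legal requirements, and real PHI detection would use a proper DLP classifier rather than a handful of regular expressions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed, deliberately simple PHI indicators (hypothetical; a real deployment
# would use a DLP classifier). Each match is recorded by name, never by value,
# so the audit log itself does not become a store of PHI.
PHI_PATTERNS = {
    "mrn": re.compile(r"\bMRN[:\s#]*\d{6,}\b", re.I),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\bDOB[:\s]*\d{1,2}/\d{1,2}/\d{4}\b", re.I),
    "diagnosis": re.compile(r"\b(diagnosis|diagnosed|ICD-10)\b", re.I),
}

# Granular schedule: one retention period per category.
# Constructed values for the example; HIPAA itself sets no specific periods.
RETENTION_SCHEDULE = {
    "phi_clinical": timedelta(days=6 * 365),
    "phi_billing": timedelta(days=7 * 365),
    "administrative": timedelta(days=365),
    "nonessential": timedelta(days=90),
}

BILLING_WORDS = re.compile(r"\b(invoice|claim|billing|payment)\b", re.I)
ADMIN_WORDS = re.compile(r"\b(policy|schedule|meeting|staffing)\b", re.I)


@dataclass(frozen=True)
class Email:
    msg_id: str
    subject: str
    body: str
    sent: datetime


def detect_phi(text: str) -> list:
    """Return the sorted names of PHI indicators found in the text."""
    return sorted(name for name, pat in PHI_PATTERNS.items() if pat.search(text))


def classify(email: Email) -> tuple:
    """Assign a granular category. PHI-bearing mail is never 'nonessential'."""
    text = f"{email.subject}\n{email.body}"
    indicators = detect_phi(text)
    if indicators:
        if BILLING_WORDS.search(text):
            return "phi_billing", indicators
        return "phi_clinical", indicators
    if ADMIN_WORDS.search(text):
        return "administrative", indicators
    return "nonessential", indicators


def evaluate(email: Email, now: datetime, legal_hold=frozenset()) -> dict:
    """Decide retain/dispose for one email and return the audit record for it.

    A legal hold (audit, litigation, patient access request) overrides the
    schedule so that the category's expiry never causes premature deletion.
    """
    category, indicators = classify(email)
    expires = email.sent + RETENTION_SCHEDULE[category]
    if email.msg_id in legal_hold:
        action = "retain_hold"
    elif now >= expires:
        action = "dispose"
    else:
        action = "retain"
    return {
        "msg_id": email.msg_id,
        "category": category,
        "phi_indicators": indicators,   # names only, no matched values
        "expires": expires.isoformat(),
        "action": action,
        "evaluated_at": now.isoformat(),
    }


def run_schedule(emails, now: datetime, legal_hold=frozenset()) -> dict:
    """Evaluate every email; the returned mapping is the audit trail for this run."""
    return {e.msg_id: evaluate(e, now, legal_hold) for e in emails}


# Constructed sample mailbox and a fixed evaluation time so results are reproducible.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_EMAILS = [
    Email("e1", "Follow-up: MRN 00123456", "Patient diagnosed last visit; see notes.",
          datetime(2024, 6, 1, tzinfo=timezone.utc)),
    Email("e2", "Claim 4471 for DOB 03/04/1980", "Payment posted for this claim.",
          datetime(2017, 1, 1, tzinfo=timezone.utc)),
    Email("e3", "Cafeteria menu this week", "Tacos on Tuesday.",
          datetime(2024, 9, 1, tzinfo=timezone.utc)),
    Email("e4", "Staffing schedule for March", "Draft attached for review.",
          datetime(2024, 9, 1, tzinfo=timezone.utc)),
    Email("e5", "Parking reminder", "Lot B closes early Friday.",
          datetime(2024, 9, 1, tzinfo=timezone.utc)),
]
# e5 is under a constructed legal hold: it would otherwise expire as nonessential.
DECISIONS = run_schedule(SAMPLE_EMAILS, NOW, legal_hold=frozenset({"e5"}))

if __name__ == "__main__":
    for rec in DECISIONS.values():
        print(rec)
```

Two design choices matter here. The audit record stores indicator names and timestamps but never the matched PHI values, so the retention log does not itself become an over-retained copy of ePHI. And the legal-hold check sits ahead of the expiry check, which is what keeps a short "nonessential" period from deleting mail that an audit or patient request has made relevant.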