HIPAA requires that emails containing protected health information (PHI) be securely managed, retained, and deleted to prevent unauthorized access and ensure compliance. While HIPAA does not specify exact deletion rules, it requires healthcare organizations to implement safeguards that ensure PHI in emails is permanently erased when no longer needed, in alignment with retention policies and security standards.
The HIPAA Privacy and Security Rules specify the guidelines for the use, storage, and transmission of PHI. These rules apply to all forms of communication, including email. According to the HHS, "The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so."
Healthcare organizations can use HIPAA compliant email to communicate with patients, share medical records, and coordinate care among providers. However, they must always protect PHI from unauthorized access and ensure their email practices are HIPAA compliant.
HIPAA requires covered entities to retain certain documents, which may include emails containing PHI, for at least six years from the date of creation or the last effective date. The Security Rule clarifies that "A covered entity must maintain, until six years after the later of the date of their creation or last effective date, written security policies and procedures and written records of required actions, activities or assessments.". These retention requirements ensure that health information is preserved for future reference or in case of audits.
Once the retention period has passed or if the email does not fall under HIPAA's documentation requirements, it can be safely deleted. However, deletion must be done securely. Simply moving an email to the trash folder is not enough. Healthcare organizations must use secure deletion methods that ensure the information is permanently erased and cannot be recovered.
Not deleting emails containing PHI properly, can lead to significant risks, including data breaches and unauthorized access. For example, if an email containing PHI is not securely deleted and is later accessed by unauthorized individuals, this could constitute a HIPAA violation. Such breaches can result in severe penalties, including fines, legal actions, and damage to an organization’s reputation.
Related: What are the consequences of not complying with HIPAA?
Use secure disposal methods to avoid the risks associated with improper email deletion. Tools and software that permanently erase data can ensure that deleted emails cannot be recovered. Additionally, healthcare organizations should ensure that any backup copies of emails are securely deleted according to the same standards.
Control access to emails containing PHI to maintain HIPAA compliance. Only authorized personnel should access such emails, and any deletion activities should be tracked through audit logs. These logs can help verify compliance in case of an audit or investigation.
Train staff members on the importance of secure email management. Employees should be educated on the organization's email retention and deletion policies and know the tools and methods for securely managing emails.
If your organization uses a third-party email provider, ensure they are HIPAA compliant. A business associate agreement (BAA) should be in place to outline the provider’s responsibilities regarding email retention and deletion. The BAA should specify that the provider will follow secure deletion practices to protect PHI.
Healthcare organizations should carefully evaluate their email provider's deletion practices. Ask questions about how emails are stored, how long they are retained, and how they are securely deleted. Verifying that your provider follows best practices helps maintain compliance.
Read more: The consequences of not having a BAA with an email service provider
Healthcare organizations can verify that deleted emails are unrecoverable by using data destruction tools that comply with industry standards, performing periodic audits of deletion practices, and ensuring that backup copies of emails are also securely deleted.
There are several tools and software available that specialize in secure email deletion, such as data erasure software and email archiving solutions with built-in secure deletion features. These tools can help ensure that PHI is permanently removed according to HIPAA standards.
Emails containing PHI can only be deleted after ensuring that their deletion does not conflict with HIPAA’s retention requirements or other legal obligations. Patient requests should be considered, but compliance with regulatory requirements must be prioritized.