Providers working with small computer systems have a recurring HIPAA-related quandary: How long do e-mails need to be kept before being deleted to make room for new information?
The length of time providers must keep old e-mails "depends on whether the emails are part of the patient medical record," Kristen Rosati of Phoenix, AZ-based Coppersmith Gordon Schermer Owens & Nelson reminds providers. Use state licensure, accreditation standards, and HIPAA's definition of a designated record set to make this determination.
"If the e-mail [is communication] with a patient about treatment, then that e-mail would be part of the designated record set and must be kept for 6 years" under HIPAA, Rosati advises.
To manage this, Rosati suggests printing any e-mails that should be part of the patient's medical record and adding them to the paper file. However, "if you're storing all your medical records electronically, your system definitely should be backed up in some way because you need to be able to re-create those records if there's ever some type of failure of the system," she cautions.
Remember to ensure security for paper records as well, she warns, including protecting them from hazards such as water and fire damage, among others.
The Bottom Line: Consult the state guidelines on "medical record keeping and what the expectations are" first to determine what is part of a designated record set, advises attorney Bill Sarraille with Sidley Austin Brown & Wood in Washington. To save system space, print e-mails that should be part of the patient's medical record, but remember to apply reasonable security safeguards to protect them.