Any idea how long emails need to be kept?

January 19, 2011 at 13:11:41
Specs: Windows XP
We're a small healthcare facility, open since 2000. Backing up the computer system weekly with 11 years' worth of emails is costing us money for the tapes that we really can't afford. Very few of the emails contain confidential information. Please advise. Thanks!



#1
January 19, 2011 at 13:24:11
Hopefully none of them contain confidential information. There is zero protection on almost every email system. They are open to being monitored over the internet.

Two issues. Legal reasons. Your legal department would need to advise on that.

Second is corporate rules. What do they want to keep for how long?

Third is you should make some rules about what to save and what to delete. Seems you are saying that every email has been saved. Make rules to reduce or eliminate useless emails.

I doubt any email over 7 years would be of value but better check that.

Why did it take me over a year to phone in a problem to ATT?



#2
January 19, 2011 at 13:26:41
Also consider off-site management. Then backup only what is current.


#3
January 19, 2011 at 13:54:55
Thank you for your input! Good suggestions...


#4
January 19, 2011 at 14:17:53
NancyRybski, I also work for a healthcare agency.

You are under NO obligation to keep ANY email. That requirement is only for publicly traded companies [SOX act].

You are under HIPAA. HIPAA has NO obligation you keep emails. You only have the obligation of keeping them private which btw is best done by deleting them after a predetermined amount of time.

Answers are only as good as the information you provide.
How to properly post a question:
Sorry no tech support via PM's



#5
January 19, 2011 at 14:19:57
Excellent! Thank you so much!


#6
January 19, 2011 at 14:28:14
If you are using Outlook without an Exchange Server then there is a limit on the size of the PST file. I think it is 2GB. Might want to keep that in mind. Just archive periodically to the archive.pst and back it up.

Also, have you tried the tapes? Some tapes only have a 10-year shelf life. They may not be readable any more.

Personally I run backups on redundant NAS drives and swap them out when they get full or fail. They are much cheaper than tape.



#7
January 19, 2011 at 17:37:39
Legal department ought to advise you. Various lawsuits result from emails. Some may indicate legal issues that the company may wish to be protected from. Protection from everything from workplace violations to violations of the law may sometimes be indicated in saved emails. It would be in the best interests of a company in my opinion to save emails and other documentation for at least some time to cover legal proof. While it may not be a requirement it may end up being practical business methods.


#8
January 19, 2011 at 22:02:17
http://www.advocatemd.com/Documents...

is a good medical industry email guideline. Though I was surprised to see that the author missed quoting 42 CFR in the signature.

"Not having any email retention policies inevitably will result in amassing vast volumes of communications that are costly to retain, even more expensive to search through in response to discovery requests, and may unwittingly supply information that is harmful to the organization if disclosed in response to discovery requests."

from here:
http://www.thefreelibrary.com/Busin...

The article goes on to point out the other end of the extreme of deleting all email.

A medical practice should have thought about and implemented policies that resulted in a course of practice and action that limits the liability of the individual as well as the organization. Compliance with all laws, accreditation/licensing organization [JCAHO/CARF] rules along with State requirements all come into play in the creation.

In other words, just because it's not demanded/a law that says you have to retain email doesn't mean it's not in your best interest to keep some for a limited amount of time. Objective is to find the balance that works for you.


#9
January 20, 2011 at 06:03:56
I appreciate all the good advice. Thanks!


#10
March 4, 2011 at 09:07:36
What about FRCP? That applies to pretty much all US companies, doesn't it?

#11
March 4, 2011 at 10:30:15
My understanding is FRCP only pertains to email in relation to lawsuits. This is why it's important to have an email retention policy.

"FRCP Rule 37(f) protects companies from sanctions for deleting email as part of “routine, good-faith operation.” This so-called safe harbor provision protects companies that delete email as part of ordinary business activities.

However, “good faith operation” also includes the obligation of the party to make sure that employees cannot delete messages once they are put on “litigation hold.”


#12
June 7, 2011 at 11:35:06
FRCP actually stipulates that ANY entity, no matter the profit status or size, that can be held to discovery rules in the federal court system MUST retain email in original form (i.e., include all fields, metadata, etc.). Rule 26 may allow a court to side with the party requesting discovery and if your retention policies are inadequate you may find yourself in violation of court rules and otherwise in legal hot water. As a result some companies are retaining well beyond the 90-day line commonly thought of as 'acceptable' if they are in a position to be sued.

Your HIPAA rules actually talk to privacy issues, security of private information, etc. and are separate and in addition to FRCP requirements - counsel for your organization will be able to answer what emails may be destroyed/deleted permanently in relation to the FRCP requirements/retention policy requirements.

Additionally, if you have ANY email communications abroad electronically you may be held to additional email retention rules such as SOX if communicating to the UK/Europe for instance.

And don't forget how ESI applies to your other forms of electronic data and retention policies for those as well in relation to FRCP.

