Hanna Korotka

Mastering Compliance: Streamlining HIPAA Retention with Microsoft Purview Data Lifecycle Management


Understanding and adhering to the Health Insurance Portability and Accountability Act (HIPAA) retention requirements is crucial for healthcare organizations and their business associates. While HIPAA doesn't mandate specific medical records retention, it does set clear guidelines for retaining other HIPAA-related documents. This post guides you through configuring retention policies in Microsoft 365, a pivotal aspect of security and compliance for the Microsoft cloud.


HIPAA Data Retention Standards


HIPAA requires retaining certain documents, as specified in 45 CFR 164.316 and 164.530, for a minimum of six years from creation or last effective date. These documents include policies, procedures, actions, activities, and assessments related to HIPAA compliance and breach notifications. If state laws mandate shorter retention periods, HIPAA requirements take precedence.


Documents Subject to HIPAA Retention


The nature of the business determines which documents are subject to HIPAA retention. Common examples include:

  • Notices of Privacy Practices

  • Authorizations for Disclosures of Protected Health Information (PHI)

  • Risk Assessments and Analyses

  • Disaster Recovery and Contingency Plans

  • Business Associate Agreements

  • Information Security and Privacy Policies

  • Employee Sanction Policies

  • Incident and Breach Notification Documentation

  • Complaint and Resolution Documentation

  • Physical Security Maintenance Records

  • Logs Recording Access to and Updating of PHI

  • IT Security System Reviews


Configuring Retention Policies in Microsoft Purview Data Lifecycle Management


A retention policy can cover several services, identified as "locations" in the policy, but you can't create a single retention policy that includes all of the supported locations:

  • Exchange mailboxes

  • SharePoint sites or SharePoint classic and communication sites

  • OneDrive accounts

  • Microsoft 365 Group mailboxes & sites

  • Skype for Business

  • Exchange public folders

  • Teams channel messages

  • Teams chats and Copilot interactions

  • Teams private channel messages

  • Viva Engage community messages

  • Viva Engage user messages

If you select the Teams or Viva Engage locations when you create a retention policy, the other locations are automatically excluded.


In this post we will provide a step-by-step guide to setting up three main retention policies.


Company data retention policy

  1. From the Microsoft Purview compliance portal, select Data lifecycle management > Microsoft 365 > Retention Policies.

  2. Select New retention policy to start the Create retention policy configuration, and name your new retention policy.

  3. For the Assign admin units page: keep the default of Full directory.

  4. For the Choose the type of retention policy to create page, select Static.

  5. On the Choose locations page, toggle on SharePoint classic and communication sites and Microsoft 365 Group mailboxes & sites locations.

  6. Complete the configuration as shown in the picture below.

  7. Select Next and Submit.


User data retention policy

  1. From the Microsoft Purview compliance portal, select Data lifecycle management > Microsoft 365 > Retention Policies.

  2. Select New retention policy to start the Create retention policy configuration, and name your new retention policy.

  3. For the Assign admin units page: keep the default of Full directory.

  4. For the Choose the type of retention policy to create page, select Static.

  5. On the Choose locations page, toggle on Exchange mailboxes and OneDrive accounts.

  6. Complete the configuration as shown in the picture below.

  7. Select Next and Submit.


Teams channels retention policy


This policy applies to messages from channel conversations and channel meetings; however, it doesn't apply to Teams private channel messages.

  1. From the Microsoft Purview compliance portal, select Data lifecycle management > Microsoft 365 > Retention Policies.

  2. Select New retention policy to start the Create retention policy configuration, and name your new retention policy.

  3. For the Assign admin units page: keep the default of Full directory.

  4. For the Choose the type of retention policy to create page, select Static.

  5. On the Choose locations page, toggle on Teams channel messages.

  6. Complete the configuration as shown in the picture below.

  7. Select Next and Submit.
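The same three policies can be created with Security & Compliance PowerShell, which is useful for repeatable, auditable deployments. The script below is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module is installed, the signed-in account holds a Purview compliance admin role, the policy names are placeholders, and the six-year HIPAA minimum is applied as a retain-only rule of 2190 days (the portal screenshots are not reproduced here, so the action and period are assumptions).

```powershell
# Added example (not from the original post): create the three HIPAA retention
# policies described above with Security & Compliance PowerShell instead of the
# Purview portal. Assumes the ExchangeOnlineManagement module is installed and
# the account holds a Purview compliance admin role. Policy names are constructed.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

# 45 CFR 164.316 / 164.530: retain for at least six years. Rules take days.
$SixYearsInDays = 6 * 365   # 2190 (assumption: six calendar years, no leap days)

function New-HipaaRetentionRule {
    param([string]$PolicyName)
    # Retain-only rule: keep content for the period and never auto-delete it,
    # with the clock starting at the last modification date (assumed setting).
    New-RetentionComplianceRule -Name "$PolicyName rule" -Policy $PolicyName `
        -RetentionDuration $SixYearsInDays `
        -RetentionComplianceAction Keep `
        -ExpirationDateOption ModificationAgeInDays
}

# 1. Company data: SharePoint sites and Microsoft 365 Group mailboxes & sites
New-RetentionCompliancePolicy -Name "HIPAA Company Data Retention" `
    -SharePointLocation All -ModernGroupLocation All
New-HipaaRetentionRule -PolicyName "HIPAA Company Data Retention"

# 2. User data: Exchange mailboxes and OneDrive accounts
New-RetentionCompliancePolicy -Name "HIPAA User Data Retention" `
    -ExchangeLocation All -OneDriveLocation All
New-HipaaRetentionRule -PolicyName "HIPAA User Data Retention"

# 3. Teams channel messages: a Teams location cannot share a policy with the
#    locations above, so it gets its own policy. Private channels are not covered.
New-RetentionCompliancePolicy -Name "HIPAA Teams Channel Retention" `
    -TeamsChannelLocation All
New-HipaaRetentionRule -PolicyName "HIPAA Teams Channel Retention"

# Verify: each policy should be Enabled with a distribution status of Success
Get-RetentionCompliancePolicy -DistributionDetail |
    Where-Object Name -like "HIPAA *" |
    Select-Object Name, Enabled, DistributionStatus
```

Distribution to all locations can take some time, so re-run the final query until every policy reports Success before relying on it for compliance evidence.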


By leveraging Microsoft 365’s retention policy tools, healthcare organizations can maintain compliance with HIPAA standards, ensuring that critical documents are preserved for the required duration while optimizing data governance.


Remember, while technology can aid in compliance, it’s essential to regularly review and update your policies to reflect any changes in HIPAA regulations or your organization’s practices. Stay informed, stay compliant!


To help you to have peace of mind knowing your business is secure, click here to schedule a Microsoft 365 Secure Score review with our experts today. We'll evaluate your current cybersecurity measures, identify potential vulnerabilities, and help you implement a strategic security plan to keep your company safe.
