Understanding and adhering to the Health Insurance Portability and Accountability Act (HIPAA) retention requirements is crucial for healthcare organizations and their business associates. While HIPAA doesn't mandate a specific medical records retention period, it does set clear guidelines for retaining other HIPAA-related documents. This post guides you through configuring retention policies in Microsoft 365, a pivotal aspect of security and compliance in the Microsoft cloud.
HIPAA Data Retention Standards
HIPAA requires retaining certain documents, as specified in 45 CFR 164.316 and 164.530, for a minimum of six years from the date of creation or the date the document was last in effect. These documents include policies, procedures, actions, activities, and assessments related to HIPAA compliance and breach notifications. If state laws mandate shorter retention periods, the HIPAA requirements take precedence.
Documents Subject to HIPAA Retention
The nature of the business determines which documents are subject to HIPAA retention. Common examples include:
Notices of Privacy Practices
Authorizations for Disclosures of Protected Health Information (PHI)
Risk Assessments and Analyses
Disaster Recovery and Contingency Plans
Business Associate Agreements
Information Security and Privacy Policies
Employee Sanction Policies
Incident and Breach Notification Documentation
Complaint and Resolution Documentation
Physical Security Maintenance Records
Logs Recording Access to and Updating of PHI
IT Security System Reviews
Configuring Retention Policies in Microsoft Purview Data Lifecycle Management
Although a retention policy can cover multiple services, identified as "locations" in the retention policy, you can't create a single retention policy that includes all of the supported locations:
Exchange mailboxes
SharePoint sites or SharePoint classic and communication sites
OneDrive accounts
Microsoft 365 Group mailboxes & sites
Skype for Business
Exchange public folders
Teams channel messages
Teams chats and Copilot interactions
Teams private channel messages
Viva Engage community messages
Viva Engage user messages
If you select the Teams or Viva Engage locations when you create a retention policy, the other locations are automatically excluded.
In this post we provide a step-by-step guide to setting up the three main retention policies below.
Company data retention policy
1. From the Microsoft Purview compliance portal, select Data lifecycle management > Microsoft 365 > Retention Policies.
2. Select New retention policy to start the Create retention policy configuration, and name your new retention policy.
3. For the Assign admin units page, keep the default of Full directory.
4. For the Choose the type of retention policy to create page, select Static.
5. On the Choose locations page, toggle on the SharePoint classic and communication sites and Microsoft 365 Group mailboxes & sites locations.
6. Complete the configuration as shown in the picture below.
7. Select Next and Submit.
User data retention policy
1. From the Microsoft Purview compliance portal, select Data lifecycle management > Microsoft 365 > Retention Policies.
2. Select New retention policy to start the Create retention policy configuration, and name your new retention policy.
3. For the Assign admin units page, keep the default of Full directory.
4. For the Choose the type of retention policy to create page, select Static.
5. On the Choose locations page, toggle on the Exchange mailboxes and OneDrive accounts locations.
6. Complete the configuration as shown in the picture below.
7. Select Next and Submit.
Teams channels retention policy
This policy applies to messages from channel conversations and channel meetings; it does not apply to Teams private channel messages, which are a separate location.
1. From the Microsoft Purview compliance portal, select Data lifecycle management > Microsoft 365 > Retention Policies.
2. Select New retention policy to start the Create retention policy configuration, and name your new retention policy.
3. For the Assign admin units page, keep the default of Full directory.
4. For the Choose the type of retention policy to create page, select Static.
5. On the Choose locations page, toggle on the Teams channel messages location.
6. Complete the configuration as shown in the picture below.
7. Select Next and Submit.
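The three portal walkthroughs above can also be scripted with Security & Compliance PowerShell; the following is an added example, not code from the original post or from Microsoft. It assumes the ExchangeOnlineManagement module, an account holding a compliance role that can manage retention, a six-year period (2190 days) taken from the HIPAA minimum stated above because the screenshots are not available, a retain-only action, and constructed policy names.

```powershell
# Added example (not from the original post): creates the three static retention
# policies from the walkthrough with Security & Compliance PowerShell.
# Assumptions: ExchangeOnlineManagement module installed; an account holding a
# compliance role that can manage retention; six years = 2190 days (Purview counts
# a year as 365 days); retain-only action; policy names are constructed.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession          # interactive sign-in to Security & Compliance PowerShell

$SixYearsInDays = 6 * 365    # HIPAA minimum from 45 CFR 164.316 / 164.530

function New-HipaaRetentionPolicy {
    param(
        [Parameter(Mandatory)] [string]    $Name,
        [Parameter(Mandatory)] [hashtable] $Locations,   # e.g. @{ OneDriveLocation = 'All' }
        [int] $Days = $SixYearsInDays,
        [ValidateSet('Keep', 'KeepAndDelete')] [string] $Action = 'Keep'
    )
    # Policy names must be unique; skip instead of failing half-way through.
    if (Get-RetentionCompliancePolicy -Identity $Name -ErrorAction SilentlyContinue) {
        Write-Warning "Retention policy '$Name' already exists; skipping."
        return
    }
    # Static policy: the location hashtable is splatted onto the cmdlet.
    New-RetentionCompliancePolicy -Name $Name -Enabled $true @Locations | Out-Null

    $rule = @{
        Name                         = "$Name - 6 year retention"
        Policy                       = $Name
        RetentionDuration            = $Days
        RetentionDurationDisplayHint = 'Years'
        RetentionComplianceAction    = $Action
    }
    # Teams retention is based on message creation date, so the option is set only
    # for the other locations (assumption drawn from the Teams policy behaviour).
    if (-not $Locations.ContainsKey('TeamsChannelLocation')) {
        $rule.ExpirationDateOption = 'CreationAgeInDays'
    }
    New-RetentionComplianceRule @rule | Out-Null
}

# Company data: SharePoint classic/communication sites + Microsoft 365 Group mailboxes & sites
New-HipaaRetentionPolicy -Name 'HIPAA - Company data' -Locations @{ SharePointLocation = 'All'; ModernGroupLocation = 'All' }
# User data: Exchange mailboxes + OneDrive accounts
New-HipaaRetentionPolicy -Name 'HIPAA - User data' -Locations @{ ExchangeLocation = 'All'; OneDriveLocation = 'All' }
# Teams channel messages (private channel messages are a separate location)
New-HipaaRetentionPolicy -Name 'HIPAA - Teams channels' -Locations @{ TeamsChannelLocation = 'All' }

# Confirm the policies exist and check their deployment status per location
Get-RetentionCompliancePolicy -DistributionDetail | Where-Object Name -like 'HIPAA - *' |
    Select-Object Name, Enabled, DistributionStatus
```

Run the verification query again after a while, since distribution to all locations is not immediate; a policy only enforces the six-year period once its status shows it as deployed.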
By leveraging Microsoft 365’s retention policy tools, healthcare organizations can maintain compliance with HIPAA standards, ensuring that critical documents are preserved for the required duration while optimizing data governance.
Remember, while technology can aid in compliance, it’s essential to regularly review and update your policies to reflect any changes in HIPAA regulations or your organization’s practices. Stay informed, stay compliant!
To help you to have peace of mind knowing your business is secure, click here to schedule a Microsoft 365 Secure Score review with our experts today. We'll evaluate your current cybersecurity measures, identify potential vulnerabilities, and help you implement a strategic security plan to keep your company safe.