Retention, Management & Disposal

Ineffective wireless encryption

Taped-over door lock on data room

Inadequate passwords

Computers without adequate log-off

Disabled audit logging

Unencrypted email and laptops

Former employees with inappropriate network access

These vulnerabilities and more (a total of 151) were found at seven large hospitals during a round of audits by the Department of Health & Human Services. Although these vivid examples come from hospital systems, HIPAA also applies to many other types of covered entities and business associates, including, of course, physician practices. These non-hospital providers are most likely even more vulnerable to such lapses, as they are less likely to have dedicated information technology staff, legal departments, and formalized record-keeping practices.

Some old problems never seem to go away. Email retention remains an obstinate dilemma for far too many organizations. Volumes continue to mount, with business email totaling 109 billion messages every day, and forecasted growth of 7 percent each year. Email archives and cloud email solutions address the symptom of overburdened servers, but these strategies do nothing to tackle the core problem, which is too much email, kept too long. And the cost of email retention outstrips the cost of email storage, in large part due to e-discovery expense in future litigation.

The cold, hard truth is that the persistent problem of email volume will not be solved with technology alone. What’s needed, and frankly overdue, is a bit more organizational discipline and direction on email retention.