
September 19, 2008



R W Dalton, CRM

Patient records are retained under the retention policy for 20 years after death. How do they know when an ex-patient dies? As far as I can tell, only if they happen to die at that location. Apparently, all their patients die after treatment. Think I would ask for a second opinion.

Unless you have access to all death notifications throughout the world and match them against your database, it is impossible for the location to destroy the records using a 20-year-after-death retention.


Since East Carolina is no doubt a public institution, I wonder if their e-mail retention policy complies with the state records retention schedule for universities?

If one takes a look at the above, they will see that e-mails are discussed but they are not listed as an individual item on the schedule. But I'm not surprised, because as any professional records manager knows, retention is determined by content and not media. E-mail is a transport method.

This same schedule provides various retention periods for videotapes depending upon what type of videos they are.

Finally, let's not use the term "archival" to describe a storage system. Archival has a specific meaning in the records and information management profession. It means primarily that the item has a historical value to the institution.

Benjamin Wright

pak152: Thank you for your comment. You said: "retention is determined by content and not media. Email is a transport method." The content-determined standard for records retention does not seem to work for e-mail. E-mail is so voluminous, and it mixes so many kinds of content, that it is impractical to set a content-based retention period for it. The seemingly smarter approach is to retain all e-mail of decision-makers a good long time, like 7 years (and motivate them to take their personal e-correspondence to a personal account, such as at Yahoo or Hotmail). What do you (and others) think? --Ben


In addition to agreeing with pak152's comments about e-mail not being a records series of its own, I will note that the "archival" (your use not mine) technologists where he and I work are now beginning to understand that "archiving" and disposition (disposal/destruction as well as LTDP) are not separate animals, and that with a little effort the retention rules pursuant to legal, regulatory, and valid business requirements can be applied to the "archived" records.

Seven years may be the limit to many financial obligations, but considering patient records are death + 20 years, I can surely imagine some e-mails having longer than 7 years' retention needs based on their subject matter.

In the US (SSA) there is a government website where you can enter a person's SSN and get death verifications. Not sure if institutions such as hospitals search this database at intervals to determine disposal triggers for ex-patient records.


Mr. Wright asserts:

"The content-determined standard for records retention does not seem to work for e-mail. E-mail is so voluminous, and it mixes so many kinds of content, that it is impractical to set a content-based retention period for it."

Unfortunately no matter how many times or how loud IT and others make this assertion, it will fall on deaf ears if used in conjunction with an organization that has an approved retention schedule in place for their records. If they have a policy for retention of records and a definition of what constitutes a record, then it applies to e-mail and all other forms of information within their organization. E-mail is NOT a "series", it is a method of conveyance.

If an organization has allowed e-mail to grow unchecked and hasn't established a policy of how to manage it, a knee-jerk decision to delete all e-mail older than X days or over an arbitrary volume WILL be viewed as selective destruction.

And as mentioned by others, an "e-mail archiving product" doesn't constitute an archive OR an electronic records management system; it's simply a repository used to manage copies of e-mail harvested at the server level.

The proper way to go about managing e-mail is to develop a policy that is consistent with existing records management policy that calls for non-record e-mail to be deleted within specified time frames and record e-mail to be managed along with other records for retention periods consistent with the approved schedule.

To go on shouting at the rain that there's too much of it to manage is ridiculous.

Larry Medina
RIM Professional

Benjamin Wright

Mr. Medina and pak152: I am grateful to hear your thoughtful comments. I'd like to understand your perspective better. Mr. Medina speaks of a "policy that calls for non-record e-mail to be deleted within specified time frames and record e-mail to be managed along with other records for retention periods consistent with the approved schedule." Question: As a practical matter, how does a large enterprise distinguish between "record e-mail" and "non-record e-mail"? In other words, how does it segregate the two kinds of e-mail so that one can be retained and the other deleted? Further, I surmise that for "record e-mail" you envision various retention periods depending on e-mail content. By what practical means do you envision "record e-mail" being divided into the various retention periods? Do you expect e-mail users manually to examine each e-mail and decide whether it is a non-record e-mail, or it is a record e-mail that fits in category X, or Y or Z? Thank you. --Ben



Policy typically determines what constitutes a record: as a general rule, it's anything that documents a business decision or transaction, or provides instruction/guidance to others in a business context. I think one way to look at it is if an office manager/administrator is sorting through the postal mail on receipt, there may be POs, contracts, invoices, correspondence, data requests, invitations to a picnic, blind solicitations from vendors, magazines, trade journals, etc. Some of this is decided to constitute a business record, others are not. The non-records are typically recycled, or sent for a cursory review and then recycled; the balance (the records) are then "actioned", for lack of a better term.

And yes, you're right, they all have differing retention periods, some based on legal or regulatory requirements, some based on this plus any business needs that may exceed the required retention. And on a daily basis, businesses make these decisions routinely... on receipt.

One way some organizations are doing this involves establishing some rules that are "role based", depending on the threshold of responsibility or authority associated with the level and functional role an individual holds in an organization. IT STILL requires a decision be made of "record or non-record" based on the organization's definition, but the second decision can either be made based on a period assigned to ALL e-mail that the individual declares a record (and naturally, some would be kept too long, and hopefully very little would not be kept long enough) or there could be two options: one for CY plus 2 years, and one for CY plus 7 years, which may be the longest retention associated with the role and function of the individual.

Over time, these periods could be "tweaked" and adjusted to be more appropriate, and if the resulting repository is checked for accuracy, a threshold could be set for X% after which the retention could be applied more 'automagically'.

It's not ME that expects it, it's EVERY organization that should. The option is to save everything for the maximum retention, and depending on the industry you work in, that could be upwards of 25 years. Given that many studies show that 75-80% of all e-mail is non-record, imagine how much additional cost an organization would be exposed to if taking the easy way out and keeping everything... NOW, imagine the risk they'd be exposed to if they kept this much information and 80% of it posed an undue risk during a discovery action. The extra time to search through it alone would be ridiculous.



" As a practical matter, how does a large enterprise distinguish between "record e-mail" and "non-record e-mail"? "

The same way it handles the thousands of pieces of physical mail that arrive every day. Individuals open the envelopes (e-mail) and read the content. Once they have read the message, they determine where the best place to file the item is. What is the main topic of the item? If related to a contract, you would file it with the contract.

If physical mail were handled the same way that IT proposes handling e-mail, then organizations would gather up all the physical mail and place it in one large room with no rhyme or reason for filing. Individuals would have to comb through all the mail to locate what they are seeking. But of course they are filed one way, and that is chronologically, since we must throw out all mail after 3 years. Now we know that a letter can effectively serve as a contract or modify a contract. But since we don't file the letters any longer with the contract itself, we will throw it out after 3 years, but 2 years later we're in litigation and that letter is key to our defense and we no longer have it. Gee, what a shame.
Organizations need to provide better training to their employees on how to handle e-mail, something they really don't do today.

There are e-mail software products on the market that can capture e-mails based upon content and metadata. The problem is it takes time to develop the rules. IT finds it easier just to throw all e-mails into one giant bucket and hope that they don't have to find something.
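The two-step scheme the commenters describe above (first decide record or non-record from content, then assign a role-based CY+2 or CY+7 bucket, with non-record mail purged on a short clock) is mechanical enough to show in code. The block below is an added example written for this page; it is not code from the original post, from any commenter, or from any e-mail archiving product. The addresses, the role table, the keyword rules, the 90-day non-record purge window and the legal-hold check are all assumptions chosen for illustration; a real schedule would come from the organization's approved retention policy.

```python
"""Toy retention engine for the role-based e-mail scheme discussed above.

Added example for this page; not code from the original post or its commenters.
All rules, addresses and periods below are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Assumption: decision-makers fall in the CY+7 bucket, everyone else in CY+2
# (the "two options" described in the thread).
ROLE_RETENTION_YEARS = {"cfo@example.edu": 7, "dept-head@example.edu": 7}
DEFAULT_RETENTION_YEARS = 2
NON_RECORD_DAYS = 90  # assumption: non-record mail is purged 90 days after sending

# Assumed content rules. Record terms are tested first so that, e.g., a
# contract about a picnic is still a record. Mail matching neither pattern is
# kept as a record on the default clock: silently purging unclassified mail is
# what the thread warns reads as selective destruction.
RECORD_RE = re.compile(r"\b(contract|invoice|purchase order|policy|approv\w*)\b", re.I)
NON_RECORD_RE = re.compile(r"\b(picnic|lunch|out of office|newsletter)\b", re.I)

# Constructed sample mailbox (not real messages).
SAMPLE_MAIL = [
    "From: cfo@example.edu\nTo: vendor@example.com\n"
    "Subject: Signed contract amendment #7\nDate: Fri, 19 Sep 2008 10:12:00 -0500\n\n"
    "Attached is the countersigned amendment extending the term to 2011.\n",
    "From: clerk@example.edu\nTo: all-staff@example.edu\n"
    "Subject: Picnic on Friday!\nDate: Fri, 19 Sep 2008 11:00:00 -0500\n\n"
    "Bring a dish to share.\n",
    "From: analyst@example.edu\nTo: ap@example.edu\n"
    "Subject: Invoice 4471 approved for payment\nDate: Mon, 22 Sep 2008 09:00:00 -0500\n\n"
    "Approved against PO 2211; please schedule payment.\n",
]


@dataclass(frozen=True)
class Disposition:
    subject: str
    is_record: bool
    retention_label: str   # e.g. "CY+7" or "90 days"
    dispose_after: date    # last day the item must be kept


def classify(subject: str, body: str) -> bool:
    """Step one: record or non-record, decided from content, not from the medium."""
    text = f"{subject}\n{body}"
    if RECORD_RE.search(text):
        return True
    return not NON_RECORD_RE.search(text)


def disposition_for(raw: str) -> Disposition:
    """Step two: attach the retention period implied by the sender's role."""
    msg = message_from_string(raw)
    sent = parsedate_to_datetime(msg["Date"]).date()
    sender = parseaddr(msg["From"])[1].lower()
    subject = msg["Subject"] or ""
    body = "" if msg.is_multipart() else msg.get_payload()
    if classify(subject, body):
        years = ROLE_RETENTION_YEARS.get(sender, DEFAULT_RETENTION_YEARS)
        # "CY+N": keep through 31 December of the sending year plus N more years.
        return Disposition(subject, True, f"CY+{years}", date(sent.year + years, 12, 31))
    return Disposition(subject, False, f"{NON_RECORD_DAYS} days",
                       sent + timedelta(days=NON_RECORD_DAYS))


def eligible_for_disposal(d: Disposition, as_of: date, holds=()) -> bool:
    """Schedule says dispose; an active hold (assumed subject-keyword match) overrides it."""
    if any(h.lower() in d.subject.lower() for h in holds):
        return False
    return as_of > d.dispose_after


def review_mailbox(raw_messages, as_of_iso: str, holds=()):
    """Return (subject, retention label, dispose-after date, eligible-now) per message."""
    as_of = date.fromisoformat(as_of_iso)
    rows = []
    for raw in raw_messages:
        d = disposition_for(raw)
        rows.append((d.subject, d.retention_label, d.dispose_after.isoformat(),
                     eligible_for_disposal(d, as_of, holds)))
    return rows


if __name__ == "__main__":
    for row in review_mailbox(SAMPLE_MAIL, "2009-01-01"):
        print(row)
```

Run as of 1 January 2009, the picnic notice is already past its 90-day window while both records are still held (the CFO's contract mail until the end of 2015, the analyst's invoice mail until the end of 2010). Passing a hold term keeps a message regardless of schedule, which is the piece a deletion job must consult before it acts.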


Benjamin Wright

Larry and Peterk: Thank you for these valuable comments. We are discussing a very interesting and challenging subject. In order to give the topic the attention it deserves, I am peeling off a piece of it and starting a new post at http://legal-beagle.typepad.com/wrights_legal_beagle/2008/09/e-mail-instant-text-message-record-destruction.html. I'd be honored to hear what you or anyone else thinks. Readers are welcome to continue leaving comments on this thread, and they are welcome to leave comments under the new post. –Ben

Janice Brown

To whom this may concern:

I live in NYC. I would like to know if it is against the law to e-mail medical records? And, if it is, can you tell me where I can find the information for my state?

Yours truly,

Ben Wright

Janice: Thank you for your inquiry. This blog is not the place for delivery of legal advice for specific situations. The answer to your question might depend on many specific facts. For example, my guess (without having researched the topic) is that no law forbids a patient from e-mailing her own patient record to someone else. On the other hand, some people might argue that it is unwise under HIPAA for a hospital to send a patient record via e-mail without encryption. --Ben

Joel Bernabe

I am a NYC public high school teacher. I was injured in school with malicious intent by the secretary of our assistant principal. No one saw the incident, but there were teachers and students who saw me before and after the reported contusion (resulting in a concussion) within a 10 to 15 minute time frame. I went to our school's nurse and noticed the redness in my nose, swelling of my right eye, and bruising and swelling of my right cheek. She gave me an ice pack. I reported the incident immediately to my supervisors. I was taken to my doctor's office by a fellow employee. The doctor immediately ordered that I go to the nearest hospital (Saint Vincent's) for further medical evaluation and treatment. I was then seen by a neurologist (NYU Hospital) and a pain management specialist (Hospital for Special Surgery).

I would like to request a legal opinion on whether it is permissible for our assistant principal (his secretary was the one involved in the incident, and the continued verbal harassment, this time in the presence of others) to call my primary care doctor to change data in the submitted medical evaluation. He repeatedly requested (three times) that changes be made by my doctor in my medical record, arguing that there was no incident of his secretary's pushing the door that resulted in my injuries. My doctor chose not to respond, knowing that this is a federal violation of patient-doctor privilege and the Privacy Act.

  • Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He helps tech professional firms write engagement contracts, and otherwise manage their legal liability and right to be paid. Such firms include QSAs, auditors, blockchain analysts, penetration testers and forensic investigators. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center 1984.

SANS Quote

  • "The best professional trainer in the country on these issues is Ben Wright." --Stephen H. Chapman, Principal and CEO, Security Advisers, LLC, and student in Mr. Wright's SANS legal training


  • No public statement by Mr. Wright (blog, comment, book, article, video, speech, tweet) is legal advice for any particular situation. If you need legal advice, you should consult your lawyer.

    The purpose of this blog -- and the purpose of all of Mr. Wright's public statements -- are public education and discussion, and not the delivery of legal, technical or other professional advice. If you need advice or complete information, this blog is not the place to get it. Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk.

    Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

    Mr. Wright's contributions to blogs, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer Law.

    The only person responsible for Mr. Wright's words is Mr. Wright.

    Mr. Wright has received money from some organizations he mentions online, such as Netmail/Messaging Architects, SANS Institute and LabMD.

    Mr. Wright strives to comply with all applicable laws. He does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642, Dallas, TX. Also, please state publicly on Mr. Wright's blogs or pages that he is wrong. Promptness helps mitigate damage.

    Any person accessing this blog agrees not to use data from it (or from any other public activity or statement by Mr. Wright) in a way that is adverse to Mr. Wright's interests.

    Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchanging private messages with Mr. Wright does not, by itself, form an attorney-client relationship.

    Privacy/Security Vision: Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.

Search Wright's Blogs

Find More on This Blog


Become a Fan

Find More on This Blog