Any recommended strategy for 6 year data retention.

I'm working in a HIPAA environment and we have a 6 year data retention requirement.

Wondering if anyone has a good strategy?

We're trying to figure out:

  • Should we try to keep all the raw data?
  • Are archived reports acceptable to meet the HIPAA requirement?
  • Should we just send reports to an email distro to archive them?

Please share your experience or thoughts.  Trying to stimulate discussion.  We are still formulating our policy.