Email Archiving Compliance in Healthcare

Email archiving compliance in the healthcare industry requires emails to be retained for a minimum period and archived emails to be stored securely to prevent unauthorized access. The Health Insurance Portability and Accountability Act (HIPAA) does not mention email archiving specifically, but the HIPAA Security Rule does require that electronic protected health information (ePHI) be protected to ensure its confidentiality and integrity, and that it remain available when it is needed. Email that contains ePHI falls under those requirements wherever it is stored, including in an archive.

HIPAA Email Archiving Compliance

Email archives are used for the long-term storage of email data. In contrast to email backups, archives are designed to be searched: emails are indexed and tagged before they are sent to the archive, so searches can quickly find email data when it is needed. An email archive therefore helps meet the availability requirement of the HIPAA Security Rule.

Email archives preserve an original, tamperproof copy of each email to protect the integrity of email data. If email data is changed, an audit trail records what was changed, when, and by whom. Cloud-based email archiving services typically encrypt data at rest and in transit to protect confidentiality, and access controls can be set to prevent unauthorized access. If you set up your own email archiving solution, you must apply access and audit controls yourself to ensure compliance, and you must carefully consider encryption when the archive is stored in your own IT infrastructure. Encryption is an addressable specification under the Security Rule: if you decide not to encrypt because other equivalent safeguards are in place, the risk assessment and the decision must be documented.

Minimum Email Retention Periods

While HIPAA does not specify a minimum email retention period, it does require certain HIPAA documentation to be retained for at least 6 years from the date of its creation or the date it was last in effect, whichever is later. That requirement applies regardless of the medium in which the documentation is held, so if such documentation exists in email, those emails must be retained for the same period.

Records that must be retained include information security policies and procedures, privacy policies, notices of privacy practices, the designation of an organization as a covered entity or business associate, HIPAA risk assessments, signed authorizations, designated record sets, accountings of disclosures of PHI, documentation of the titles of the persons responsible for HIPAA compliance, and other HIPAA documentation.

Email archiving compliance in healthcare is not only about HIPAA. There are other legal requirements for retaining email data, such as for eDiscovery purposes, and federal and state laws also require email data to be retained. Internal Revenue Service (IRS) record-keeping rules can require tax records to be retained for up to 7 years, Food and Drug Administration (FDA) regulations may apply to some covered entities and business associates, and there may be obligations under the Freedom of Information Act (FOIA) or PCI DSS. Seek legal advice to identify every applicable email retention requirement and minimum retention period; where several apply to the same data, the longest one governs.

An Email Archiving Service is the Easiest Solution for Healthcare Email Archiving Compliance

The easiest way to comply with email archiving and data retention requirements is to use an email archiving service. Companies offering email archiving as a service (EAaaS) for healthcare organizations store archives securely and protect them with encryption. Email data sent to the archive and retrieved from it is encrypted in transit to prevent interception, archived data is automatically replicated or backed up to protect against loss, and Service Level Agreements (SLAs) usually guarantee availability. Because the provider stores ePHI on the covered entity's behalf, a business associate agreement with the provider is still required.

EAaaS providers ensure that sufficient storage is always available; many place no upper limit on archived data, so storage capacity does not become a compliance risk.

You set your email retention policies and archiving is fully automated, eliminating much of the potential for human error. These services usually allow you to set minimum retention periods and securely delete data automatically once a retention period has passed, provided the data is not subject to a legal hold. EAaaS is a set-and-forget solution that makes email archiving compliance simple, although retention policies should still be reviewed whenever the legal requirements change.


Why are backups not suitable for long-term email storage?

Backups are not suitable for long-term email storage because they cannot easily be searched and are point-in-time copies: an email received and deleted between two backups may not appear in any of them. Since backups are taken daily, weekly, and monthly, storage space also becomes an issue, and finding the particular backup that contains the required emails can be almost impossible. Email archives avoid these problems, since they hold structured, indexed data that allows rapid search and retrieval of email on demand.

Are all email archives suitable for meeting legal requirements?

Some email archiving solutions do not preserve the integrity of emails or create tamperproof copies, which means the emails could have been altered. To meet your legal obligations, the archive must preserve a copy of the original email and maintain an audit trail showing who made any changes and when; a cryptographic hash of each message recorded at the time of archiving is the usual way to prove later that the copy is unchanged.

Can emails be deleted once the minimum retention period has been reached?

Yes. Emails can be deleted once the minimum retention period has passed, provided there is no legal hold on them. Email archiving solutions allow policies that automatically delete emails when the retention period is reached; the deletion itself should be recorded so you can later show what was disposed of, when, and by whom.
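The controls described above (an unaltered original copy with an audit trail, retention periods, and legal holds that block automatic deletion) fit together in a small amount of code. The following is an added example written for this page, not code from any archiving product: a write-once archive that records a SHA-256 digest of each message at ingest, verifies the stored bytes against it, keeps a per-message audit trail, and runs a retention job that skips messages under legal hold. The six-year period is approximated as calendar days, the message bodies and matter name are constructed for the example, and the choice to refuse to purge a message whose digest no longer matches is a design decision made here, not a HIPAA requirement.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class ArchivedEmail:
    message_id: str
    raw: bytes            # original message bytes, written once at ingest and never edited
    archived_on: date
    sha256: str           # digest of raw taken at ingest; the anchor for tamper detection
    legal_hold: bool = False
    audit_trail: list = field(default_factory=list)


class Archive:
    """Write-once archive with integrity checks, an audit trail, retention and legal hold."""

    def __init__(self, retention_days: int):
        self.retention_days = retention_days
        self._items: dict[str, ArchivedEmail] = {}
        self.disposition_log: list = []   # who deleted what and when; survives the content

    @staticmethod
    def _audit(item, today, actor, action, **extra):
        item.audit_trail.append({"when": today.isoformat(), "who": actor, "action": action, **extra})

    def ingest(self, message_id, raw, today, actor="ingest-service"):
        if message_id in self._items:
            raise ValueError(f"{message_id} already archived; the archive is write-once")
        digest = hashlib.sha256(raw).hexdigest()
        item = ArchivedEmail(message_id, bytes(raw), today, digest)
        self._audit(item, today, actor, "archived", sha256=digest)
        self._items[message_id] = item
        return digest

    def verify(self, message_id):
        """True if the stored bytes still match the digest recorded at ingest."""
        item = self._items[message_id]
        return hashlib.sha256(item.raw).hexdigest() == item.sha256

    def set_legal_hold(self, message_id, hold, today, actor, matter):
        item = self._items[message_id]
        item.legal_hold = hold
        self._audit(item, today, actor, "legal_hold_set" if hold else "legal_hold_released", matter=matter)

    def retention_expiry(self, message_id):
        return self._items[message_id].archived_on + timedelta(days=self.retention_days)

    def due_for_deletion(self, today):
        """Messages past their retention date and not under legal hold, in stable order."""
        return sorted(mid for mid, item in self._items.items()
                      if not item.legal_hold and self.retention_expiry(mid) <= today)

    def purge(self, today, actor="retention-job"):
        purged = []
        for mid in self.due_for_deletion(today):
            if not self.verify(mid):
                # Design choice in this example: never destroy a record whose integrity is in
                # doubt; flag it in the audit trail for investigation instead.
                self._audit(self._items[mid], today, actor, "integrity_failure_purge_skipped")
                continue
            item = self._items.pop(mid)
            self.disposition_log.append({"message_id": mid, "when": today.isoformat(), "who": actor,
                                         "sha256": item.sha256, "archived_on": item.archived_on.isoformat()})
            purged.append(mid)
        return purged

    def audit_trail(self, message_id):
        return [dict(e) for e in self._items[message_id].audit_trail]


def demo():
    """Lifecycle walk-through on constructed sample data; returns the facts a test can check."""
    archive = Archive(retention_days=6 * 365)   # six-year policy, approximated in calendar days
    archived_on = date(2017, 1, 10)
    a_id, b_id = "<a1@example.test>", "<a2@example.test>"
    # Constructed sample messages; not real mail and not real PHI.
    msg_a = b"Message-ID: " + a_id.encode() + b"\r\nSubject: Policy update\r\n\r\nRevised policy attached.\r\n"
    msg_b = b"Message-ID: " + b_id.encode() + b"\r\nSubject: Access report\r\n\r\nSee attached report.\r\n"
    archive.ingest(a_id, msg_a, archived_on)
    archive.ingest(b_id, msg_b, archived_on)
    # Counsel places a hold on the second message (the matter name is made up for the example).
    archive.set_legal_hold(b_id, True, date(2022, 6, 1), "counsel", matter="Matter-0001")
    expiry = archive.retention_expiry(a_id)
    results = {
        "intact_at_ingest": archive.verify(a_id) and archive.verify(b_id),
        "due_day_before_expiry": archive.due_for_deletion(expiry - timedelta(days=1)),
        "due_on_expiry": archive.due_for_deletion(expiry),          # the hold keeps b_id out
        "purged_first_run": archive.purge(expiry),
    }
    # Simulate an out-of-band edit of the stored bytes; the digest check must catch it.
    archive._items[b_id].raw = msg_b.replace(b"report", b"summary")
    results["tamper_detected"] = not archive.verify(b_id)
    archive.set_legal_hold(b_id, False, expiry, "counsel", matter="Matter-0001")
    results["purged_after_release"] = archive.purge(expiry)         # skipped: integrity failure
    results["b_audit_actions"] = [e["action"] for e in archive.audit_trail(b_id)]
    results["disposition_records"] = len(archive.disposition_log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points carry over to a real deployment. The digest recorded at ingest only proves integrity if it is itself stored somewhere the archive operator cannot rewrite (a signed log, WORM storage, or a third party), and a retention job must evaluate holds and dates at run time rather than trusting a deletion date computed when the message was archived, because a hold placed later changes the answer.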

Which is better, on-premises or cloud-based email archiving?

Both options are acceptable for archiving emails, although cloud archives have several advantages: no space needs to be devoted to hardware, no hardware maintenance is required, you do not have to perform backups, the impact of a hardware failure is reduced because email data is replicated across multiple locations, and storage does not run out. Cloud archiving can also be more cost-effective. In either case the covered entity remains responsible for ensuring that the access, audit, and encryption controls meet the Security Rule.

How does the EU’s General Data Protection Regulation apply to email data?

The General Data Protection Regulation only permits the personal data of EU data subjects to be retained for as long as is necessary for the purposes for which it was collected and processed, unless retention is required by law or the data is kept for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes. An email archive holding such data therefore needs a retention policy tied to a documented legal basis rather than indefinite retention.
