HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Compliant Email Archiving

HIPAA Compliant Email Archiving

Archiving Emails in Compliance with HIPAA

The Security Standards for the Protection of Electronic Protected Health Information (the HIPAA “Security Rule”) do not specifically mention email archiving, but there are provisions of the Security Rule that must be considered by HIPAA covered entities and their business associates that relate to email retention so healthcare organizations should consider archiving emails in compliance with HIPAA.

Under the Security Rule, healthcare organizations have to retain electronic communications containing HIPAA policies and procedures. The HIPAA email retention period for these communications is a minimum of six years. During this time, access controls and audit controls have to be implemented to safeguard the integrity of PHI and prevent improper modification or data deletion.

HIPAA compliant email archiving solutions incorporate the necessary controls to adhere to the technical, administrative and physical safeguards of the Security Rule. Furthermore, by archiving emails in compliance with HIPAA, healthcare organizations free up valuable space on their internal servers and help to prevent data destruction by dishonest or disgruntled employees.

How HIPAA Compliant Email Archiving Works

Email archiving solutions typically export emails to a service providers’ servers, where they are indexed to allow quick and easy search and retrieval. For HIPAA compliant email archiving, emails should be encrypted during export, storage and retrieval in order to protect the confidentiality and integrity of emails and any PHI they contain. If there is not end-to-end encryption, it opens up the possibility of a “man-in-the-middle” attack where data could be intercepted and viewed, and potentially altered.

Service providers responsible for archiving emails in compliance with HIPAA have to implement policies and procedures that enforce strict controls over who has access to archived emails. Auditing mechanisms must also be put in place to satisfy the requirements of the administrative safeguards of the HIPAA Security Rule.

Once archived in accordance with your HIPAA email retention policy, authorized personnel can search for and retrieve emails as necessary in order to extract data about a patient, support litigation or comply with an audit request from the Department of Health and Human Services. Sent emails can also be recovered to confirm proof of delivery.

The Benefits of HIPAA Compliant Email Archiving

Archiving emails in compliance with HIPAA not only releases valuable space on internal servers, but also offers other benefits for organizations in the healthcare industry:

  • The sophisticated indexing process catalogs email content, metadata and attachments in order to save time and money when data is required for e-discovery or compliance purposes.
  • Due to being stored on service providers’ servers, HIPAA compliant email archiving can be included as part of a healthcare organization´s Disaster Recovery Plan. In the event of a ransomware attack or other catastrophic event that corrupts email data, emails and attachments can be recovered from the archive.
  • Archiving emails in compliance with HIPAA also helps to prevent insider data theft or data loss due to user negligence – Which are behind around half of all data breaches.

Indeed, insider data theft by dishonest or disgruntled employees is a major concern for many healthcare organizations. The value of PHI on the black market is considerable due to the opportunities to obtain free medical care, commit identity theft, or insurance fraud.

The temptation proved too much for one South Carolina state employee who – in 2012 – forwarded the PHI of more than 228,000 Medicaid recipients to his personal email account. Fortunately his actions were detected before any damage was done; but how many other healthcare employees may violated HIPAA and stolen data in this way without being found out?

Email Archiving Compliance in the United States

In addition to the HIPAA email archiving requirements, there are email archiving compliance laws at the state level, and other federal laws that may apply to healthcare organizations that have have provisions covering email retention. The table below details some of the other minimum retention periods for email.

Legislation Applies to Minimum Email Retention Period
Internal Revenue Service Regulations All companies 7 Years
Freedom of Information Act (FOIA) Federal, state, and local agencies 3 Years
Sarbanes Oxley Act (SOX) All public companies 7 Years
Food and Drug Administration (FDA) Regulations Pharmaceutical firms, food manufacturers, food storage and distribution firms, manufacturers of biological products 5 years to 35 years
Payment Card Industry Data Security Standard (PCI DSS) Credit card companies and credit card processing organizations 1 Year

Speak with TitanHQ About Email Archiving Compliance

TitanHQ is a leading provider of online security solutions for the healthcare industry and, in ArcTitan, the company offers a complete cloud-based, HIPAA compliant email archiving solution. ArcTitan archives healthcare organization’s emails securely, with authorized users able to safely search, view and retrieve emails via an Outlook email client or any web browser.

The solution for archiving emails in compliance with HIPAA is compatible with all major mail servers and email services, includes full email audit functionality, can be accessed remotely, and is scalable to over 60,000 users. ArcTitan is deployed on AWS to spare internal resources and reduce an organization’s onsite data footprint while guaranteeing the same level of security as an on premise solution.


Does HIPAA require encryption for emails?

Emails containing PHI can be sent internally without encryption, provided the email system sits behind a firewall. End-to-end encryption is required if PHI is sent externally and access controls are necessary to prevent unauthorized access to email accounts.

Are there any hidden costs with email archiving?

Costs can vary considerably so you should evaluate several email archiving solutions. Some email arching solution providers charge per mailbox, regardless of whether that mailbox is active. If an employee leaves the company, it would be necessary to continue paying for that employee’s mailbox. Some solution providers only charge for active mailboxes.

Are email archives HIPAA compliant?

Not all email archiving solution providers offer a HIPAA compliant email archiving service. In order to be HIPAA compliant, the solution must meet the requirements of the HIPAA Security Rule and protect PHI at rest and in transit to prevent unauthorized access. The service provider must also be willing to sign a business associate agreement.

Are cloud email archiving service providers required to sign business associate agreements?

A cloud email archiving service will see emails sent to the service provider’s servers. Even if the email archiving service provider claims they do not access customers’ emails, they would still be classed as business associates and will be required to sign a business associate agreement.

How does an email archive differ from an email backup?

Email backups are short to medium-term data stores that are created for disaster recovery. In the event of data loss, such as a ransomware attack, backups can be used to restore mailboxes. Email archives are used for long term, low-cost email storage. Email archives can be used to restore mailboxes, but since the emails are indexed, an email archive can be searched, and individual messages can be quickly found and recovered.

Immediate Access

Privacy Policy