HIPAA Compliant Email Archiving

Archiving Emails in Compliance with HIPAA

The Security Standards for the Protection of Electronic Protected Health Information (the HIPAA “Security Rule”) do not specifically mention email archiving. However, several provisions of the Security Rule that HIPAA covered entities and their business associates must consider relate to email retention, so healthcare organizations should consider archiving emails in compliance with HIPAA.

Under the Security Rule, healthcare organizations have to retain electronic communications containing HIPAA policies and procedures. The HIPAA email retention period for these communications is a minimum of six years. During this time, access controls and audit controls have to be implemented to safeguard the integrity of PHI and prevent improper modification or data deletion.

HIPAA compliant email archiving solutions incorporate the necessary controls to adhere to the technical, administrative and physical safeguards of the Security Rule. Furthermore, by archiving emails in compliance with HIPAA, healthcare organizations free up valuable space on their internal servers and help to prevent data destruction by dishonest or disgruntled employees.

How HIPAA Compliant Email Archiving Works

Email archiving solutions typically export emails to a service provider’s servers, where they are indexed to allow quick and easy search and retrieval. For HIPAA compliant email archiving, emails should be encrypted during export, storage and retrieval in order to protect the confidentiality and integrity of the emails and any PHI they contain. Without end-to-end encryption, a “man-in-the-middle” attack becomes possible, in which data in transit could be intercepted, viewed and potentially altered.

Service providers responsible for archiving emails in compliance with HIPAA have to implement policies and procedures that enforce strict controls over who has access to archived emails. Auditing mechanisms must also be put in place to satisfy the requirements of the administrative safeguards of the HIPAA Security Rule.

Once archived in accordance with your HIPAA email retention policy, authorized personnel can search for and retrieve emails as necessary in order to extract data about a patient, support litigation or comply with an audit request from the Department of Health and Human Services. Sent emails can also be recovered to confirm proof of delivery.
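The safeguards described above (write-once retention, integrity protection of stored messages, role-based access restriction and an auditable record of every access attempt) as an added example. This is illustrative code written for this page, not TitanHQ’s or ArcTitan’s implementation. It uses a standard-library HMAC to detect modification of archived messages and a hash-chained audit log to detect modification of the log itself; the key, roles, sample message and the simulated tampering are all constructed. Encryption in transit and at rest is assumed to be provided by the transport and storage layers and is not shown.

```python
import hashlib
import hmac
import json
import time

# Constructed sample key; in a real deployment this comes from a key management service.
ARCHIVE_KEY = b"example-archive-hmac-key-not-for-production"

# Constructed sample message (RFC 5322 style) containing nothing real.
SAMPLE_EMAIL = (b"From: clinic@example.org\r\nTo: patient@example.net\r\n"
                b"Subject: Appointment\r\n\r\nYour visit is confirmed.\r\n")


class AccessDenied(Exception):
    pass


class IntegrityError(Exception):
    pass


class EmailArchive:
    """Write-once archive: every message carries an HMAC tag, and every access
    attempt (allowed or denied) is appended to a hash-chained audit log.
    There is deliberately no delete operation: retention is enforced by design."""

    def __init__(self, key, roles):
        self._key = key
        self._roles = roles      # user -> set of permitted actions ("archive", "retrieve")
        self._store = {}         # msg_id -> (raw_bytes, hex_tag)
        self.audit_log = []      # list of entries, each chained to the previous by hash

    def _tag(self, msg_id, raw):
        # Bind the tag to the message id so a message cannot be swapped into another slot.
        return hmac.new(self._key, msg_id.encode() + b"\0" + raw, hashlib.sha256).hexdigest()

    def _audit(self, user, action, msg_id, outcome):
        prev = self.audit_log[-1]["entry_hash"] if self.audit_log else "0" * 64
        entry = {"ts": time.time(), "user": user, "action": action,
                 "msg_id": msg_id, "outcome": outcome, "prev_hash": prev}
        entry["entry_hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit_log.append(entry)

    def _authorize(self, user, action, msg_id):
        if action not in self._roles.get(user, set()):
            self._audit(user, action, msg_id, "denied")
            raise AccessDenied(f"{user} may not {action} {msg_id}")

    def archive(self, user, msg_id, raw):
        self._authorize(user, "archive", msg_id)
        if msg_id in self._store:              # write-once: existing records are never overwritten
            self._audit(user, "archive", msg_id, "rejected-duplicate")
            raise ValueError(f"{msg_id} already archived")
        self._store[msg_id] = (raw, self._tag(msg_id, raw))
        self._audit(user, "archive", msg_id, "ok")

    def retrieve(self, user, msg_id):
        self._authorize(user, "retrieve", msg_id)
        if msg_id not in self._store:
            self._audit(user, "retrieve", msg_id, "not-found")
            raise KeyError(msg_id)
        raw, tag = self._store[msg_id]
        if not hmac.compare_digest(tag, self._tag(msg_id, raw)):
            self._audit(user, "retrieve", msg_id, "integrity-failure")
            raise IntegrityError(f"{msg_id} was modified after archiving")
        self._audit(user, "retrieve", msg_id, "ok")
        return raw

    def verify_audit_log(self):
        """Recompute the chain; any edited, removed or reordered entry breaks it."""
        prev = "0" * 64
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if entry["prev_hash"] != prev or entry["entry_hash"] != expected:
                return False
            prev = entry["entry_hash"]
        return True


def demo():
    """Walk through archive, authorized retrieval, denied access, and tamper detection."""
    roles = {"mailgw": {"archive"}, "auditor": {"retrieve"}, "intern": set()}  # constructed roles
    archive = EmailArchive(ARCHIVE_KEY, roles)
    archive.archive("mailgw", "msg-001", SAMPLE_EMAIL)
    result = {"retrieved_ok": archive.retrieve("auditor", "msg-001") == SAMPLE_EMAIL}
    try:
        archive.retrieve("intern", "msg-001")
        result["intern_denied"] = False
    except AccessDenied:
        result["intern_denied"] = True
    # Simulate modification of the stored bytes behind the API (e.g. direct storage access).
    raw, tag = archive._store["msg-001"]
    archive._store["msg-001"] = (raw.replace(b"confirmed", b"cancelled"), tag)
    try:
        archive.retrieve("auditor", "msg-001")
        result["tamper_detected"] = False
    except IntegrityError:
        result["tamper_detected"] = True
    result["audit_chain_valid"] = archive.verify_audit_log()
    result["audit_events"] = [e["outcome"] for e in archive.audit_log]
    archive.audit_log[1]["user"] = "nobody"     # simulate editing the log after the fact
    result["audit_tamper_detected"] = not archive.verify_audit_log()
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The integrity tag is keyed, so an insider with read/write access to the storage layer but not to the key cannot recompute a valid tag after changing a message; the chained audit log likewise turns any later edit of an entry into a verification failure rather than a silent change.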

The Benefits of HIPAA Compliant Email Archiving

Archiving emails in compliance with HIPAA not only releases valuable space on internal servers, but also offers other benefits for organizations in the healthcare industry:

  • The sophisticated indexing process catalogs email content, metadata and attachments in order to save time and money when data is required for e-discovery or compliance purposes.
  • Due to being stored on service providers’ servers, HIPAA compliant email archiving can be included as part of a healthcare organization’s Disaster Recovery Plan. In the event of a ransomware attack or other catastrophic event that corrupts email data, emails and attachments can be recovered from the archive.
  • Archiving emails in compliance with HIPAA also helps to prevent insider data theft and data loss due to user negligence, which together are behind around half of all data breaches.

Indeed, insider data theft by dishonest or disgruntled employees is a major concern for many healthcare organizations. The value of PHI on the black market is considerable due to the opportunities to obtain free medical care, commit identity theft, or insurance fraud.

The temptation proved too much for one South Carolina state employee who, in 2012, forwarded the PHI of more than 228,000 Medicaid recipients to his personal email account. Fortunately his actions were detected before any damage was done; but how many other healthcare employees may have violated HIPAA and stolen data in this way without being found out?

Email Archiving Compliance in the United States

In addition to the HIPAA email archiving requirements, there are email archiving compliance laws at the state level, and other federal laws that may apply to healthcare organizations have provisions covering email retention. The table below details some of the other minimum retention periods for email.

| Legislation | Applies to | Minimum Email Retention Period |
|---|---|---|
| Internal Revenue Service Regulations | All companies | 7 years |
| Freedom of Information Act (FOIA) | Federal, state, and local agencies | 3 years |
| Sarbanes Oxley Act (SOX) | All public companies | 7 years |
| Food and Drug Administration (FDA) Regulations | Pharmaceutical firms, food manufacturers, food storage and distribution firms, manufacturers of biological products | 5 years to 35 years |
| Payment Card Industry Data Security Standard (PCI DSS) | Credit card companies and credit card processing organizations | 1 year |

Speak with TitanHQ About Email Archiving Compliance

TitanHQ is a leading provider of online security solutions for the healthcare industry and, in ArcTitan, the company offers a complete cloud-based, HIPAA compliant email archiving solution. ArcTitan archives healthcare organizations’ emails securely, with authorized users able to safely search, view and retrieve emails via an Outlook email client or any web browser.

The solution for archiving emails in compliance with HIPAA is compatible with all major mail servers and email services, includes full email audit functionality, can be accessed remotely, and is scalable to over 60,000 users. ArcTitan is deployed on AWS to spare internal resources and reduce an organization’s onsite data footprint while guaranteeing the same level of security as an on-premises solution.