HIPAA Compliant Email Archiving
HIPAA compliant email archiving is not specifically mentioned in the Security Standards for the Protection of Electronic Protected Health Information (the HIPAA “Security Rule”), but there are provisions of the Security Rule that relate to email retention that must be considered by HIPAA covered entities and their business associates.
Under the Security Rule, healthcare organizations and health plans have to retain electronic communications containing HIPAA policies and procedures. The HIPAA email retention period for these communications is a minimum of six years. During this time, access controls and audit controls have to be implemented to safeguard the integrity of PHI and prevent improper modification or data deletion.
HIPAA compliant email archiving solutions have the necessary controls to adhere to the technical, administrative, and physical safeguards of the Security Rule. Furthermore, by archiving emails in compliance with HIPAA, healthcare organizations free up valuable space on internal servers and help prevent data destruction by dishonest or disgruntled employees or due to a genuine error.
If you are a HIPAA Covered Entity, read our recent HIPAA compliant email retention solution review.
HIPAA Email Archiving Requirements
Although there are no specific standards in the Security Rule relating to email archiving, organizations looking at email archiving solutions must consider other requirements of HIPAA – for example, responding to individuals who exercise their Privacy Rule rights to request a copy of their PHI. In such circumstances, copies of PHI have to be provided within 30 days.
Other standards in the Administrative Simplification Provisions require Covered Entities and Business Associates to respond quickly to requests for information from the Department of Health and Human Services for compliance reviews and to resolve payment disagreements, or to appeal against a decision made by the agency.
HIPAA compliant email archiving solutions fulfill the HIPAA email archiving requirements by exporting emails to a service providers’ servers, where they are indexed and deduplicated to allow quick and easy search and retrieval in order to meet the timeframes required by the Privacy Rule and Administrative Simplification Provisions.
How HIPAA Compliant Email Archiving Works
For HIPAA compliant email archiving, emails should be encrypted at the point of export to protect the confidentiality and integrity of emails and any PHI they contain, including email sandboxes. Without end-to-end encryption, a “man-in-the-middle” attack becomes possible, in which data in transit could be intercepted, viewed, and potentially altered.
Service providers responsible for archiving emails in compliance with HIPAA have to implement policies and procedures that enforce strict controls over who has access to archived emails. Auditing mechanisms must also be put in place to satisfy the requirements of the administrative safeguards of the HIPAA Security Rule.
Once archived in accordance with your HIPAA email retention policy, authorized personnel can search for and retrieve emails as necessary in order to extract data about a patient, support litigation, or comply with an audit request from the Department of Health and Human Services. Sent emails can also be recovered to confirm proof of delivery.
The Benefits of HIPAA Compliant Email Archiving
Archiving emails in compliance with HIPAA not only releases valuable space on internal servers, but also offers other benefits for organizations in the healthcare industry:
- The sophisticated indexing process catalogs email content, metadata and attachments in order to save time and money when data is required for e-discovery or compliance purposes.
- Because the archive is held on the service provider’s servers, HIPAA compliant email archiving can be included as part of a healthcare organization’s Disaster Recovery Plan. In the event of a ransomware attack or other catastrophic event that corrupts email data, emails and attachments can be recovered from the archive.
- Archiving emails in compliance with HIPAA also helps to prevent insider data theft and data loss due to user negligence, which together are behind around half of all data breaches.
Indeed, insider data theft by dishonest or disgruntled employees is a major concern for many healthcare organizations. The value of PHI on the black market is considerable due to the opportunities to obtain free medical care, and commit identity theft, or insurance fraud.
The temptation proved too much for one South Carolina state employee who, in 2012, forwarded the PHI of more than 228,000 Medicaid recipients to his personal email account. Fortunately, his actions were detected before any damage was done; but how many other healthcare employees may have violated HIPAA and stolen data in this way without being found out?
Email Archiving Compliance in the United States
In addition to the HIPAA email archiving requirements, there are email archiving compliance laws at the state level. Federal laws other than HIPAA may also apply to healthcare organizations and health plans that have provisions covering email retention. The table below details some of the other minimum retention periods for email.
| Legislation | Applies to | Minimum Email Retention Period |
| --- | --- | --- |
| Internal Revenue Service Regulations | All companies | 7 years |
| Freedom of Information Act (FOIA) | Federal, state, and local agencies | 3 years |
| Sarbanes Oxley Act (SOX) | All public companies | 7 years |
| Food and Drug Administration (FDA) Regulations | Pharmaceutical firms, food manufacturers, food storage and distribution firms, manufacturers of biological products | 5 years to 35 years |
| Payment Card Industry Data Security Standard (PCI DSS) | Credit card companies and credit card processing organizations | 1 year |
FAQs
Does HIPAA require encryption for emails?
HIPAA does not require encryption for emails containing PHI if they are sent internally behind a firewall or if a “reasonable and appropriate” solution is implemented that is at least as effective as encryption. However, due to the volume of encryption software available, it is far simpler for covered entities and business associates to implement email encryption software than an alternative solution – or address the consequences of an avoidable data breach.
Are there any hidden costs with email archiving?
There can be hidden costs with email archiving. For example, some vendors charge according to the storage space used or per mailbox – even if a mailbox is not active. For this reason, it is best to adopt an email archiving solution that deduplicates content before emails are archived and that charges by active mailbox account. All software vendors should be transparent about what their service costs.
Are email archives HIPAA compliant?
Not all email archives are HIPAA compliant because not all email archiving solution providers offer a HIPAA compliant email archiving service. In order to be HIPAA compliant, the solution must meet the requirements of the Security Rule and protect PHI at rest and in transit to prevent unauthorized access. The service provider must also be willing to sign a business associate agreement.
Are cloud email archiving service providers required to sign business associate agreements?
Cloud email archiving service providers are required to sign business associate agreements if the service is going to be used to archive emails containing PHI. Even if the email archiving service provider claims they cannot access customers’ emails because they are encrypted, they would still be classed as business associates “with persistent access to PHI” and will be required to sign a business associate agreement.
How does an email archive differ from an email backup?
An email archive differs from an email backup because email backups are short to medium-term data stores that are created for disaster recovery. In the event of data loss, such as a ransomware attack, backups can be used to restore mailboxes. Email archives are used for long-term, low-cost email storage. Email archives can be used to restore mailboxes, but since the emails are indexed, an email archive can be searched, and individual messages can be quickly found and recovered.
What is a HIPAA email retention policy?
A HIPAA email retention policy is a policy that stipulates how long each type of email should be retained in order to comply with HIPAA. In many cases, a HIPAA email retention policy will be a section of a much larger general email policy that covers retention times for all different types of emails – for example, medical records (retention periods vary), HIPAA documentation, FDA documentation, etc.
Are there healthcare email archiving rules in HIPAA?
There are no healthcare email archiving rules in HIPAA. However, there are standards that apply to all PHI when it is collected, received, maintained, or transmitted by a covered entity or business associate. The standards often apply to many different types of PHI activity, so standards relating to (for example) access controls, encryption, and audit trails will apply to multiple PHI activities – i.e., updating patients’ records on EHRs, password management, and email archiving.
Why is it important to comply with the HIPAA email archiving requirements?
It is important to comply with the HIPAA email archiving requirements to protect the privacy of individually identifiable health information and ensure the confidentiality, integrity, and availability of electronic PHI. This means it is not only important to consider the Administrative, Physical, and Technical Safeguards of the Security Rule when evaluating HIPAA compliant email archiving solutions, but also the HIPAA General Rule and Privacy Rule.
Why is HIPAA compliant email archiving necessary?
HIPAA compliant email archiving is not necessary; however, it is an effective way to ensure the integrity of emails containing PHI (when copies are archived as soon as they enter the mail server), prevent data losses due to accidental or malicious deletion, and ensure emails are quickly available when required to activate a contingency plan or to respond to an individual’s access request.
What are the email archiving requirements for health care?
There are no email archiving requirements for health care other than, if a Covered Entity opts to archive emails, the process must be done in compliance with HIPAA. This means that emails containing PHI must be encrypted in transit to the archive server and while at rest in the server. There must also be access controls to manage who can search and retrieve emails, and the email archiving solution must support activity logs and audit trails that report who accessed the archive, when they accessed the archive, and what they did once they were in the archive.
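As an added example (not code from HIPAA Journal or from any archiving vendor) of the controls described under How HIPAA Compliant Email Archiving Works and in this answer, the Python below models an archive that deduplicates by content hash, seals each stored copy with an HMAC so that alteration is detected at retrieval, enforces a role-based check on search, retrieve and purge, writes every outcome (including denied attempts) to an append-only audit trail, and refuses deletion before the six-year retention period has elapsed. Encryption of the copies in transit and at rest is left to a real cryptographic library and is not implemented here; the role names, seal key, sample message and dates are all constructed for the example.

```python
"""Toy model of archive controls: content-hash deduplication, HMAC integrity
seal, role-based access, append-only audit trail, retention hold.
Added example with hypothetical names; not any vendor's product."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Six-year minimum retention period discussed on this page (365-day years assumed).
RETENTION = timedelta(days=6 * 365)

# Hypothetical role model: the archive actions each role may perform.
ROLES = {
    "archive_admin": {"search", "retrieve", "purge"},
    "records_clerk": {"search", "retrieve"},
    "helpdesk": set(),
}


@dataclass
class Record:
    digest: str          # SHA-256 of the raw message; doubles as the dedup key
    received: datetime   # when the copy entered the archive; starts the retention clock
    seal: str            # HMAC over digest + received; detects alteration of the stored record
    body: bytes          # raw message (a real archive would hold this encrypted at rest)


class Archive:
    def __init__(self, seal_key: bytes):
        self._key = seal_key
        self._store: dict[str, Record] = {}
        self.audit: list[dict] = []  # append-only: nothing below removes an entry

    def _seal(self, digest: str, received: datetime) -> str:
        msg = f"{digest}|{received.isoformat()}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def _log(self, who: str, action: str, target: str, outcome: str) -> None:
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "who": who,
                           "action": action, "target": target, "outcome": outcome})

    def _authorize(self, who: str, role: str, action: str, target: str) -> None:
        if action not in ROLES.get(role, set()):
            self._log(who, action, target, "denied")   # denials are audited too
            raise PermissionError(f"{role} may not {action}")

    def ingest(self, raw: bytes, received: datetime) -> tuple[str, bool]:
        """Store a message; returns (digest, stored). Duplicates are logged, not stored twice."""
        digest = hashlib.sha256(raw).hexdigest()
        if digest in self._store:
            self._log("ingest", "ingest", digest, "duplicate")
            return digest, False
        self._store[digest] = Record(digest, received, self._seal(digest, received), raw)
        self._log("ingest", "ingest", digest, "stored")
        return digest, True

    def search(self, who: str, role: str, term: str) -> list[str]:
        """Digests of messages containing term (linear scan stands in for a real index)."""
        self._authorize(who, role, "search", term)
        needle = term.lower().encode()
        hits = [d for d, r in self._store.items() if needle in r.body.lower()]
        self._log(who, "search", term, f"{len(hits)} hits")
        return hits

    def retrieve(self, who: str, role: str, digest: str) -> bytes:
        """Return the copy only if both the seal and the content hash still verify."""
        self._authorize(who, role, "retrieve", digest)
        rec = self._store[digest]
        seal_ok = hmac.compare_digest(rec.seal, self._seal(rec.digest, rec.received))
        body_ok = hashlib.sha256(rec.body).hexdigest() == rec.digest
        if not (seal_ok and body_ok):
            self._log(who, "retrieve", digest, "integrity_failure")
            raise ValueError("archived copy has been altered")
        self._log(who, "retrieve", digest, "ok")
        return rec.body

    def purge(self, who: str, role: str, digest: str, now: datetime) -> bool:
        """Delete a copy only once the retention period has elapsed."""
        self._authorize(who, role, "purge", digest)
        if now - self._store[digest].received < RETENTION:
            self._log(who, "purge", digest, "denied_retention_hold")
            return False
        del self._store[digest]
        self._log(who, "purge", digest, "purged")
        return True


def demo() -> dict:
    """Exercise every control on one constructed message; returns the outcomes."""
    archive = Archive(b"constructed-demo-seal-key")
    received = datetime(2020, 1, 15, tzinfo=timezone.utc)
    raw = b"From: lab@example.test\nSubject: Lab results for MRN 0001\n\nConstructed sample body."
    digest, stored = archive.ingest(raw, received)
    _, stored_again = archive.ingest(raw, received)   # exact duplicate is deduplicated
    out = {"stored": stored, "dedup": not stored_again,
           "hits": archive.search("clerk1", "records_clerk", "mrn 0001"),
           "roundtrip": archive.retrieve("clerk1", "records_clerk", digest) == raw}
    try:
        archive.retrieve("hd1", "helpdesk", digest)
        out["helpdesk_blocked"] = False
    except PermissionError:
        out["helpdesk_blocked"] = True
    out["early_purge"] = archive.purge("adm1", "archive_admin", digest, received + timedelta(days=400))
    archive._store[digest].body = raw + b" [altered]"   # simulate tampering with the stored copy
    try:
        archive.retrieve("adm1", "archive_admin", digest)
        out["tamper_detected"] = False
    except ValueError:
        out["tamper_detected"] = True
    out["late_purge"] = archive.purge("adm1", "archive_admin", digest, received + RETENTION)
    out["audit_entries"] = len(archive.audit)
    return out
```

Running `demo()` shows the duplicate being collapsed, the helpdesk role refused at retrieve, the early purge refused by the retention hold, the altered copy rejected by the integrity check, and eight audit entries covering every one of those events, including the denials. In a real deployment the seal key would live in a key management service, the body would be encrypted before it reaches the store, and the audit log would itself be written to storage the archive operators cannot edit.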