While email retention is not specifically mentioned in the HIPAA text, certain provisions cover data retention and backup, which apply to protected health information and HIPAA documentation, regardless of where that information is stored, including in email accounts. Healthcare organizations that do not have a HIPAA email retention policy are potentially at risk of noncompliance.
Why is a HIPAA Email Retention Policy Important?
HIPAA requires covered entities and their business associates to retain all documents related to security, privacy policies, and procedures for a period of at least six years from the date the document is created or the date when it was last in effect – whichever is later.
For most covered entities, the documentation that must be retained typically includes:
- Information security policies and practices
- Risk analyses
- Notices of privacy practices
- Patient authorizations
- Business associate agreements
- Access logs
- IT security reviews and other IT security-related documents
- Employee sanction policies
- Breach notifications
- Complaint and resolution documents
- Training documents
- Patient requests
- Policies and procedural documentation
Covered entities and business associates must also ensure that documentation and PHI are backed up and that a retrievable, exact copy of electronic protected health information exists.
A HIPAA email retention policy should be developed that requires all the above documentation to be retained for six years or more to meet HIPAA requirements. An email archive can also help satisfy HIPAA backup requirements and meet state documentation and PHI retention laws, and it is also extremely valuable when dealing with complaints and e-discovery.
HIPAA Compliant Email Archiving
It is strongly recommended that you develop a HIPAA email retention policy and implement an email archiving solution with a HIPAA compliant email archiving company.
A HIPAA compliant email archiving solution, such as ArcTitan, is the ideal solution for healthcare organizations to help them meet state and federal data retention requirements. The solution can be used to store business-related emails which must be retained to comply with state laws, but it will also ensure that any PHI contained in emails is stored securely in compliance with the HIPAA Security Rule.
A HIPAA compliant email archive captures and retains all emails that are sent or received. The archive is searchable, allowing quick retrieval of email data when required; email data is preserved in its original format and is tamper-proof; audit logs are maintained; and access controls can be implemented to restrict access to authorized individuals only.
The email archive also serves as a data loss prevention tool and safeguards the confidentiality, integrity, and availability of PHI and HIPAA documents sent via email.
HIPAA Email Retention Policy FAQs
Do emails need to be encrypted to comply with HIPAA?
The encryption of ePHI is an addressable requirement of the HIPAA Security Rule. This means that emails containing ePHI should be encrypted unless a covered entity implements an equally effective alternative security measure or can demonstrate that encryption is not necessary – for example, if the email server is only used for sending internal emails and is protected by a firewall.
How does archiving emails differ from backing up emails?
Email backups are short- to medium-term data stores that are created for disaster recovery. In the event of data loss, such as a ransomware attack, backups can be used to restore mailboxes. Email archives are used for long-term, low-cost email storage. Email archives can also be used to restore mailboxes, but because the emails are indexed, an archive can be searched so that individual messages can be quickly found and recovered.
Are email archiving solutions HIPAA compliant?
No technology is HIPAA compliant – it is how the technology is used that determines compliance. To support HIPAA compliance, it is necessary for email archiving solutions to have mechanisms in place that meet the Technical Safeguards of the Security Rule. It may also be necessary for the vendor of the email archiving solution to sign a Business Associate Agreement (BAA).
When are vendors of email archiving solutions required to sign a BAA?
If the vendor or any employee of the vendor (e.g., a software engineer) has access to emails containing ePHI, the vendor will be required to sign a BAA. Therefore, if a hardware solution is deployed on-premises and maintained by the covered entity, no BAA is necessary. However, if the covered entity chooses to archive emails in a cloud-based solution, a BAA will be necessary with the cloud service provider or, if using a SaaS solution, with the third-party service provider.
What is the cost of HIPAA-compliant email archiving?
The cost of HIPAA-compliant email archiving varies considerably depending on the type of solution deployed. Hardware-based email archiving solutions will likely involve capital expenditures, while software-based solutions (including cloud-based solutions) will involve only operating expenditures. Software-based and cloud-based solutions are usually billed “per mailbox”, but there may also be costs associated with storage space and maintenance contracts.