Is HIPAA Compliant Email Archiving a Requirement?

Is It Necessary to Archive Emails to Comply with HIPAA?

Email archiving is not required by the Security Standards for the Protection of Electronic Protected Health Information (aka the HIPAA “Security Rule”). However, there are good reasons why it is best for healthcare organizations to look at archiving emails for HIPAA compliance.

According to the Security Rule, healthcare providers need to retain electronic communications that contain PHI for at least six years. For the duration of this period, there must be access and audit controls implemented to secure PHI and prevent inappropriate alteration or deletion.

HIPAA compliant email archiving must have controls to comply with the administrative, technical and physical safeguards required by the HIPAA Security Rule. Healthcare providers that archive emails to free up space on their internal servers are also implementing another control to help prevent theft of data by dishonest or dissatisfied employees.

What is HIPAA Compliant Email Archiving?

Email archiving solutions generally upload emails to the servers of a service provider, where the emails are indexed so that the archive can be searched. In the process of archiving, the emails are encrypted upon export and during storage, which reduces the potential for “man-in-the-middle” attacks and data interception in transit.

Service providers in charge of archiving emails must enforce policies and procedures that impose tight controls over the persons that can access archived emails. There must be auditing systems in place to meet the administrative requirements of the HIPAA Security Rule.

After emails are archived, authorized personnel may look for and retrieve emails as needed to view patient data, to fulfill an audit request made by the Department of Health and Human Services, or to provide email data for legal purposes. Sent email messages may also be retrieved to verify delivery.

What are the Advantages of HIPAA Compliant Email Archiving?

Archiving emails does not only free up useful space on internal servers. There are other advantages of email archiving for organizations in the healthcare sector:

The advanced indexing process catalogs email content, attachments and metadata, which saves time and money whenever data needs to be produced for e-discovery or compliance.

Since email content is located on the servers of service providers, HIPAA compliant email archiving can support a healthcare provider’s Disaster Recovery Plan.

Archiving emails also aids in preventing insider theft of data or user negligence, which are behind about half of breaches of PHI.

Dishonest or dissatisfied employees committing insider data theft is a big concern for healthcare establishments. PHI is a valuable commodity and can be used to get free medical care, create fake identities and commit insurance fraud.

One South Carolina state employee was enticed to commit insider theft in 2012 and forwarded over 228,000 Medicaid recipients’ PHI to his private email account. Thankfully, what he did was detected before damage was caused. Email archiving could have helped to prevent such a major data export.

Consult TitanHQ on Archiving Emails in Compliance with HIPAA

TitanHQ is a top rated provider of online security services for healthcare organizations and has developed a complete cloud-based, HIPAA compliant email archiving solution called ArcTitan. ArcTitan securely archives emails for healthcare organizations which allows authorized users to search, view and access emails safely by using an Outlook email client and web browser.

The ArcTitan email archiving service works well with all primary mail servers and email services and offers full email audit functionality. It is remotely accessible and scalable to more than 60,000 users. ArcTitan is housed on AWS to save internal resources and minimize an organization’s onsite data footprint while ensuring security of the same level as an on-premise provider.


Is Gmail HIPAA compliant?

The free-to-use version of Gmail is only intended for consumer use and is not HIPAA compliant. Google will sign a business associate agreement that covers G Suite, which includes Gmail, and G Suite can be made HIPAA compliant; however, even this paid business email service is not HIPAA compliant by default. If sending emails containing PHI externally, you would need to use a third-party email encryption service.

Can protected health information be sent via email?

HIPAA does not prohibit the sending of protected health information via email, but the HIPAA Security Rule requires safeguards to be implemented to prevent unauthorized access. If emails are sent beyond the protection of a firewall, emails should be encrypted to prevent interception and ensure the confidentiality, integrity, and availability of PHI. Access controls must also be implemented to prevent unauthorized access to mailboxes.

Is Office 365 HIPAA Compliant?

Office 365 email can be used in a HIPAA compliant manner. First, you need to obtain a signed business associate agreement from Microsoft that covers Office 365. Even with the BAA, Office 365 use can violate HIPAA, so it is important for policies and procedures to be implemented covering email use. For instance, file names, email subject lines, and message headers are not encrypted, so they must not contain any PHI.

Are all email archives HIPAA compliant?

In order for an email archiving solution to be HIPAA compliant it must satisfy the requirements of the HIPAA Security Rule. All email data must be encrypted at rest and in transit, access controls must prevent unauthorized access, and PHI in emails and attachments must be tamperproof. A signed BAA must also be obtained from the email archiving service provider.

How can I send a HIPAA compliant email?

Before sending any PHI externally via email you must ensure the email is protected in transit, which means implementing end-to-end encryption. Access controls must also be configured to ensure unauthorized individuals cannot access mailboxes, and you need a signed BAA from the email service provider. Email rules must also be followed, such as not including PHI in subject lines.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023.