Is It Necessary to Archive Emails to Comply with HIPAA?
Email archiving is not required by the Security Standards for the Protection of Electronic Protected Health Information (also known as the HIPAA “Security Rule”). However, there are good reasons why healthcare organizations should consider archiving emails for HIPAA compliance.
According to the Security Rule, healthcare providers need to retain electronic communications that contain PHI for at least six years. For the duration of this period, access and audit controls must be in place to secure PHI and prevent inappropriate alteration or deletion.
HIPAA compliant email archiving must have controls that satisfy the administrative, technical and physical safeguards required by the HIPAA Security Rule. Healthcare providers that archive emails to free up space on their internal servers are also implementing another control that helps prevent theft of data by dishonest or dissatisfied employees.
What is HIPAA Compliant Email Archiving?
Email archiving solutions generally upload emails to the servers of a service provider, where they are indexed so that the archive can be searched. During archiving, the emails are encrypted on export and while in storage, which reduces the potential for “man-in-the-middle” attacks and interception of data in transit.
Service providers in charge of archiving emails must enforce policies and procedures that impose tight controls over who can access archived emails. Auditing systems must also be in place to meet the administrative requirements of the HIPAA Security Rule.
Once emails are archived, authorized personnel may search for and retrieve them as needed: to view patient data, to fulfill an audit request from the Department of Health and Human Services, or to provide email records for legal purposes. Sent messages may also be retrieved to verify delivery.
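The controls this section describes (tamper-evident records, a six-year retention hold, access restricted to authorized users, and an audit trail of every access attempt) sketched as a minimal in-memory archive. This is an added example, not TitanHQ's or ArcTitan's code; the role names, message fields and ISO date strings are assumptions, and encryption in transit and at rest is left to the transport and storage layers.

```python
import hashlib
import json
from datetime import date

RETENTION_YEARS = 6  # minimum retention period for PHI communications cited in the article

def _add_years(d, years):
    """Move d forward by `years`; 29 Feb clamps to 28 Feb when the target year is not leap."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

class EmailArchive:
    """Append-only store: messages are hashed at ingest so alteration is detectable,
    carry a retain-until date, and every access attempt is written to an audit log."""

    def __init__(self, authorized):
        self.authorized = set(authorized)  # roles allowed to search, retrieve and delete (assumed)
        self._items = {}                   # msg_id -> record
        self.audit_log = []                # (actor, action, target, allowed) tuples

    def archive(self, msg_id, sender, subject, body, received_iso):
        if msg_id in self._items:
            raise ValueError(f"{msg_id} already archived; records are immutable")
        payload = json.dumps({"from": sender, "subject": subject, "body": body}, sort_keys=True)
        self._items[msg_id] = {
            "payload": payload,
            "sha256": hashlib.sha256(payload.encode()).hexdigest(),
            "retain_until": _add_years(date.fromisoformat(received_iso), RETENTION_YEARS),
        }
        self.audit_log.append(("ingest", "archive", msg_id, True))

    def _authorize(self, actor, action, target):
        allowed = actor in self.authorized
        self.audit_log.append((actor, action, target, allowed))  # denied attempts are logged too
        if not allowed:
            raise PermissionError(f"{actor} may not {action} archived email")

    def search(self, actor, term):
        self._authorize(actor, "search", term)
        return sorted(i for i, r in self._items.items() if term.lower() in r["payload"].lower())

    def retrieve(self, actor, msg_id):
        self._authorize(actor, "retrieve", msg_id)
        return json.loads(self._items[msg_id]["payload"])

    def verify(self, msg_id):
        r = self._items[msg_id]  # recompute the ingest hash; a mismatch means the record was altered
        return hashlib.sha256(r["payload"].encode()).hexdigest() == r["sha256"]

    def delete(self, actor, msg_id, today_iso):
        self._authorize(actor, "delete", msg_id)
        if date.fromisoformat(today_iso) < self._items[msg_id]["retain_until"]:
            raise PermissionError(f"{msg_id} is still under retention")
        del self._items[msg_id]
```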
What are the Advantages of HIPAA Compliant Email Archiving?
Archiving emails does more than free up valuable space on internal servers. It offers other advantages for organizations in the healthcare sector:
The advanced indexing process catalogs email content, attachments and metadata, which saves time and money whenever data needs to be produced for e-discovery or compliance.
Since email content is located on the servers of service providers, HIPAA compliant email archiving can support a healthcare provider’s Disaster Recovery Plan.
Archiving emails also helps prevent insider data theft and user negligence, which together are behind about half of all breaches of PHI.
Dishonest or dissatisfied employees committing insider data theft is a big concern for healthcare establishments. PHI is a valuable commodity and can be used to get free medical care, create fake identities and commit insurance fraud.
One South Carolina state employee was enticed to commit insider theft in 2012 and forwarded over 228,000 Medicaid recipients’ PHI to his private email account. Thankfully, what he did was detected before any damage was caused. Email archiving could have helped prevent such a major data export.
Consult TitanHQ on Archiving Emails in Compliance with HIPAA
TitanHQ is a top rated provider of online security services for healthcare organizations and has developed a complete cloud-based, HIPAA compliant email archiving solution called ArcTitan. ArcTitan securely archives emails for healthcare organizations and allows authorized users to search, view and access emails safely using either an Outlook email client or a web browser.
The ArcTitan email archiving service works with all major mail servers and email services and offers full email audit functionality. It is remotely accessible and scales to more than 60,000 users. ArcTitan is hosted on AWS to save internal resources and minimize an organization’s onsite data footprint while providing security at the same level as an on-premises deployment.