Email archiving and HIPAA compliance

October 5, 2020

Make sure email is a part of your cybersecurity strategy.

Email archiving is an automated process for preserving and protecting all inbound and outbound email messages (as well as attachments and metadata) so they can be accessed later. In other words, email archiving is storing emails and making them searchable.

Email archiving providers take this burden off organizations by storing emails on their servers while making them accessible to designated administrators in the organization. This is different than simply creating an email data backup. Data backups do not allow searching, so if a particular email needs to be found, it might take weeks for you to find it.

Is email archiving required for HIPAA compliance?

HIPAA delineates what covered entities need to do to maintain compliance, but it does not provide specific guidelines about how to do it. Email archiving is not explicitly mentioned anywhere in the regulations.

Under the HIPAA Security Rule, healthcare organizations have to retain electronic communications data for a minimum of six years. During this time, access and audit controls must be implemented to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI) to comply with the risk analysis requirements of the Security Rule and prevent improper data modification or deletion.

Email archiving is an effective way to accomplish these HIPAA requirements.

How does email archiving work?

Email archiving solutions generally upload emails to the provider’s servers, where the emails are indexed to allow the archive to be searched. The emails are encrypted which reduces the potential for “man-in-the-middle” attacks where data is intercepted in transit.

Since the archived emails cannot be edited or deleted, they are also tamper-proof.

Service providers impose tight controls over who can access archived emails to view patient data, fulfill an audit request made by the Department of Health and Human Services (HHS), or provide email content for legal purposes.

Email archiving and eDiscovery

Electronic discovery, better known as eDiscovery, is the process in which electronically stored information (ESI) is requested, searched, located, and produced with the intent of using it in a court case as evidence, for government investigations, or as part of a Freedom of Information Act request.

If your healthcare business must conduct an audit for eDiscovery purposes, the search capabilities of an email archiver make this a vastly easier, faster, and more comprehensive process.

In addition, emails contain metadata (e.g. information about the device used to send a message or the date and time an email was sent) that is a vital part of legal evidence.

Benefits of email archiving

There are many benefits to email archiving for your healthcare business. Here are a few of the main ones.

  • Easy storage management. Covered entities reduce their server load by allowing an email archiving providerto archive and store their emails.
  • Business continuity. Email archiving preserves the intellectual property contained in business email and its attachments. It also eases the burden on an IT department to find lost emails.
  • Part of disaster recovery plan. Because the data is stored on a service providers’ servers, email archiving can be part of a healthcare organization's disaster recovery plan. In the event of a ransomware attack or other catastrophic event that corrupts email data, emails and attachments can be recovered from the archive.
  • Data theft prevention. Archiving emails also helps to prevent insider data theft or destruction by dishonest or disgruntled employees because you always have a backup in the archive.
  • Accelerated audit response. Retaining searchable emails and attachments from all staff members means that if there is ever litigation, it will be much easier to find and produce the required emails.
  • Disposal of PHI. In addition to privacy protection, HIPAA also features strict guidelines on how to dispose of PHI. Email archiving offers automated email retention in one centralized place. This is crucial, especially seeing as most companies have multiple departments and multiple users who are responsible for disposing of emails.

Conclusion

Email archiving is a cost-efficient safeguard that is easy to use across multiple office locations and protects both your company and patients from concerns over access, integrity, and content security issues.