Written by Michael A. Alicea
Category: Secure Messaging Blog

Does HIPAA require email archiving?

The answer is yes. Archiving email is required to be HIPAA compliant. Well, it is sort of required: the regulations never use the words "email archiving", but once you trace what they do require, the practical answer is still yes.

Long story - longer: HIPAA is often less specific than we would all like. The flexibility that makes HIPAA adaptable also makes it hard to know exactly what is expected of a covered entity. Few people have given any thought to HIPAA and email archiving because it is not specifically mentioned in the regulations, and unless you employ a compliance officer, most people with HIPAA responsibilities want to get the compliance program done as quickly as possible without reading too much into the rules. Even with the best of intentions, unless you have an IT background or are working through compliance as part of a team with IT input, you probably have not considered the implications of not archiving email.

This compliance component becomes easier if you use a business-class email system, because email archiving is usually built in or available as an option.


What to look for in a provider

  • Every message transmitted (sent or received) is copied to an archive that is stored separately from your day-to-day email system and housed in a different physical location, ideally as more than one copy. These copies are "the archives".
  • The archives cannot be deleted or altered, by users or by administrators, before their retention period expires (write-once, or "WORM", storage).
  • Messages in the archives are retained for the period set by your data retention and destruction policies, which must cover at least HIPAA's six-year documentation retention period for any messages that qualify as such documentation.
  • The archives can be searched, and individual messages can be downloaded (for example, to answer an audit or an accounting-of-disclosures request).


HIPAA’s Requirements and Email Archiving

Archiving is an implied requirement for entities that transmit protected health information (PHI) via email. Where that implication comes from becomes clear when you read the regulations carefully and understand each requirement completely. Always consult a healthcare attorney for definitive guidance and opinions about your specific situation.

HIPAA's Emergency access procedure requirement

HIPAA Technical safeguard 45 CFR § 164.312(a)(2)(ii), Emergency access procedure, is a required implementation specification. It states that you will "Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency."

If urgently needed data is in an email and the email system is unavailable, you have a problem. This is where the archives come in: a separately hosted archive lets you retrieve previously transmitted information at any time, even while the primary email system is down.

HIPAA's Data backup and storage requirements

HIPAA's Administrative safeguard 45 CFR § 164.308(a)(7)(ii)(A), Data backup plan, is a required implementation specification. It states that you will "Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information."

HIPAA's Physical safeguard 45 CFR § 164.310(d)(2)(iv), Data backup and storage, is an addressable implementation specification, so you have some flexibility in how it is met. It states that you will "Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment."

If your email provider is truly HIPAA compliant, you are in good shape, because it will already be doing this as required. However, if your organization uses an email product that stores messages locally on a PC or on a local server, or hosts them with a provider that is not well versed in HIPAA, you have to ensure that backups of any mail containing operational PHI are actually being made and that they survive a failure of that machine. In these scenarios, archiving matters more than ever.

HIPAA's Right to an accounting of disclosures requirement

HIPAA's Accounting of disclosures of protected health information, 45 CFR § 164.528, states that individuals have a right to receive an accounting of certain disclosures of their PHI made in the six years prior to the date on which the accounting is requested.

Email archives let you retrieve copies of messages during an audit or a breach investigation and establish whether a particular message contained PHI or not.

HIPAA's documentation requirements:

HIPAA requires that documentation of your policies and procedures, and of the actions, activities and assessments the rules require you to record, be retained for six years from the date of its creation or the date it was last in effect, whichever is later (45 CFR § 164.316(b)(2)(i) for the Security Rule and § 164.530(j) for the Privacy Rule). Items include:

  • Policy or procedural documentation - including notices of privacy practices, consents, authorizations and other standard forms
  • Patient requests - such as requests for access, amendment or an accounting of PHI disclosures
  • Complaints - documentation related to the handling of patient and/or employee complaints
  • Training - including the processes for and the content of workforce training

Some email traffic will inevitably fall into these categories. If it does, or if you are not sure, copies of those messages should be retained in accordance with HIPAA's documentation requirements. The easiest way to do this is to archive all email automatically.

You can try to rely on users to save specific emails, but that expectation is unreasonable and unreliable. An automated archive ensures that every important message is captured, whether or not anyone thought to save it.

Separate Email Archives from your Email Service


Many companies that provide archiving, either included with or as an option on their email service, use the same equipment for both. This works fine until something happens to that equipment and you happen to need urgent access to the archives. The risk is greatest when your business and the data center are in the same geographical area. For example, when Hurricane Maria devastated the whole island of Puerto Rico in 2017, businesses with backup data centers outside Puerto Rico fared best. In the best case, your stored emails are simply inaccessible for a while. In the worst case, your archives are irretrievably damaged along with your company's day-to-day email. From a business continuity and disaster recovery planning standpoint, this does not work.

To manage the risk of inaccessible archives properly, make sure your messages are archived by a company whose archive storage systems are completely separate from, and geographically apart from, the systems that handle your regular email.

For our customers, CecureCend handles all of this. We have partnerships with world-class email archiving service providers, and our message archiving customers have a proper setup in place: any internal problem with one system does not affect the other.

Do not try this at home

Doing archiving yourself is really not advised. Some organizations decide that, to save money, they will handle backing up email on their own. Again, this is not recommended.

Strategies such as copying all messages to other systems like users' personal email accounts, downloading messages to local machines, or setting up a separate process for each user mailbox can work, and they will undoubtedly be cheap compared to a business-class archiving platform. When you operate as a stand-alone organization, your company is ultimately and solely responsible for its own compliance, so the in-house method may be defensible. When you have affiliates and business associates, you may be contractually required to demonstrate that a more robust solution is in place.

From a compliance standpoint, as long as you have identified the risks of an in-house solution and documented in your periodic risk assessment how each one has been addressed, you may be ok. When assessing the solution, key risks to consider are:

  • Are the messages vulnerable to being deleted or altered?
  • If your email servers go down, will you lose access to all your messages, both day-to-day email and the backup copies?
  • Is your internal email storage secure? Is it vulnerable to damage or theft?
  • Which workforce members have access to the email servers and the accounts they contain? Keep in mind that you now have a whole other set of HIPAA compliance requirements for managing this equipment.
  • If your facility loses power or must be evacuated, are your emails inaccessible, including all backup copies?
  • For medium and large organizations, the larger the workforce, the greater the likelihood that something happens to an account so that some or all of its messages are not stored correctly or need a very specific recovery.
  • Are workforce members able, by accident or on purpose, to delete some or all of their emails and/or the archives?
  • If a portable device like a laptop is lost or stolen, could significant emails be lost, and does the possibility of a breach exist?
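The first two risks above (messages being altered or deleted, and the backup copies going down together with the primary system) are exactly what the provider checklist earlier on this page is meant to rule out, and they are the easiest to test for. The following is an added illustration, not code from the original post or from CecureCend, of how an archive can be made tamper-evident: each message is stored under its SHA-256 hash, the manifest that indexes the archive is hash-chained so that editing or removing an entry breaks the chain, and the current chain head is compared against a copy kept somewhere else. The sample messages, the Archive class and its method names are all constructed for the example; no real PHI is involved.

```python
"""Tamper-evident email archive with a hash-chained manifest.

Added example, not CecureCend's or the post author's code. The sample
messages, names and storage layout are constructed for illustration only.
"""
import email
import hashlib
from email import policy
from typing import Dict, List, Optional

# Constructed sample messages in RFC 5322 format (no real PHI).
SAMPLE_MESSAGES = [
    b"From: clinic@example.org\r\nTo: billing@example.org\r\n"
    b"Subject: Visit summary\r\nMessage-ID: <a1@example.org>\r\n\r\n"
    b"Patient visit summary attached.\r\n",
    b"From: hr@example.org\r\nTo: staff@example.org\r\n"
    b"Subject: Annual HIPAA training\r\nMessage-ID: <a2@example.org>\r\n\r\n"
    b"Training is due by Friday.\r\n",
    b"From: patient@example.net\r\nTo: clinic@example.org\r\n"
    b"Subject: Request for accounting of disclosures\r\n"
    b"Message-ID: <a3@example.net>\r\n\r\n"
    b"Please send my accounting of disclosures.\r\n",
]

GENESIS = "0" * 64  # chain value before the first entry


def chain_hash(prev: str, seq: int, digest: str) -> str:
    """Link one manifest entry to every entry that came before it."""
    return hashlib.sha256(f"{prev}|{seq}|{digest}".encode()).hexdigest()


class Archive:
    """Content-addressed message store plus an append-only, hash-chained manifest."""

    def __init__(self) -> None:
        self.blobs: Dict[str, bytes] = {}  # sha256 hex -> raw message bytes
        self.manifest: List[dict] = []     # one entry per archived message, in order

    def add(self, raw: bytes) -> str:
        digest = hashlib.sha256(raw).hexdigest()
        msg = email.message_from_bytes(raw, policy=policy.default)
        seq = len(self.manifest)
        self.manifest.append({
            "seq": seq,
            "sha256": digest,
            "message_id": str(msg["Message-ID"]),
            "subject": str(msg["Subject"]),
            "chain": chain_hash(self.head(), seq, digest),
        })
        self.blobs.setdefault(digest, raw)  # identical messages are stored once
        return digest

    def head(self) -> str:
        """Current chain head; record this off-site after every archiving run."""
        return self.manifest[-1]["chain"] if self.manifest else GENESIS

    def verify(self, offsite_head: Optional[str] = None) -> List[str]:
        """Return the problems found; an empty list means the archive is intact."""
        problems: List[str] = []
        prev = GENESIS
        for i, entry in enumerate(self.manifest):
            raw = self.blobs.get(entry["sha256"])
            if raw is None:
                problems.append(f"entry {i}: stored message is missing")
            elif hashlib.sha256(raw).hexdigest() != entry["sha256"]:
                problems.append(f"entry {i}: stored bytes were altered")
            if entry["seq"] != i or entry["chain"] != chain_hash(prev, entry["seq"], entry["sha256"]):
                problems.append(f"entry {i}: manifest chain broken (entry removed or edited)")
            prev = entry["chain"]
        # Dropping the newest entries leaves a valid chain; only an external head catches it.
        if offsite_head is not None and prev != offsite_head:
            problems.append("chain head differs from off-site copy (newest entries removed)")
        return problems

    def search(self, term: str) -> List[str]:
        """Case-insensitive subject search returning Message-IDs."""
        term = term.lower()
        return [e["message_id"] for e in self.manifest if term in e["subject"].lower()]

    def fetch(self, message_id: str) -> Optional[bytes]:
        """Retrieve one message's original bytes, e.g. to answer an audit request."""
        for e in self.manifest:
            if e["message_id"] == message_id:
                return self.blobs.get(e["sha256"])
        return None


def build_sample_archive() -> Archive:
    archive = Archive()
    for raw in SAMPLE_MESSAGES:
        archive.add(raw)
    return archive


def demo_tampering() -> Dict[str, List[str]]:
    """Run verify() against an intact archive and three tampered copies of it."""
    results = {}
    intact = build_sample_archive()
    offsite_head = intact.head()  # what the separately stored copy would record
    results["intact"] = intact.verify(offsite_head)

    altered = build_sample_archive()  # message content edited in place
    digest = altered.manifest[0]["sha256"]
    altered.blobs[digest] = altered.blobs[digest].replace(b"summary", b"SUMMARY")
    results["altered"] = altered.verify(offsite_head)

    middle = build_sample_archive()  # a message removed from the middle
    del middle.manifest[1]
    results["deleted_middle"] = middle.verify(offsite_head)

    truncated = build_sample_archive()  # the newest message removed
    del truncated.manifest[-1]
    results["truncated_no_offsite"] = truncated.verify()
    results["truncated_with_offsite"] = truncated.verify(offsite_head)
    return results
```

Calling demo_tampering() shows the instructive case: silently dropping the newest messages passes every local check and is only caught because a copy of the chain head was recorded off-site. That is the technical reason behind the advice to keep archive copies apart from the mail system rather than on the same equipment.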

Conclusion

In summary: HIPAA does not specifically address the retention or archiving of email messages. It simply expects you to have the needed PHI available when it is required, whether that information lives in email or elsewhere.

Also keep in mind, as stated earlier, that there is a six-year retention requirement for documentation, including your privacy and security policies, procedures, records of complaints, and so on. That documentation exists for reference and to support audits, complaint investigations, and the like. There is much room for interpretation, but at the end of the day email messages may well fall under an audit request, especially if updates to documents were circulated by email but never incorporated into the final documents.

Keeping copies of every email message may not sound easy, but it does not have to be a difficult task, and it is likely to be in your company's best interest to have an email archive. Ultimately this is a risk assessment component and a business decision for your company's leadership and its legal counsel.

Images: StockUnlimited