Must Emails be Archived to Comply with HIPAA?
HIPAA’s Security Rule does not explicitly stipulate that email archives must be HIPAA compliant. Covered entities should nonetheless consider archiving their email correspondence in a HIPAA compliant manner.
The Security Rule does stipulate that electronic communications that include PHI must be kept for at least six years. These records must be secured through the use of access controls, and audit controls should be in place to prevent messages being altered or removed.
HIPAA compliant archiving systems include these safeguards, as well as the other required administrative, technical, and physical protections called for in the Security Rule. As an added benefit, compliant archiving systems can reduce the risk of data theft by internal actors and minimize storage on local servers.
How to Implement HIPAA Compliant Email Archiving
For many industries, email archives are stored on remote servers operated by the service provider, and messages are indexed to enable search functions. HIPAA compliant archives work the same way, except that the protected health information (PHI) is encrypted at every stage to protect against data theft. Archive hosts also have to implement processes to limit access to the archived messages, with auditing functions enabled in line with HIPAA’s administrative safeguards.
On request, authorized users can search the archive for information on patients, to conduct audits, and to comply with legal requests. Proof of delivery of sent emails can also be found.
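The controls described above (an archive that cannot be silently altered or truncated, a search index over content and metadata, access limited by role, and an audit trail of who looked at what) can be illustrated with a small append-only store. The following is an added example written for this article; it is not code from any archiving product. Each stored entry is tagged with an HMAC over the entry and the previous tag, so editing or removing any message breaks the chain, and the operator records the latest tag out of band so that a truncated archive is also detected. The key, role table, and sample messages are all constructed placeholders, and encryption of the stored bodies (which a real archive would apply with a vetted AEAD such as AES-GCM) is left out to keep the example dependency-free.

```python
import hashlib
import hmac
import json
import re
from dataclasses import dataclass, asdict
from typing import Optional

# Placeholder key for this demo only; a real archive fetches its key from a
# KMS/HSM and additionally encrypts stored bodies with a vetted AEAD.
ARCHIVE_KEY = b"demo-archive-key-not-for-production"
GENESIS_TAG = "0" * 64


@dataclass(frozen=True)
class Message:
    msg_id: str
    sender: str
    recipient: str
    subject: str
    body: str


class EmailArchive:
    """Append-only archive with an HMAC chain, a search index, role-based
    access checks and an audit log. Each entry's tag covers the entry and the
    previous tag, so altering or removing any message is caught by verify()."""

    # Hypothetical role table: who may run searches and who may read entries.
    ROLES = {"privacy_officer": {"search", "read"}, "clerk": {"read"}}

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.entries: list = []          # chained records, in archive order
        self._index: dict = {}           # lowercased term -> set of msg_ids
        self.audit_log: list = []        # every access attempt, allowed or not

    def _tag(self, body: dict, prev_tag: str) -> str:
        payload = json.dumps(body, sort_keys=True).encode() + prev_tag.encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def ingest(self, msg: Message) -> str:
        """Append a message and return the new chain head, which the operator
        stores out of band so that truncation of the archive is detectable."""
        prev = self.entries[-1]["tag"] if self.entries else GENESIS_TAG
        body = {"seq": len(self.entries), "msg": asdict(msg)}
        tag = self._tag(body, prev)
        self.entries.append({**body, "tag": tag})
        # Index subject, body and addresses so compliance searches are cheap.
        text = f"{msg.subject} {msg.body} {msg.sender} {msg.recipient}".lower()
        for term in set(re.findall(r"[a-z0-9]+", text)):
            self._index.setdefault(term, set()).add(msg.msg_id)
        return tag

    def _authorize(self, user: str, role: str, action: str) -> None:
        allowed = action in self.ROLES.get(role, set())
        self.audit_log.append({"user": user, "role": role,
                               "action": action, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not {action}")

    def search(self, user: str, role: str, term: str) -> list:
        self._authorize(user, role, "search")
        return sorted(self._index.get(term.lower(), set()))

    def read(self, user: str, role: str, msg_id: str) -> Optional[dict]:
        self._authorize(user, role, "read")
        for e in self.entries:
            if e["msg"]["msg_id"] == msg_id:
                return e["msg"]
        return None

    def verify(self, expected_head: Optional[str] = None) -> tuple:
        """Recompute the chain; report the first altered entry or a truncation."""
        prev = GENESIS_TAG
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "tag"}
            if not hmac.compare_digest(self._tag(body, prev), e["tag"]):
                return False, f"entry {e['seq']} altered"
            prev = e["tag"]
        if expected_head is not None and prev != expected_head:
            return False, "archive truncated"
        return True, "ok"


def tamper_demo() -> dict:
    """Archive three constructed messages, then show that tampering,
    unauthorized access and truncation are all detected or recorded."""
    archive = EmailArchive(ARCHIVE_KEY)
    msgs = [  # constructed sample messages; no real PHI
        Message("m1", "billing@clinic.example", "records@clinic.example",
                "Claim for MRN 1001", "Please attach the visit summary."),
        Message("m2", "lab@clinic.example", "records@clinic.example",
                "Lab results MRN 1002", "Results are in the attached PDF."),
        Message("m3", "admin@clinic.example", "staff@clinic.example",
                "Staff meeting", "Thursday at 9, no PHI here."),
    ]
    head = ""
    for m in msgs:
        head = archive.ingest(m)
    results = {"before": archive.verify(head)}
    results["search_mrn"] = archive.search("alice", "privacy_officer", "MRN")
    try:
        archive.search("bob", "clerk", "MRN")
        results["clerk_search_denied"] = False
    except PermissionError:
        results["clerk_search_denied"] = True
    original = archive.entries[1]["msg"]["body"]
    archive.entries[1]["msg"]["body"] = "redacted"      # simulate an edit
    results["altered"] = archive.verify(head)
    archive.entries[1]["msg"]["body"] = original        # undo the edit
    archive.entries.pop()                                # simulate deletion
    results["truncated"] = archive.verify(head)
    results["audit"] = archive.audit_log
    return results


if __name__ == "__main__":
    for k, v in tamper_demo().items():
        print(k, v)
```

The out-of-band head tag is the important design point: a hash or HMAC chain alone proves nothing about entries removed from the end, so the operator (or a WORM-backed store) must hold the latest tag separately. The audit log records denied attempts as well as granted ones, which is what an investigator needs when reviewing who tried to reach PHI.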
The Advantages of HIPAA Compliant Email Archiving
As well as freeing local server space, HIPAA compliant email archiving can provide a range of benefits to covered entities.
- Email indexing catalogs email content, metadata, and attachments to make data retrieval for e-discovery or compliance purposes more efficient.
- As information is stored offsite by a third party, HIPAA compliant email archiving can be included as part of a covered entity’s Disaster Recovery Plan.
- HIPAA compliant archiving helps prevent insider data theft or user negligence – factors responsible for almost 50% of PHI breaches.
Healthcare organizations can be quite vulnerable to data theft by current employees. PHI can be sold for a high price to people looking to commit insurance fraud, forge identities, or access free medical care.
A high profile case occurred in South Carolina in 2012 when a state employee sent PHI belonging to over 200,000 Medicaid beneficiaries to a personal email account. The breach was discovered before the information was shared further, but the incident is a worrisome reminder that not all authorized users act in good faith.
HIPAA Compliant Email Archiving from TitanHQ
One of the leading online security providers for healthcare organizations, TitanHQ provides a HIPAA compliant email archiving solution called ArcTitan. Based in the cloud, ArcTitan allows authorized users to search, access, and retrieve emails using Microsoft Outlook or a web browser of their choice.
The tool incorporates audit functions, allows remote access, and can be used with most mail servers and email clients. ArcTitan works on Amazon Web Services (AWS) and allows access authorization to be given to up to 60,000 users. By using AWS, ArcTitan reduces local storage needs without compromising on security, therefore offering the same or greater peace of mind as on-site storage.