Is Email Archival Required by HIPAA?
There is a great deal of confusion and uncertainty here because:
- HIPAA lists many requirements but rarely gives specific instructions on how to implement them. The ambiguity is deliberate: it gives organizations a great deal of flexibility, but it also leaves room for doubt about what is actually required.
- Email archival adds a fixed cost to any email solution – and everyone prefers to avoid unnecessary costs.
- Many organizations want to do the minimum needed for compliance due to time and budgetary constraints.
In our opinion, email archival is an implicit requirement of HIPAA for all organizations that send ePHI via email. In the next section, we’ll review why.
HIPAA Requirements Related to Email Archival
There are many HIPAA requirements that can be addressed in full or part with email archival. First, let’s describe what we mean by email archival. At LuxSci, email archival services include:
- Copies of all sent and received email are stored in a separate location from offices and regular email servers.
- The archived email cannot be edited or deleted.
- Archived email can be searched, downloaded, and read by both administrators and end users.
- The archived email is kept for a long period of time (e.g. 7 or 10 years).
Next, let’s look at the specific HIPAA requirements that email archival can help address.
Emergency Access Requirements
HIPAA requires that covered entities and their business associates “Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.” (45 CFR 164.312(a)(2)(ii))
If health information lives in email and the emergency is that your email system itself is down, how do you get to it? Email archival is an inexpensive way to ensure emergency access: it provides all sent and received email for all employees at any time, even when the regular mail system is offline. It is less convenient than regular email, but in an emergency such as a ransomware attack or a natural disaster it works, provided the archive is reachable without the primary mail system and its credentials.
Backup Requirements
HIPAA requires that organizations “Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.” (45 CFR 164.310(d)(2)(iv))
HIPAA-compliant email service providers are likely to back up the information stored on their own servers. But for emails containing PHI that are stored in offices and on workstations, the organization must create the backup copies itself. An email archival service produces a copy of every message that cannot be deleted and that is easy to retrieve, which satisfies this requirement without depending on individual workstations.
Disclosure Recording Requirements
HIPAA’s Privacy Rule requires covered entities to provide patients, on request, with an accounting of disclosures of their PHI covering the six years before the request (45 CFR 164.528); the HITECH Act proposed shortening that window to three years for disclosures made through an electronic health record. A disclosure can be as simple as transmitting PHI from the organization to someone outside it (e.g., another healthcare provider). Disclosures for treatment, payment and health care operations, and disclosures to the patient themselves, are exempt from the accounting, but many others are not, so an organization needs a reliable record of what left its systems.
Most HIPAA-compliant email providers keep logs that record the transmission of email to and from their servers; however, these logs do not record message contents. If there is ever a legal question about a particular message, you want to be able to say exactly what it contained. An email archival service is the most dependable way to have easily retrievable copies.
Documentation Retention Requirements
HIPAA requires that covered entities retain a wide range of documentation for six years from the date it was created or the date it was last in effect, whichever is later (45 CFR 164.316(b)(2)(i) and 164.530(j)), in order to demonstrate compliance and respond to requests. These documents include, but are not limited to:
- Policy or procedural documentation: Including notices of privacy practices, consents, authorizations and other standard forms
- Patient requests: Such as requests for access, amendment, or accountings of PHI disclosures
- Complaints: Documentation related to the handling of patient and/or employee complaints
- Training: Including processes for and content of workforce training
It is likely that many email messages fall into these categories. Retaining copies of those messages is required as part of HIPAA’s documentation rules.
The easiest way to do this is to archive all inbound and outbound email. Relying on individuals to selectively save specific messages is extremely unreliable. Instead, uniform archival provides a consistent way to access these messages and assurance that all potentially important messages are kept.
Separate Email Archival from your Email Service
Many organizations offering email archival provide that service using the same servers and/or software infrastructure used to provide the email service itself. This is not a best practice. If an outage or natural disaster/business continuity event occurs, both email systems could be at risk. In that case, the archives could be inaccessible (or worse, destroyed) at the same time regular email systems are down. This is clearly not good for disaster recovery/business continuity planning.
Instead, separating email archival systems from day-to-day business email is recommended. It is a best practice to use a third-party organization whose software and infrastructure are independent of the email provider’s systems. For example, LuxSci partners with Sonian to provide email archival services for our clients. This means that if a hurricane or fire takes down LuxSci data centers, LuxSci customers will still have access to their email via Sonian. Likewise, if Sonian is impacted by a service disruption, customers will not lose access to their LuxSci email. Independence should extend to administrative access as well: an attacker who compromises the primary mail platform’s administrator accounts (the ransomware scenario above) should not be able to use those same credentials to purge the archive.
Do it Yourself Archival: Not Recommended
For cost reasons, some customers decide to take care of their email backup requirements themselves using methods such as:
- Saving copies of all messages to other online email folders in their email accounts
- Downloading copies of all email to the corporate office servers
- Setting up archival systems in each individual user’s email programs
These can all work and can be more affordable than a true email archival solution. Each organization is responsible for choosing the most appropriate way to meet compliance standards. However, organizations should be aware of the risks of “doing it yourself” and account for them in their periodic HIPAA risk assessment:
- If archived email is stored in regular email folders:
  - It could be deleted or modified.
  - If email goes down or network access is lost, neither the regular mailbox nor the backup copies are reachable, so there is no emergency access.
- If archived email is stored locally:
  - It may be editable by staff.
  - Some staff may gain access to email and ePHI that they should not see.
  - If the office is offline (e.g., no power, a fire), access to the archives may be lost.
  - The servers holding archived ePHI must themselves meet all HIPAA security requirements.
- If individuals are responsible for archiving their own email:
  - In large organizations, detecting misconfigurations is difficult, and an undetected one leads to data loss.
  - Depending on the solution, the organization may have no emergency access to the archive if something happens to the employee or their hardware, and employees may be able to destroy their own archives.
  - Loss of an employee device (e.g., a laptop) can take both the email and its archive with it.
HIPAA is technology-neutral and does not require the use of any specific technology to meet requirements. Email archival is just one way that organizations can meet the emergency access, backup, disclosure, and documentation requirements of HIPAA. If your organization plans on using email to communicate ePHI, we highly recommend investing in email archival. The risks of doing it yourself are just too high. Contact us today to learn more.