Email Archival is Required by HIPAA
There is a great deal of confusion and uncertainty here because:
- HIPAA by its nature is vague, listing many things that you need to do, but not saying how. This makes things flexible and workable, if ambiguous.
- Email Archival generally adds cost to any email solution — and everyone prefers to avoid unnecessary costs.
- Most want to do the minimum needed for compliance due to time and budgetary constraints.
In our opinion, Email Archival is an implicit requirement of HIPAA for all organizations that utilize email for the sending or receipt of ePHI should invest in. In the next section, we’ll review why.
HIPAA Requirements related to Email Archival
There are many requirements of HIPAA that are well addressed in full or part by a real Email Archival system. E.g. one where:
- Copies of all sent and received email are kept in a separate location from your offices and your regular email servers.
- The archived email cannot be edited or deleted.
- The archived email can be searched, downloaded, and read by both administrators and end users.
- The archived email is kept and immutable for a long period if time (e.g. 7 or 10 years … for “forever”).
HIPAA requires that you “Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.“
If this health information is in the form of email and the emergency is that your email is down, then how are you going to have Emergency Access? Email Archival is an inexpensive way to achieve exactly that — access to all of the historical sent and received email for all of your staff any time, even if your regular email is offline. It is less convenient than using your regular email, but it does provide access when needed.
HIPAA requires that you “Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.“
For email stored on your HIPAA-compliant email service provider’s servers, they will take care of this for you. But for PHI in email stored in your offices and on workstations, this means that you need backup copies of all of that email. Email Archival ensures that you have backup, that it cannot be deleted, and that you know how to get at your backup easily.
Disclosure Recording Requirements
Under HIPAA Omnibus, you need to keep electronic records of Disclosures of PHI for up to 3 years. A Disclosure of PHI can be merely the transmission of that data from you to someone outside of your organization (e.g., another healthcare provider or patient).
Your HIPAA-compliant email provider likely keeps logs that record the transmission of email to and from its servers; however, these will not record the content of these email messages. If there is ever any question about a particular message, it is best if you can report what that message contained. The ideal way to do that is to have all such messages archived so you can retrieve copies for legal audit reasons at any time (HIPAA-related or not).
HIPAA requires that covered entities keep a wide range of documentation for a long period of time in order to document compliance and to respond to requests. These things include, but are not limited to:
- Policy or procedural documentation: Including notices of privacy practices, consents, authorizations and other standard forms
- Patient requests: Such as requests for access, amendment or accountings of PHI disclosures
- Complaints: Documentation related to the handling of patient and/or employee complaints
- Training: Including processes for and content of workforce training
Probably many email messages are sent that pertain to these categories and as such, copies of these email messages should be retained as part of the HIPAA documentation requirement.
The surest way to do this is to archive all inbound and outbound email. Relying on individuals to selectively save specific messages is extremely unreliable; uniform archival provides a uniform way to access these messages and a uniform assurance that all possible important messages are kept.
Separate Email Archival from your Email Service
Many organizations offering email archival provide that service using the same server and/or software infrastructure used to provide the email service itself. This is all well and good until there is a an outage or a disaster/business continuity event. In that case, your archives could be inaccessible (or worse, destroyed) at the same time as your regular email. This is clearly not good for you own disaster recovery / business continuity planning.
It is a best practice to make sure that your email archives are performed by an third party organization whose software and infrastructure and independent of your email provider’s systems. LuxSci takes care of this for its customers; we have a significant partnership relationship with Sonian, a best-in-class email archival service provider. All customers of purchasing email archival from LuxSci have their archives with Sonian. They are safe from any issues with LuxSci and their LuxSci email is safe from any issues with Sonian.
Do it Yourself Archival: Not Recommended
Some customers decide, for cost reasons, that they will take care of their email backup requirements themselves using various methods such as:
- Saving copies of all messages to other online email folders in their email accounts
- Downloading copies of all email to the corporate office where they are somehow stored
- Setting up archival systems in each individual user’s email programs
These can all work and can be more affordable than a real Email Archival solution. And, as your organization is responsible for choosing the best and most appropriate method of compliance for yourself, this may be the way you choose to go (which is why, for example, LuxSci does not force its HIPAA email customers purchase Email Archival).
However, be aware of the possible risks if you “do it yourself” and include them in your yearly HIPAA Risk Assessment:
- If your archived email is stored in regular email folders:
- It could be deleted or modified.
- If your goes email is down or your lose network access to your email, then you have lost access to all email — regular and backup. You have no emergency access in this case.
- If your archived email is stored in your office:
- It may be editable by some of your staff.
- Some staff may have access to email that they perhaps should not.
- If your office is offline (e.g. no power, a fire, etc.) then you may lose access to your archives.
- The servers holding archived ePHI need to meet all HIPAA security requirements.
- If individuals are responsible for archiving their own email:
- The more staff you have, the more likely that something is misconfigured (now or later) and not all email is being archived.
- Depending on what solution you use, you may not have emergency access to the archived email in the event of an issue with the employee or their hardware. Employees may also have the ability to destroy their archives in some cases.
- Loss of employee devices (e.g., laptops) could result in the loss of both email and archives.
- Email Backup or Archival? What’s the Difference?
- A Comparison of Email Backup Policy of Popular Email Services
- 7 Steps to Make your Web Site HIPAA-Secure
- Are you Prepared for Disaster? Business Continuity Planning for Email Outages
- Can you access copies of all email messages sent and received by your employees?