Does HIPAA require email archiving? Not specifically. The HIPAA Security Rule requires covered entities and business associates to retain electronic communications containing patient data. Email archiving is one way to accomplish this, and although it is not mandated, it is a good way to keep records of your email communications.
What is Email Archiving?
Email archiving is a simple way to store email communications: emails are converted into searchable data that can be accessed when needed. It preserves not only the body of an email but also its attachments and metadata, which maintains the integrity of the email data. Although email archiving is a form of data backup, it differs from traditional backup solutions in that archived data is searchable. For instance, if a business is looking for a particular email thread, it can search for that specific email rather than spending time combing through backups manually.
Email archiving providers upload and index clients’ emails to enable this search feature. Archived data is also encrypted, preventing unauthorized access to sensitive information. Archiving also prevents the stored data from being altered or deleted, which is a HIPAA Security Rule requirement.
Generally, businesses contract a third-party provider to create and maintain their email archives. The emails can then be moved off the business’s own server and stored on the provider’s server. Even though the data is no longer stored on the business’s server, designated administrators from the business can still access and search it.
What is HIPAA Compliant Email Archiving?
HIPAA’s email archiving requirements are really its electronic data retention requirements: healthcare organizations must keep data for at least six years. Throughout this six-year period, access controls must be in place to prevent unauthorized access to the data, and audit controls must be in place to track who accesses it. These requirements preserve the confidentiality, integrity, and availability of protected health information (PHI).
Although HIPAA doesn’t require email archiving, there is still such a thing as HIPAA compliant email archiving. This is because healthcare organizations will most likely contract a software provider to convert and maintain their files. As such, email archiving providers that work with healthcare clients are considered business associates under HIPAA.
Because they are classified as business associates, certain things make up a HIPAA compliant email archiving solution: the safeguards the provider has in place to protect clients’ data, and the provider’s willingness to sign a business associate agreement. Providers that are unwilling or unable to sign a business associate agreement should not be chosen to manage HIPAA compliant email archiving for healthcare entities.
Additional Benefits of Email Archiving
We already mentioned that HIPAA compliant email archiving offers searchable data storage and that encryption keeps the data secure, but there are other important benefits of HIPAA email archiving.
Business Continuity and Disaster Recovery
HIPAA requires businesses to implement business continuity and disaster recovery plans to minimize downtime during a breach or natural disaster. HIPAA compliance email archiving meets the data backup requirement of business continuity and disaster recovery, as exact data copies are stored on an offsite server.
Rapid Audit Response
As all email communications are stored and searchable from a centralized location, providing communication records in the event of an audit is easier.
PHI Disposal
As previously mentioned, HIPAA requires data to be retained for six years. After this period, the PHI should be disposed of. Email archiving can automate disposal once the retention period ends.
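As an added illustration (not code from the original post or from any archiving product), the following Python sketch ties together the controls described above: a searchable index over subject, body and attachment names, a per-record hash that detects alteration, an audit trail of searches and disposals, and a six-year retention check before a record becomes eligible for disposal. All message data is constructed, and the six-year period is approximated as 6 × 365 days.

```python
import hashlib
import json
from datetime import date, timedelta

# Assumption: the article's "six years" approximated as 6 * 365 days
RETENTION_DAYS = 6 * 365


class EmailArchive:
    """Minimal in-memory archive: searchable, tamper-evident, audited, retention-aware."""

    def __init__(self):
        self._records = {}   # msg_id -> {"data": record, "sha256": digest}
        self.audit_log = []  # append-only trail of who did what (HIPAA audit control)

    @staticmethod
    def _digest(record):
        # Canonical JSON so an unchanged record always hashes to the same value
        return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

    def ingest(self, msg_id, received_iso, sender, subject, body, attachments=()):
        # Body, attachment names and metadata are all preserved in the record
        record = {"id": msg_id, "received": received_iso, "from": sender,
                  "subject": subject, "body": body, "attachments": list(attachments)}
        self._records[msg_id] = {"data": record, "sha256": self._digest(record)}

    def search(self, term, actor):
        # Every search is written to the audit log before results are returned
        self.audit_log.append({"actor": actor, "action": "search", "term": term})
        t = term.lower()
        return [r["data"]["id"] for r in self._records.values()
                if t in r["data"]["subject"].lower() or t in r["data"]["body"].lower()
                or any(t in a.lower() for a in r["data"]["attachments"])]

    def verify(self, msg_id):
        # Recomputing the hash exposes any alteration of the stored record
        r = self._records[msg_id]
        return self._digest(r["data"]) == r["sha256"]

    def disposable(self, today_iso):
        # Records received at least RETENTION_DAYS ago may now be disposed of
        cutoff = date.fromisoformat(today_iso) - timedelta(days=RETENTION_DAYS)
        return [mid for mid, r in self._records.items()
                if date.fromisoformat(r["data"]["received"]) <= cutoff]

    def dispose(self, msg_id, actor):
        # Disposal itself is logged; a retained record is never silently removed
        self.audit_log.append({"actor": actor, "action": "dispose", "id": msg_id})
        del self._records[msg_id]
```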