Email Archiving and HIPAA Compliance

Though HIPAA compliant email archiving is not obligatory under the Security Standards for the Protection of Electronic Protected Health Information (the HIPAA “Security Rule”), there are genuine reasons why healthcare groups should consider archiving emails in compliance with HIPAA.

As per the Security Rule, healthcare groups have to keep electronic communications containing PHI for a minimum of six years. During this period of time, access controls and audit controls have to be set up to safeguard the integrity of PHI and stop its improper modification or deletion.

HIPAA compliant email archiving has the required controls to adhere to the technical, administrative and physical security measure of the Security Rule. Furthermore, by archiving emails in compliance with HIPAA, healthcare groups free up valuable space on their internal servers and help to stop data theft by dishonest or disgruntled employees.

HIPAA Compliant Email Archiving Explained

Email archiving solutions normally export emails to a service providers´ servers, where they are indexed for search and retrieval. HIPAA compliant email archiving differs in that emails are encrypted during export, storage and retrieval in order to safeguard the integrity of PHI and stop “man-in-the-middle” attacks.

Service suppliers are charged with archiving emails in compliance with HIPAA have to implement policies and procedures that enforce strict controls over who has access to archived emails. Auditing mechanisms must also be implemented to satisfy the requirements of the administrative safeguards of the HIPAA Security Rule.

After being archived, authorized personnel can search for and retrieve emails as necessary in order to download data about a patient, support litigation or comply with an audit request from the Department of Health and Human Services. Sent emails can also be retrieved to confirm proof of delivery.

The Advantages of HIPAA Compliant Email Archiving

Archiving emails in line with HIPAA not only frees valuable space on internal servers, but also offers other benefits for group in the healthcare sector:

• The complex indexing process catalogs email content, metadata and files in order to save time and money when data is necessary for e-discovery or compliance purposes.
• Due to being managed on service providers´ servers, HIPAA compliant email archiving can be included as part of a healthcare group’s Disaster Recovery Plan.
• Archiving emails in line with HIPAA also helps to stop insider data theft or user negligence – these two factors being held responsible for almost 50% of PHI violations.

Interestingly, insider data theft by dishonest or disgruntled employees is a major issue for many healthcare groups. The worth of PHI on the black market is considerable due to the opportunities to obtain free medical care, create spoof identities and commit insurance fraud.

The temptation was too much for one South Carolina state member of staff who – in 2012 – shared the PHI of more than 228,000 Medicaid recipients to his personal email account. Fortunately his activity was detected prior to any damage being caused; but how many other healthcare employees may have conducted the same breaches of PHI without being found out?

Talk with TitanHQ about Archiving Emails in line with HIPAA

TitanHQ is a chief provider of online security solutions for the healthcare sector and, in ArcTitan, we are able to provide a complete cloud-based, HIPAA compliant email archiving solution. ArcTitan archives healthcare group’s emails securely, with authorized users could safely search, view and retrieve emails via an Outlook email client or any web browser.

Our solution for archiving emails in line with HIPAA is compatible with all leading mail servers and email services, includes full email audit functionality, can be logged onto remotely and is scalable to over 60,000 individuals. ArcTitan is deployed on AWS to spare internal resources and reduce group’s onsite data footprint while guaranteeing the exact same level of security as an on premise solution.