What is HIPAA Email Archiving Compliance?

HIPAA email archiving compliance is an alternative way to describe HIPAA compliant email archiving. However, there is more than one way to archive emails; and different compliance requirements apply depending on whether emails are archived on-premises, in the cloud via an email service provider, or in the cloud via a third-party service provider.

It is also important to be aware the requirements for HIPAA email archiving compliance only apply to Covered Entities and Business Associates that archive emails containing Protected Health Information (PHI). If an organization does not archive emails containing PHI, HIPAA does not apply to the emails – although other state or federal regulations may, depending on the content of the emails.

On-Premises HIPAA Email Archiving Requirements

For Covered Entities and Business Associates who archive emails on-premises, the HIPAA email archiving requirements are the same as for any other PHI stored on site. All applicable Administrative, Physical, and Technical Safeguards have to be implemented, as well as the General Requirements of the Security Rule that require Covered Entities and Business Associates to:

“Protect against any reasonably anticipated uses or disclosures of such information (PHI) that are not permitted or required under subpart E (the Privacy Rule)”.

Because the HIPAA email archiving requirements for organizations that archive emails on-premises are no different from the Safeguards which are (in theory) already in place to ensure the confidentiality, integrity, and availability of electronic PHI, it can be tempting not to bother with a separate email archiving solution. But there is a problem with that approach: storage capacity.

The HIPAA documentation retention standard requires covered organizations to retain HIPAA documentation (policies, risk assessments, access reports, audit logs, etc.) for at least six years after the documents were last in use. Depending on the size of the organization and the frequency with which it refreshes policies or conducts risk analyses, there could be a lot of documentation to retain.

HIPAA Email Archiving Compliance in the Cloud

Because of the on-premises storage issue, the cloud can be a cost-effective option for archiving emails. In many cases, Covered Entities and Business Associates may be able to take advantage of cloud-based email archiving services offered by an existing email service provider. This option not only has the advantage of reducing on-premises storage space, but most (reputable) email service providers have Safeguards in place to comply with the Security Rule.

However, there are a few potential issues to consider before using an existing email service provider to archive emails containing PHI. With regards to HIPAA email archiving in the cloud, the provider will need to support “point-of-entry” archiving as each email enters the mail server and end-to-end encryption. This will ensure each email is archived in its original format and there is no possibility of it being tampered with between leaving the mail service and arriving at the archive server.

The Cost of Email Archiving in the Cloud

It is sometimes the case that taking advantage of a cloud-based email archiving service offered by an existing email service provider is not as cost-effective as it may appear. Although an email archiving service is included in many Enterprise Plans, the service may lack the capabilities to meet all HIPAA email archiving requirements. For example, some Microsoft 365 plans with email archiving included lack automatic rules-based retention policies and records management capabilities.

While it is possible to upgrade to an Enterprise Plan that includes the capabilities required for HIPAA email archiving compliance, the cost of upgrading can be as much as $25 per user per month. In addition, some email service providers charge per mailbox rather than per active mailbox, and you might incur extra storage charges depending on where archived emails are stored and how frequently they are accessed (i.e., cold storage GET, SELECT, and Retrieval Requests incur charges).

Third Parties and HIPAA Compliant Email Archiving

As an alternative to existing email service providers, it can sometimes be worth evaluating third party service providers. Naturally, it will be necessary to implement a solution from a vendor willing to enter into a Business Associate Agreement, and it can be time-consuming for a Covered Entity to conduct due diligence on yet another service provider. Nonetheless, if you implement a HIPAA compliant email archiving service from a third party, the rewards can justify the extra effort.

Many third party providers offer a fully HIPAA compliant email archiving service for just a couple of dollars per active mailbox per month (costs can vary depending on the number of mailboxes and length of subscription). Thereafter, storage costs are minimized due to a process known as “de-duplication” in which all duplicated content is removed from an email as it is being indexed and archived. Some third party providers also include virus scanning and/or spam protection.

Further benefits of using a third party HIPAA compliant email archiving service are that it can reduce the risk of insider theft and record tampering, reduce calls to IT Helpdesks to recover lost emails or emails deleted in error, and significantly improve the performance of mail servers – increasing the productivity of end users. As mentioned above, evaluating third party service providers can be time-consuming, but the rewards can justify the extra effort.

What is HIPAA Email Archiving Compliance? FAQs

What are the HIPAA email archiving requirements?

The HIPAA email archiving requirements vary depending on whether you archive emails on-premises, use a cloud-based service offered by an existing email service provider, or implement a third-party email archiving solution. For example, in the first instance, it will not be necessary to enter into a Business Associate Agreement; in the second instance, it may be necessary to amend an existing Business Associate Agreement; and in the third instance it will be necessary to enter into a new Business Associate Agreement.

What is HIPAA compliant email archiving?

HIPAA compliant email archiving is archiving emails in compliance with the standards and implementation specifications of the Security Rule, while also ensuring the availability of emails containing PHI in order to respond to individuals exercising their Privacy Rule rights and HHS compliance investigations.

Why is email archiving needed?

Email archiving is needed by many organizations – not just HIPAA Covered Entities and Business Associates – to free space on mail servers and other storage units. Most organizations are subject to document retention requirements that can exhaust vast amounts of storage capacity. For example, HIPAA Covered Entities are required to retain copies of risk analyses and the documents used to support the analyses for six years. Depending on the frequency and scale of analyses, this can result in thousands of documents being retained to comply with just one HIPAA standard.

What state and federal regulations apply to healthcare emails other than HIPAA?

The state and federal regulations that apply to healthcare emails other than HIPAA can depend on the size of the organization, the number of employees, the nature of the organization’s operations, and the state in which it is located. Typically, IRS and FDA regulations apply to healthcare emails containing financial or pharmaceutical information, while organizations located in certain locations may be required to comply with state data privacy laws if not exempted due to their HIPAA status.

What is healthcare email archiving for e-discovery?

Healthcare email archiving for e-discovery is where emails are archived in a searchable format by healthcare organizations. This enables healthcare organizations to respond to e-discovery requests for electronically stored information within the permitted 30 days. In order to have a searchable archive that guarantees the integrity of email content, emails should be indexed and archived when they first enter the mail server – not at a later date when they may have been tampered with.

What is email archiving software for HIPAA covered entities?

Email archiving software for HIPAA covered entities is an application that takes copies of inbound and outbound emails as they enter the mail server. The copies are indexed and stored in read-only format in a non-production environment. Due to the volume of emails that can pass through a healthcare organization’s mail server, email archiving software for HIPAA covered entities also deduplicates the content of the emails and allows system administrators to apply automated rules-based retention policies so that, at the end of the required retention period, emails are automatically deleted.

Are third party email archives HIPAA compliant?

Third party email archives are HIPAA compliant provided they meet the requirements of the Security Rule to ensure the confidentiality, integrity, and availability of electronic PHI. Additionally, HIPAA compliant email archives should have “point-of-entry” archiving capabilities and end-to-end encryption, and the software vendor must be willing to enter into a Business Associate Agreement.

Why must HIPAA email archiving service providers sign Business Associate Agreements?

HIPAA email archiving service providers must sign Business Associate Agreements if the service is going to be used to archive emails containing PHI – even if the emails are secured with end-to-end encryption and the Covered Entity has possession of the decryption key. This is because (according to HHS guidance) HIPAA email archiving service providers have “persistent access” to the emails which qualifies them as a Business Associate.

What is the difference between an email archive and an email backup?

The difference between an email archive and an email backup is that email backups are short to medium-term data stores created for disaster recovery. In the event of data loss attributable to an outage or cybersecurity event, backups can be used to restore mailboxes. By contrast, email archives are long term, low-cost email storage solutions in which each email has been indexed to facilitate searches for, and recoveries of, individual emails or groups of emails pertaining to a specific subject.

What is a HIPAA email retention policy?

A HIPAA email retention policy is a policy that states how long each type of email should be retained to comply with HIPAA retention requirements. Many Covered Entities will have multiple HIPAA email retention policies to cover content with a six year retention period (risk analyses, sanctions policies, breach notifications, etc.), with a ten year retention period (e.g., CMS documentation for Medicare managed care program providers) or with a state-mandated retention period (e.g., medical records).
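The behaviour described in the two answers above (point-of-entry capture, read-only indexed copies, de-duplication of content, and automated rules-based retention with distinct six- and ten-year periods) can be sketched in a few dozen lines. The following Python is an added example written for this page; it is not the article's own code or any vendor's product. The category names, the subject-line keywords that assign them, and the three sample messages are constructed assumptions; only the retention periods come from the article.

```python
import hashlib
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, Set, Tuple

# Retention periods in years are the ones the article cites; the category
# names and the subject keywords that select them are assumptions.
RETENTION_YEARS = {"hipaa-documentation": 6, "cms-medicare": 10}
CATEGORY_KEYWORDS = {
    "cms-medicare": ("cms", "medicare"),
    "hipaa-documentation": ("risk analysis", "breach notification", "sanctions policy"),
}
DEFAULT_CATEGORY = "hipaa-documentation"


def add_years(d: date, years: int) -> date:
    """Date arithmetic that tolerates 29 February landing in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)  # frozen: an archived record is read-only once written
class ArchivedEmail:
    message_id: str
    received: date
    subject: str
    category: str
    expires: date
    body_sha256: str
    attachment_sha256: Tuple[str, ...]


class EmailArchive:
    def __init__(self) -> None:
        self.records: Dict[str, ArchivedEmail] = {}
        self.blobs: Dict[str, bytes] = {}      # content-addressed: one copy per unique blob
        self.index: Dict[str, Set[str]] = {}   # word -> ids of messages containing it

    @staticmethod
    def classify(subject: str) -> str:
        s = subject.lower()
        for category, words in CATEGORY_KEYWORDS.items():
            if any(w in s for w in words):
                return category
        return DEFAULT_CATEGORY

    def _store(self, data: bytes) -> str:
        """Store a blob under its SHA-256; identical content is kept only once."""
        digest = hashlib.sha256(data).hexdigest()
        self.blobs.setdefault(digest, data)
        return digest

    def ingest(self, message_id, received, subject, body, attachments=()):
        """Point-of-entry capture, run as the message enters the mail server.
        An id that is already archived is never overwritten."""
        if message_id in self.records:
            return self.records[message_id]
        category = self.classify(subject)
        rec = ArchivedEmail(
            message_id=message_id, received=received, subject=subject,
            category=category, expires=add_years(received, RETENTION_YEARS[category]),
            body_sha256=self._store(body),
            attachment_sha256=tuple(self._store(a) for a in attachments),
        )
        self.records[message_id] = rec
        text = subject + " " + body.decode("utf-8", errors="replace")
        for word in set(re.findall(r"[a-z0-9]+", text.lower())):
            self.index.setdefault(word, set()).add(message_id)
        return rec

    def verify(self, message_id: str, body: bytes) -> bool:
        """Integrity check: does this body still match the hash taken at entry?"""
        return hashlib.sha256(body).hexdigest() == self.records[message_id].body_sha256

    def search(self, word: str):
        return sorted(self.index.get(word.lower(), set()))

    def purge_expired(self, today: date):
        """Rules-based retention: delete records whose period has ended, then
        drop blobs that no surviving record references."""
        expired = sorted(m for m, r in self.records.items() if r.expires <= today)
        for m in expired:
            del self.records[m]
            for ids in self.index.values():
                ids.discard(m)
        referenced: Set[str] = set()
        for r in self.records.values():
            referenced.add(r.body_sha256)
            referenced.update(r.attachment_sha256)
        for digest in [d for d in self.blobs if d not in referenced]:
            del self.blobs[digest]
        return expired


def build_sample_archive() -> EmailArchive:
    """Three constructed messages; the same attachment arrives twice."""
    archive = EmailArchive()
    attachment = b"%PDF constructed risk analysis attachment"
    archive.ingest("m1", date(2018, 3, 1), "Risk analysis 2018 attached",
                   b"Please find the annual risk analysis attached.", (attachment,))
    archive.ingest("m2", date(2018, 3, 2), "Re: Risk analysis 2018 attached",
                   b"Thanks, filed.", (attachment,))
    archive.ingest("m3", date(2020, 6, 15), "CMS Medicare managed care report",
                   b"Quarterly CMS report.")
    return archive


if __name__ == "__main__":
    a = build_sample_archive()
    print(len(a.records), "records,", len(a.blobs), "unique blobs")  # 3 records, 4 unique blobs
    print(a.purge_expired(date(2024, 3, 1)))                          # ['m1']
```

The attachment shared by the two 2018 messages is stored once, and it survives the first purge because the second message still references it; the hash recorded at entry is what lets a later e-discovery response show the body was not altered after archiving.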

What are the healthcare email archiving rules in HIPAA?

There are no specific healthcare email archiving rules in HIPAA. However, there are standards in the Privacy and Security Rules that apply to all PHI when it is collected, received, maintained, or transmitted by a Covered Entity or Business Associate, and these standards apply to solutions implemented to archive emails containing PHI. Therefore, healthcare email archiving solutions must support safeguards such as unique user authentication, end-to-end encryption, and audit logs.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years' experience as a HIPAA coach. Daniel provides his HIPAA expertise on several publications including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X https://twitter.com/DanielLHIPAA