The Ultimate Guide to HIPAA Compliant Email Archiving and Retention Policies

HIPAA, or the Health Insurance Portability and Accountability Act, is legislation that was passed in 1996 and set strict requirements for how healthcare organizations (also referred to as “covered entities”) — and their associates — must handle patients’ protected health information (PHI).

Within HIPAA, there are five different sections (or titles) that cover everything from health insurance reform to tax-related health provisions. Though each contains valuable stipulations, it’s usually Title II that’s referred to when talking about “HIPAA compliance” in the context of the facilities that provide healthcare services. Title II, officially known as HIPAA Administrative Simplification, includes several provisions that focus on electronic communication and preventing fraud and abuse, including the:

• HIPAA Privacy Rule — Protects patients’ medical records and other PHI by establishing strict rules that dictate how it can be shared without the patient’s consent. This rule also gives patients certain rights over their PHI.

• HIPAA Security Rule — Ensures that confidentiality is maintained when electronic PHI is “created, received, used, or maintained by a covered entity.”

• Breach Notification Rule — Requires healthcare organizations that handle PHI to disclose when breaches of sensitive PHI data occur.

• HIPAA Omnibus Rule — A modification to HIPAA passed in 2013 that strengthened its protections by making business associates of covered entities liable for HIPAA violations, further limiting the uses and disclosures of PHI, and much more.

Under HIPAA, email communications that contain PHI are subject to both the Privacy Rule and Security Rule. The Privacy Rule limits email access to only authorized individuals for essential purposes, while the Security Rule dictates how these emails are to be protected against unauthorized access and security breaches.

It’s important to keep these guidelines in mind when formulating, implementing and adhering to a HIPAA-compliant email archiving policy. This way, you’ll be better equipped to avoid violations and the costly penalties and reputational damage that come with them.

When it comes time to develop an email archiving policy for your healthcare organization, you’ll need to take the following considerations into account to ensure that its protocols and practices are in line with HIPAA’s guidelines.

• Retention Periods — According to HIPAA’s electronic data retention rules, healthcare organizations must hold onto records of their data (including email data) for at least six years, during which time sufficient access and audit controls must be in place.

• Business Associates — If you partner with a software provider to archive your files, such as sensitive email correspondences, that provider is considered your business associate under HIPAA, making them responsible for maintaining compliance as well.

• Email Protection — Your healthcare organization must ensure that sufficient safeguards are put into place to protect stored email data, including administrative, physical and technical measures.

For healthcare providers and facilities that handle PHI, maintaining HIPAA compliance should always be top of mind when making decisions, including when looking for an email archiving partner. As the chosen company will be trusted with patients’ PHI, becoming a business associate under HIPAA rules, they should be prepared and willing to sign a business associate agreement (BAA). This legally binding contract ensures that the business associate will protect the PHI in their possession according to HIPAA’s rules and standards. If a potential archiving partner hesitates or is unwilling to sign a BAA, it’s in your best interest to pursue other candidates.

In terms of the archiving software itself, there are certain capabilities a solution needs in order to best support HIPAA email archiving requirements. All archiving solutions for healthcare must have:

• Real-time archiving for both incoming and outgoing messages to ensure all communications are accounted for.

• Redaction tools to keep sensitive and identifying patient information private.

• Powerful, intuitive search functionality that enables quick and easy retrieval of specific email messages.

• Role-based permissions and end-user authentication to make certain that only properly authorized individuals are able to access sensitive patient information.

• The ability to set granular and flexible retention policies, ensuring that different records are held for the required amount of time and only removed once their retention periods have expired.
• Data backup and disaster recovery to safeguard against data loss or corruption and provide a way to completely restore your archive should the worst happen.

• End-to-end encryption, which protects PHI from falling into the hands of bad actors when at rest, in use and in transit.

Partnering with the right email archiving software provider can make a significant difference in your efforts to remain HIPAA compliant. With Intradyn’s singular email archiving solution, you’ll get real-time archiving of incoming and outgoing messages, robust search functionality, role-based permissions, backup and disaster recovery, and more — all the features and capabilities you need to avoid costly compliance violations.

Contact Intradyn today to see how our email archiver can help your healthcare organization stay in line with HIPAA’s guidelines.

Intradyn is not a legal professional, and this content should not be considered legal advice but rather a guide to regulatory compliance.