HIPAA regulations can be confusing enough just to understand, and it gets even more challenging when you try to apply them to your IT strategy.
With all the concern over email security, an undervalued consideration is how email archiving fits into your cybersecurity strategy and whether it is required for HIPAA compliance.
Email archiving is simply storing emails and making them available to be searched.
At its simplest, you can think of it as never deleting an email from your inbox or sent folder. But that takes a tremendous amount of storage and can put a strain on your server capacity.
Email archiving solutions take the burden off organizations and store emails on their own servers, while still making them available to designated administrators in the organization.
This is different from simply creating a backup of the data stored in emails. Data backups are not indexed, so individual emails cannot be searched for; if a particular email needed to be found, it could take IT weeks to locate it.
The language in HIPAA requirements around email archiving is vague and ambiguous.
HIPAA lists things that you need to do, but is not clear about how to do them. Additionally, email archiving is not explicitly mentioned anywhere in the regulations.
The closest requirement to anything resembling email archiving is the HIPAA Security Rule requirement that logs are kept of electronic disclosures of PHI; however, that only requires the date and not the message itself.
Other requirements around being able to restore and retrieve PHI can be covered by using a solid data backup system, and not necessarily email archiving.
However, it is still in your best interest to employ some sort of email archiving, because it helps ensure that the access controls and audit controls required to protect the integrity of PHI are in place and that the messages are tamper-proof.
Since archiving involves preserving outbound and inbound emails to be indexed for search and retrieval, making sure that the messages are secured all the way into storage is vital.
Secure email archiving means messages are encrypted during export, storage and retrieval in order to protect the integrity of PHI and prevent "man-in-the-middle" attacks. Since the archived emails cannot be edited or deleted, they are also tamper-proof.
Service providers responsible for archiving emails in compliance with HIPAA have to implement policies and procedures that enforce strict controls over who has access to archived emails. Auditing controls must also be put in place to satisfy the administrative safeguards of the HIPAA Security Rule.
Once archived, only authorized personnel can search for and retrieve emails as necessary in order to extract ePHI, support litigation or comply with an audit request from the Department of Health and Human Services.
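As an added illustration of the tamper-proofing, access control and audit logging described above (example code, not from any archiving vendor or from HIPAA itself): each archived message is chained to the previous one with a keyed hash, so any edit or deletion is detectable, and every search attempt is recorded whether or not the caller is authorized. The key, user names and messages are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed demo key for this example only; a real archive would keep it in a KMS or HSM.
ARCHIVE_KEY = b"demo-archive-key-not-for-production"
GENESIS = "0" * 64


class EmailArchive:
    """Append-only archive: each record carries an HMAC over the previous record's
    HMAC and its own message, so editing or deleting any email breaks verification
    of it and everything after it. Every search is audit-logged."""

    def __init__(self, authorized):
        self.records = []      # list of {"msg": ..., "mac": ...}, never modified after append
        self.audit_log = []    # who searched for what, and whether it was allowed
        self.authorized = set(authorized)

    def _mac(self, prev_mac, msg):
        payload = prev_mac.encode() + json.dumps(msg, sort_keys=True).encode()
        return hmac.new(ARCHIVE_KEY, payload, hashlib.sha256).hexdigest()

    def ingest(self, msg):
        """Archive an inbound or outbound message (dict with from/to/subject/body)."""
        prev_mac = self.records[-1]["mac"] if self.records else GENESIS
        self.records.append({"msg": msg, "mac": self._mac(prev_mac, msg)})

    def verify(self):
        """Return -1 if the chain is intact, else the index of the first bad record."""
        prev_mac = GENESIS
        for i, rec in enumerate(self.records):
            if not hmac.compare_digest(rec["mac"], self._mac(prev_mac, rec["msg"])):
                return i
            prev_mac = rec["mac"]
        return -1

    def search(self, user, term):
        """Case-insensitive search over subject and body, restricted to authorized users."""
        allowed = user in self.authorized
        hits = [r["msg"] for r in self.records
                if allowed and term.lower() in (r["msg"]["subject"] + " " + r["msg"]["body"]).lower()]
        # Log before raising so denied attempts are auditable too.
        self.audit_log.append({"user": user, "term": term, "allowed": allowed, "hits": len(hits)})
        if not allowed:
            raise PermissionError(f"{user} is not authorized to search the archive")
        return hits
```

Running `verify()` after an administrator has edited or deleted a stored record returns the index where the chain breaks, which is the check an auditor would want to see alongside the access log.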
Sent emails can also be recovered to confirm proof of delivery.
Email archiving is an easy, logical step for a healthcare organization looking to protect itself from PHI breaches and meet HIPAA requirements.