Paubox blog: HIPAA compliant email made easy

Preferred file formats for importing archived email

Written by Caitlin Anthoney | October 07, 2024

Choosing the right format for email archiving involves balancing accessibility and usability with long-term security. Whether archiving emails in native formats like PST, MBOX, or EML, or converting them to PDF, covered entities must follow HIPAA regulations for encryption, secure storage, and access controls.

 

Common file formats for email archiving

On choosing a file format for email archiving, timeSensor explains, "It may seem advantageous to save emails in the same native format as the one used by your email client. Unfortunately, there is no standard for email file format. The various software uses different file formats."

Formats like PST, MBOX, and EML are the most commonly used across platforms. However, there are numerous native formats, each tailored to specific email clients:

  • .eml - Used by most email clients, such as Outlook, Windows Mail, and Thunderbird.
  • .msg - Used by Microsoft Outlook to store individual messages.
  • .rpmsg - Microsoft Restricted Permission Message files.
  • .emlx - Apple Mail's mailbox message file.
  • .msf and .wdseml - Used by Mozilla Thunderbird.

Using different formats can make it difficult to collaborate with users on different platforms or maintain long-term access to archived emails. Furthermore, covered entities must explore these formats and how they relate to HIPAA compliance.

 

PST (Personal Storage Table)

A PST file is commonly used by Microsoft Outlook to store emails, attachments, and calendar entries. If the organization uses Outlook, PST files are a reliable option and particularly suitable for bulk archiving.

When healthcare and other covered entities archive their emails, they must use a HIPAA compliant solution. While these solutions do not manage PST files, they do encrypt emails during transit and storage, so all PHI-containing email communications are secure.

 

MBOX (Mailbox)

MBOX files store multiple email messages in a single text file, making them easier to manage for mass archiving. MBOX is widely accepted by clients like Thunderbird, Apple Mail, and Gmail.

Like PST files, MBOX files must be encrypted when they are archived or imported to avoid unauthorized access.

 

EML (Email Message)

EML files store individual email messages with attachments and are supported by Microsoft Outlook, Windows Mail, and Thunderbird. These files are flexible for transferring small numbers of messages.

When dealing with PHI, EML files should be encrypted and stored securely. Using a HIPAA compliant platform like Paubox encrypts these emails at all stages.

 

Challenges of using native formats

Native email formats like .eml, .msg, or .emlx might seem convenient at first, but as timeSensor notes, "Using the native format of your email client to archive emails may seem like a good and easy idea at first glance, but can be problematic to cooperate with other users or to ensure long-term usability."

Users on different operating systems could have difficulty opening archived emails stored in native formats. Moreover, covered entities should ask whether they will still be using the same email client five or ten years from now and whether the files will remain HIPAA compliant.

 

The best option for long-term archiving

An alternative to native formats is to convert your emails to PDF format. As timeSensor LEGAL explains, "The PDF format has obvious advantages when working with other users or for long-term archiving. PDF documents will also be indexed and will show up in your searches."

PDFs provide a universal format, making it easier to collaborate with team members using different systems, and they ensure long-term access. In addition, PDF archiving can integrate with tools that index documents for easy retrieval. However, converting emails to PDF also has drawbacks, like having less evidential value than emails saved in native format.

More specifically, PDF files do not retain the raw metadata from the email, like headers, sender information, and timestamps.
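One way to keep the headers, sender information, and timestamps that a PDF copy drops is to record them from the native archive before conversion. The Python sketch below is an added example, not code from Paubox or timeSensor; the sample MBOX archive, the function names, and the manifest fields are constructed for illustration.

```python
import hashlib
import mailbox
import tempfile
from email import policy
from email.parser import BytesParser

# Constructed two-message mbox archive (sample data, not from the article).
SAMPLE_MBOX = (
    b"From alice@example.org Mon Oct  7 09:00:00 2024\n"
    b"From: Alice <alice@example.org>\n"
    b"Date: Mon, 07 Oct 2024 09:00:00 +0000\n"
    b"Message-ID: <1@example.org>\n"
    b"\n"
    b"See you Tuesday.\n"
    b"\n"
    b"From bob@example.org Mon Oct  7 10:30:00 2024\n"
    b"From: Bob <bob@example.org>\n"
    b"Date: Mon, 07 Oct 2024 10:30:00 +0000\n"
    b"Message-ID: <2@example.org>\n"
    b"\n"
    b"Confirmed.\n"
)

def write_sample():
    """Write the constructed archive to a temp file and return its path."""
    with tempfile.NamedTemporaryFile(suffix=".mbox", delete=False) as fh:
        fh.write(SAMPLE_MBOX)
        return fh.name

def build_manifest(mbox_path):
    """One record per message: key headers plus SHA-256 of the raw bytes."""
    box = mailbox.mbox(mbox_path, create=False)
    records = []
    for key in box.iterkeys():
        raw = box.get_bytes(key)  # headers and body, without the "From " separator
        msg = BytesParser(policy=policy.default).parsebytes(raw, headersonly=True)
        rec = {h.lower(): str(msg.get(h, "")) for h in ("From", "Date", "Message-ID")}
        rec["sha256"] = hashlib.sha256(raw).hexdigest()
        records.append(rec)
    box.close()
    return records

def changed_messages(mbox_path, manifest):
    """Message-IDs whose current digest no longer matches the manifest."""
    now = {r["message-id"]: r["sha256"] for r in build_manifest(mbox_path)}
    return [r["message-id"] for r in manifest if now.get(r["message-id"]) != r["sha256"]]

if __name__ == "__main__":
    for record in build_manifest(write_sample()):
        print(record)
```

Store the manifest under the same encryption and access controls as the archive, since sender and recipient headers can themselves identify patients.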

 

Tips for HIPAA compliance when importing archived emails

  • Encryption: HIPAA mandates that PHI must be encrypted in transit and at rest. All email files, whether in native format or PDF, must be stored and transferred securely.
  • Business associate agreement (BAA): Covered entities must have a signed BAA in place when using third-party services for email archiving. Platforms like Paubox offer BAAs as part of their HIPAA compliant email solutions, so PHI remains protected.
  • Secure import and access: When importing archived emails, limit access to authorized personnel. Use multi-factor authentication (MFA) and audit logs to track who accesses archived emails.

Learn more: HIPAA Compliant Email: The Definitive Guide

 

FAQs

What is a business associate agreement?

A business associate agreement (BAA) is a legally binding contract establishing a relationship between a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and its business associates. The purpose of this agreement is to ensure the proper protection of personal health information (PHI) as required by HIPAA regulations.

 

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting the privacy and security of certain health information, known as protected health information (PHI).

HIPAA is designed to protect the privacy and security of individuals’ health information and to ensure that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in significant fines and penalties for covered entities.

 

Who does HIPAA apply to?

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.