Choosing the right format for email archiving involves balancing accessibility and usability with long-term security. Whether archiving emails in native formats like PST, MBOX, or EML, or converting them to PDF, covered entities must follow HIPAA regulations for encryption, secure storage, and access controls.
When choosing a file format for email archiving, "It may seem advantageous to save emails in the same native format as the one used by your email client. Unfortunately, there is no standard for email file format. The various software uses different file formats," explains timeSensor.
Formats like PST, MBOX, and EML are the most commonly used across platforms. However, there are numerous native formats, each tailored to specific email clients:
Using different formats can make it difficult to collaborate with users on different platforms or maintain long-term access to archived emails. Furthermore, covered entities must explore these formats and how they relate to HIPAA compliance.
A PST file is commonly used by Microsoft Outlook to store emails, attachments, and calendar entries. If the organization uses Outlook, PST files are a reliable option and particularly suitable for bulk archiving.
When healthcare and other covered entities archive their emails, they must use a HIPAA compliant solution. While these solutions do not manage PST files, they do encrypt emails during transit and storage, so all PHI-containing email communications are secure.
MBOX files store multiple email messages in a single text file, making them easier to manage for mass archiving. MBOX is widely accepted by clients like Thunderbird, Apple Mail, and Gmail.
Like PST files, MBOX archives must be encrypted when they are created or imported to prevent unauthorized access.
EML files store individual email messages with attachments and are supported by Microsoft Outlook, Windows Mail, and Thunderbird. These files are flexible for transferring small numbers of messages.
When dealing with PHI, EML files should be encrypted and stored securely. Using a HIPAA compliant platform like Paubox encrypts these emails at all stages.
While using native email formats like .eml, .msg, or .emix might seem convenient at first, timeSensor cautions: "Using the native format of your email client to archive emails may seem like a good and easy idea at first glance, but can be problematic to cooperate with other users or to ensure long-term usability."
Therefore, users on different operating systems could have difficulty opening archived emails stored in native formats. Moreover, covered entities should ask whether they will still be using the same email client five or ten years from now and if the files will remain HIPAA compliant.
An alternative to native formats is to convert your emails to PDF format. As timeSensor LEGAL explains, "The PDF format has obvious advantages when working with other users or for long-term archiving. PDF documents will also be indexed and will show up in your searches."
PDFs provide a universal format, making it easier to collaborate with team members using different systems, and they ensure long-term access. In addition, PDF archiving can integrate with tools that index documents for easy retrieval. However, converting emails to PDF also has drawbacks, like having "less evidential value than emails saved in native format."
More specifically, PDF files do not retain the raw metadata from the email, like headers, sender information, and timestamps.
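The MBOX description above (many messages concatenated in one text file) and the point that a PDF rendering drops headers, sender details and timestamps can be shown concretely. The following Python script is an added example, not code from the original article, from timeSensor or from Paubox. It uses only the standard library and a constructed two-message MBOX sample with fictitious addresses. It walks the archive, extracts the headers a PDF conversion would lose (Message-ID, In-Reply-To, Date, From, To, Received), lists attachment names, and records a SHA-256 fingerprint of each raw message so an archived copy can later be checked against the original.

```python
"""Added example: inventory the evidentiary metadata in an MBOX archive.

An MBOX file is a plain-text concatenation of messages, each introduced by a
"From " separator line. Rendering those messages to PDF keeps the visible text
but drops the transport headers that give an email its evidential value. This
script walks an MBOX archive with the standard library, extracts those headers
and the attachment names for each message, and records a SHA-256 fingerprint
of the raw message bytes. The sample archive below is constructed for this
example; it contains no real correspondence and no PHI.
"""
import email
import hashlib
import json
import mailbox
import os
import tempfile
from datetime import timezone
from email import policy
from email.utils import parsedate_to_datetime

# Headers a PDF rendering discards but an archive should retain.
EVIDENTIARY_HEADERS = ("Message-ID", "In-Reply-To", "Date", "From", "To", "Received")

# Constructed two-message MBOX archive (fictitious addresses, example.org).
SAMPLE_MBOX = b"""From alice@example.org Mon Jan  8 09:15:02 2024
From: Alice Clinic <alice@example.org>
To: Bob Billing <bob@example.org>
Subject: Referral paperwork
Date: Mon, 08 Jan 2024 09:15:02 -0500
Message-ID: <ref-001@example.org>
Received: from mail.example.org (mail.example.org [192.0.2.10]) by mx.example.org; Mon, 08 Jan 2024 09:15:03 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Attached is the referral form.
--b1
Content-Type: application/pdf; name="referral.pdf"
Content-Disposition: attachment; filename="referral.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--

From bob@example.org Mon Jan  8 10:02:40 2024
From: Bob Billing <bob@example.org>
To: Alice Clinic <alice@example.org>
Subject: Re: Referral paperwork
Date: Mon, 08 Jan 2024 10:02:40 -0500
Message-ID: <ref-002@example.org>
In-Reply-To: <ref-001@example.org>
Content-Type: text/plain; charset="utf-8"

Received, thanks.
"""


def message_record(raw: bytes) -> dict:
    """Build one metadata sidecar entry for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    headers = {}
    for name in EVIDENTIARY_HEADERS:
        values = msg.get_all(name)
        if values:
            headers[name] = [str(v) for v in values]
    date = msg.get("Date")
    # Normalised UTC timestamp so archived copies can be ordered and correlated.
    sent_utc = None
    if date:
        sent_utc = parsedate_to_datetime(str(date)).astimezone(timezone.utc).isoformat()
    return {
        "subject": str(msg.get("Subject", "")),
        "headers": headers,
        "sent_utc": sent_utc,
        "attachments": [part.get_filename() for part in msg.iter_attachments()],
        # Fingerprint of the raw bytes: an auditor can verify the archived
        # message against the original instead of relying on the PDF alone.
        "sha256": hashlib.sha256(raw).hexdigest(),
    }


def inventory_mbox(path: str) -> list:
    """Return one sidecar record per message in the MBOX file at `path`."""
    box = mailbox.mbox(path, create=False)
    try:
        # get_bytes() returns the message without its "From " separator line.
        return [message_record(box.get_bytes(key)) for key in box.keys()]
    finally:
        box.close()


def inventory_bytes(data: bytes) -> list:
    """Inventory an in-memory MBOX; mailbox.mbox needs a path, so use a temp file."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return inventory_mbox(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(json.dumps(inventory_bytes(SAMPLE_MBOX), indent=2))
```

A sidecar record of this kind can be stored next to each converted PDF so the headers, sender information and timestamps survive the conversion, and the fingerprint lets an auditor confirm the archived message was not altered. Encrypting the archive and the sidecar at rest is still required and is not part of this example.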
A business associate agreement (BAA) is a legally binding contract establishing a relationship between a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and its business associates. The purpose of this agreement is to ensure the proper protection of protected health information (PHI) as required by HIPAA regulations.
The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting the privacy and security of certain health information, known as protected health information (PHI).
HIPAA is designed to protect the privacy and security of individuals’ health information and to ensure that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in significant fines and penalties for covered entities.
HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.