Email systems assist in HIPAA compliant data retention by automatically archiving correspondence and allowing easy retrieval.
According to the HHS: “A covered entity must maintain, until six years after the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.”
HIPAA’s Privacy Rule sets the retention requirement for the documentation that the rule itself requires covered entities and business associates to keep: policies and procedures, notices of privacy practices, authorizations, complaint dispositions, and similar records. It does not set a retention period for medical records themselves; how long a chart containing protected health information (PHI) must be kept before disposal is governed by state law and by the organization's own policies. Keeping required documentation for the full six-year period ensures it is available for legal, regulatory, and operational purposes, including audits, compliance investigations, and responses to patient requests for their records.
In a Record Management Journal article, the following statement regarding email communication as a method of record keeping stands out: “The article reviews the development of traditional correspondence and its representation features in the USA and discusses how the evolution of the email system has successfully incorporated experience of correspondence recordkeeping to achieve the integrated functionality of email creation, transmission, storage and organization. Drawing on major email preservation research and project documentation, it reviews the role persistent representation features play in management, preservation and access of email correspondence.”
Email is a practical medium for retaining communication records because every message already carries its own timestamps, sender and recipient addresses, and attachments, and an archive can capture those messages as they pass through the organization's mail system. In healthcare organizations where HIPAA compliant email requirements apply, this turns much of the retention work into an automated administrative function rather than a manual one. Retention begins the moment a message is sent from or received by the organization's email system.
The mail server and the archiving platform log the lifecycle of each message: receipt, delivery, forwarding, replies, and deletion, each stamped with the date and time, the sender and recipient addresses, and a message identifier. Where mailbox audit logging is enabled, the logs also record which account accessed or deleted a message. Two caveats matter for retention: transport logs normally hold only this metadata, not the message body or attachments, so the content itself must be captured by the archive, and whether a message was "opened" is not recorded by the server unless a read receipt or similar tracking mechanism is in use.
See also: Top 10 HIPAA compliant email services
Beyond the question of how long records must be held, the Security Rule addresses how electronic PHI is protected against loss and what happens to it at the end of its life. It requires covered entities to implement policies and procedures for the final disposition of ePHI and of the hardware or media on which it is stored, and for removing ePHI from media before reuse, but it does not prescribe a particular destruction method; HHS guidance points to the NIST SP 800-88 media sanitization guidelines for that. Data loss prevention methods include:
See also: How to safely dispose of ePHI
For email in transit, TLS 1.2 or higher is recommended; SSLv3, TLS 1.0, and TLS 1.1 should be disabled on the mail server.
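As an added example that is not part of the original article, the following shows what the transit-encryption recommendation above looks like in mail-server configuration, assuming a Postfix SMTP server (a hypothetical deployment chosen for illustration; the directive names are Postfix's own). The weak settings are shown commented out beside the corrected ones:

```conf
# Postfix main.cf excerpt (added example; assumes a Postfix deployment)

# Weak: the protocol defaults on current Postfix releases still allow
# TLS 1.0 and 1.1, and "may" lets outbound delivery fall back to plaintext
# whenever the remote server does not offer STARTTLS.
# smtpd_tls_protocols = !SSLv2, !SSLv3
# smtp_tls_security_level = may

# Corrected: inbound (smtpd) and outbound (smtp) both refuse anything
# below TLS 1.2, for opportunistic and mandatory TLS alike.
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

# Outbound: require TLS rather than falling back to plaintext. "encrypt"
# refuses delivery to any peer that cannot negotiate TLS, so deployments
# that must still reach such peers typically keep "may" here and enforce
# "encrypt" per destination through smtp_tls_policy_maps instead.
smtp_tls_security_level = encrypt

# Log the negotiated protocol and cipher for each session so the archive's
# transport logs can show that PHI moved over TLS 1.2 or higher.
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
```

Inbound is left at "may" rather than "encrypt" because a public MX that refuses plaintext will bounce mail from senders that never offer STARTTLS; the protocol restriction still guarantees that any TLS session that is established uses 1.2 or higher. After reloading Postfix, a client-side check with `openssl s_client -starttls smtp -connect mail.example.com:25 -tls1_1` (hostname assumed) should fail to complete a handshake, while the same command with `-tls1_2` should succeed.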
Disposing of ePHI requires either securely sanitizing the electronic records (overwriting, cryptographic erasure, or another method from NIST SP 800-88 appropriate to the media) or physically destroying the storage hardware, so that the data cannot be recovered, and documenting that the disposal took place.