Proofpoint: Security, Compliance and the Cloud

December 10, 2009

Does HIPAA Compliance Require Email Archiving?

We held a web seminar yesterday titled "HIPAA and Beyond: Meeting New Healthcare Security Requirements for Email" (you can view the replay of this HIPAA email webinar by following this link) where Rami Habal presented some great information on the new requirements enterprises face when protecting private healthcare information (PHI) in email. This was our most highly attended web seminar ever with more than 1200 registered attendees.

During the question and answer session at the end of the presentation, I mentioned briefly that HIPAA may require some types of emails to be retained and that this argued for adopting email archiving solutions as well as email encryption/data loss prevention.

At the end of all our webinars, we conduct a survey that allows attendees to provide feedback. One of the webinar attendees chastised me gently in their survey response saying that my assertion was wrong and that HIPAA does not require organizations to retain email.

Was I wrong? Well, it's true that HIPAA does not specifically mandate that covered entities archive email. (Certainly not in the same way that it requires encryption of PHI in electronic messages.) However, HIPAA does require that covered entities retain certain types of documentation related to their compliance with the HIPAA regulations. It's my contention that, in some cases, this requires that certain emails be retained.

This is a fairly subtle point but one that I think healthcare organizations and other HIPAA covered entities should consider. I wrote about this briefly in our whitepaper, HIPAA and Beyond: An Update on Healthcare Security Regulations for Email. Here's an excerpt of what I had to say:

While this paper has focused primarily on the requirements for protecting private healthcare information during email transmission, HIPAA covered entities are also required to retain a wide range of documentation regarding their compliance with the regulation. In general, documentation must be retained for six years from the date of its creation, or the date of last effect, whichever is later (though some states mandate longer retention periods).

Documentation that must be retained includes:

  • Policy or procedural documentation: Including notices of privacy practices, consents, authorizations and other standard forms
  • Patient requests: Such as requests for access, amendment or accountings of PHI disclosures
  • Complaints: Documentation related to the handling of patient and/or healthcare organization (HCO) employee complaints
  • Training: Including processes for and content of workforce training

An increasing number of email messages sent or received by HCOs could fall into these categories, and in some cases, may only exist in email (for example, patient requests sent via email). In a recent Proofpoint survey of large healthcare organizations, 68% of respondents cited “ensuring the confidentiality and protection of private healthcare information” as a top concern driving the need to archive email in their organizations. HCOs should look for email security solutions that also include an email archiving component.

Email archiving technology can ensure both the preservation and easy discovery of email messages that could be considered medical records or HIPAA-regulated documentation. Such systems should store email in an encrypted form, to ensure the security of any PHI contained in archived email messages and their attachments.

The point is, some email communications clearly do qualify as documentation that must be retained under the HIPAA regulations. Modern email archiving solutions can enforce retention of such messages and make them more easily discoverable. The full whitepaper has a bit more detail and, as always, I appreciate your comments as to whether I'm off base on this topic!


Comments


Identity theft is serious and can cause not only major inconveniences in your life but can also cost you hundreds of dollars trying to restore your credit, handle fraudulent charges and possible trauma in your personal life or career. This is why managing, storing and disposing of your data online, on your PC or on your files is important. As a paper shredding San Antonio based business, we assist households and businesses in destroying their records in a secure manner.

It makes sense to attach each email to the patient's medical record if it falls into one of the categories mentioned in your post. Then apply the same protection required for the medical records themselves.
