December 10, 2009
Does HIPAA Compliance Require Email Archiving?
We held a web seminar yesterday titled "HIPAA and Beyond: Meeting New Healthcare Security Requirements for Email" (you can view the replay of this HIPAA email webinar by following this link) where Rami Habal presented some great information on the new requirements enterprises face when protecting private healthcare information (PHI) in email. This was our most highly attended web seminar ever with more than 1200 registered attendees.
During the question and answer session at the end of the presentation, I mentioned briefly that HIPAA may require some types of emails to be retained and that this argued for adopting email archiving solutions as well as email encryption/data loss prevention.
At the end of all our webinars, we conduct a survey that allows attendees to provide feedback. One of the webinar attendees chastised me gently in their survey response saying that my assertion was wrong and that HIPAA does not require organizations to retain email.
Was I wrong? Well, it's true that HIPAA does not specifically mandate that covered entities archive email. (Certainly not in the same way that it requires encryption of PHI in electronic messages.) However, HIPAA does require that covered entities retain certain types of documentation related to their compliance with the HIPAA regulations. It's my contention that, in some cases, this requires that certain emails be retained.
This is a fairly subtle point but one that I think healthcare organizations and other HIPAA covered entities should consider. I wrote about this briefly in our whitepaper, "HIPAA and Beyond: An Update on Healthcare Security Regulations for Email." Here's an excerpt of what I had to say:
While this paper has focused primarily on the requirements for protecting private healthcare information during email transmission, HIPAA covered entities are also required to retain a wide range of documentation regarding their compliance with the regulation. In general, documentation must be retained for six years from the date of its creation, or the date of last effect, whichever is later (though some states mandate longer retention periods).
Documentation that must be retained includes:
- Policy or procedural documentation: Including notices of privacy practices, consents, authorizations and other standard forms
- Patient requests: Such as requests for access, amendment or accountings of PHI disclosures
- Complaints: Documentation related to the handling of patient and/or healthcare organization (HCO) employee complaints
- Training: Including processes for and content of workforce training
An increasing number of email messages sent or received by HCOs could fall into these categories, and in some cases, may only exist in email (for example, patient requests sent via email). In a recent Proofpoint survey of large healthcare organizations, 68% of respondents cited “ensuring the confidentiality and protection of private healthcare information” as a top concern driving the need to archive email in their organizations. HCOs should look for email security solutions that also include an email archiving component.
Email archiving technology can ensure both the preservation and easy discovery of email messages that could be considered medical records or HIPAA-regulated documentation. Such systems should store email in an encrypted form, to ensure the security of any PHI contained in archived email messages and their attachments.
The point is, some email communications clearly do qualify as documentation that must be retained under the HIPAA regulations. Modern email archiving solutions can enforce retention of such messages and make them more easily discoverable. The full whitepaper has a bit more detail and, as always, I appreciate your comments as to whether I'm off base on this topic!