
What Gets Overlooked For HIPAA Compliant Email Retention?


In this post we cover the 5 Requirements for HIPAA Compliant Email Retention.

In a recent survey we discovered that HIPAA compliant email retention is often overlooked and incorrectly implemented when organizations consider their overall HIPAA data retention requirements.

Email Retention Of PHI

Because Covered Entities email out Protected Health Information (PHI), all emails containing that information, either in the body text or as an attachment, must comply with the following HIPAA regulations:

  • Emails must be securely backed up and retained for a minimum of six years as per the HIPAA Security rule.
  • Specific access and audit controls must be implemented to safeguard the integrity of PHI in emails.
  • A system needs to be in place to prevent improper modification or deletion of emails.

Regular email solutions do not cover these HIPAA requirements. While some solutions such as Office 365 can include email backups, these are not sufficient for full HIPAA email compliance.

As an example of how HIPAA compliant email needs to be implemented we examined a leading HIPAA email retention solution (ArcTitan from TitanHQ) and rated its functionality based on HIPAA compliance requirements. Included below is the review summary and details of exactly how any HIPAA compliant email solution needs to work. You can read the full review here.

Review Summary

  • ArcTitan from TitanHQ is a seamless, easy to implement and cost effective email retention solution that has been designed for HIPAA compliant email retention requirements.
  • ArcTitan works robustly for any size of Covered Entity or Business Associate, protecting all emails with PHI, and covering all the necessary HIPAA retention requirements.

The 5 Requirements for HIPAA Compliant Email Archiving

Here are the 5 specific ways ArcTitan is HIPAA compliant for email retention, and which must be covered for full HIPAA email compliance.

1. Encrypted Storage

ArcTitan encrypts all emails in its secure data centers, ensuring that PHI is protected from unauthorized access. In addition, ArcTitan provides data loss prevention mechanisms, such as email audit functionality. This guarantees emails have not been altered or deleted and also prevents destruction of emails by a dishonest or disgruntled employee.

2. Retention Policies

ArcTitan enables Covered Entities to implement retention policies for email archiving. In this way organizations can ensure that emails are retained for the correct period of time as required by HIPAA rules.

What is often overlooked is that most organizations’ email systems are centered around specific email usage on a per-employee basis, and when a person leaves, their email address and emails are often deleted. This can inadvertently break HIPAA rules unless the departed employee’s emails are backed up and retained for six years as part of the retention policy.
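As an added illustration of the departed-employee case (example code written for this post, not ArcTitan's or TitanHQ's own), the check below applies the six-year retention rule to an offboarding request to delete a former employee's mailbox; the archive contents, mailbox addresses and message ids are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

RETENTION_YEARS = 6  # minimum retention period cited in the post


@dataclass(frozen=True)
class ArchivedEmail:
    message_id: str
    received: date
    mailbox: str            # address of the employee whose mailbox holds it
    legal_hold: bool = False


def retention_end(received: date) -> date:
    """First day on which the message may lawfully be purged."""
    try:
        return received.replace(year=received.year + RETENTION_YEARS)
    except ValueError:  # received on 29 February, target year is not a leap year
        return received.replace(year=received.year + RETENTION_YEARS, day=28)


def purge_allowed(msg: ArchivedEmail, today: date) -> tuple[bool, str]:
    """Legal hold wins over everything; otherwise purge only after six years."""
    if msg.legal_hold:
        return False, "legal hold"
    end = retention_end(msg.received)
    if today < end:
        return False, f"retained until {end.isoformat()}"
    return True, "retention period elapsed"


def review_offboarding(archive: list[ArchivedEmail], departed_mailbox: str,
                       today: date) -> tuple[list[str], dict[str, str]]:
    """Split a departed employee's mailbox into ids that may be purged now
    and ids that must stay in the archive, each with the blocking reason.
    Departure itself never shortens retention."""
    purgeable: list[str] = []
    blocked: dict[str, str] = {}
    for msg in archive:
        if msg.mailbox != departed_mailbox:
            continue
        ok, reason = purge_allowed(msg, today)
        (purgeable.append(msg.message_id) if ok else blocked.__setitem__(msg.message_id, reason))
    return purgeable, blocked


# Constructed sample archive: one departed nurse's mailbox plus an unrelated message.
SAMPLE_ARCHIVE = [
    ArchivedEmail("m1", date(2017, 3, 10), "nurse.a@example-clinic.test"),
    ArchivedEmail("m2", date(2019, 11, 2), "nurse.a@example-clinic.test"),
    ArchivedEmail("m3", date(2016, 2, 29), "nurse.a@example-clinic.test", legal_hold=True),
    ArchivedEmail("m4", date(2023, 1, 15), "billing@example-clinic.test"),
]
```

Running `review_offboarding(SAMPLE_ARCHIVE, "nurse.a@example-clinic.test", date(2024, 6, 1))` releases only `m1`; the 2019 message and the message under legal hold stay in the archive even though the owner has left.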

3. Search Capabilities

Emails are automatically placed in a cloud-based secure archive using sophisticated indexing. Unlike a simple data backup, ArcTitan uses the indexing to provide a powerful search facility that enables organizations to quickly and easily search through their email archives. It can be very time-consuming to find and recover individual emails with regular backup systems, often taking weeks and tying up IT resources.

4. Compliance Reporting & Audit Trails

Organizations can easily demonstrate their compliance with HIPAA rules for email with ArcTitan’s comprehensive reporting and audit trails of all email activity, which use ID authentication. This can be very important if an organization is involved in litigation, needs to confirm proof of delivery, or needs to comply with an audit request from the Department of Health and Human Services.

5. Access Controls

Access to archived emails on ArcTitan is limited to authorized personnel, known as Data Guardians, thanks to the platform’s strong access controls. Additionally, Data Guardians are responsible for managing legal hold and deletion requests.

You can read the full review here, which contains more details of pricing, technical specifications and non-HIPAA benefits to organizations.

The post What Gets Overlooked For HIPAA Compliant Email Retention? appeared first on HIPAA Journal.
