2 min read

What is email archiving and retention?

Picture of Kirsten Peremore Kirsten Peremore August 30, 2023

HIPAA compliance
Colorful storage lockers with hanging pendant lights

Email archiving involves creating a searchable repository of email communications, including the email contents, attachments, and metadata. Instead of simply backing up emails, archiving systems organize and index the emails, making them easily retrievable when needed. This process helps preserve the integrity of the emails and prevents unauthorized access, alteration, or deletion.

Email retention refers to keeping email communications for a specified period, as required by regulations or organizational policies. In the context of HIPAA and similar regulations, healthcare organizations must retain certain electronic communications, including emails containing protected health information (PHI), for a specific duration (typically at least six years). This retention period ensures that data is available for audits, legal proceedings, and compliance requirements.

See also: HIPAA compliance and Email Archiving

 

HIPAA and email archiving 

HIPAA does not explicitly mandate email archiving, but it does outline requirements for the retention, security, and accessibility of electronic communications, including emails, that contain protected health information (PHI). The HIPAA Security Rule, specifically the Administrative Safeguards, provides guidance on how covered entities and business associates should handle electronic PHI (ePHI), which includes emails containing PHI. While HIPAA doesn't specify email archiving as a requirement, it encourages the implementation of measures to ensure the availability, integrity, and security of ePHI, which can encompass email archiving practices. 

 

HIPAA provides for secure data handling in the following ways

  1. Data backup and recovery (§164.308(a)(7)): Covered entities and business associates are required to establish policies and procedures for data backup and recovery. This includes creating and maintaining retrievable exact copies of ePHI, which could include emails containing PHI. While not explicitly mentioning email archiving, this requirement emphasizes the necessity of having systems in place to ensure the availability of electronic data.
  2. Technical safeguards: The Security Rule's Technical Safeguards (§164.312) require covered entities and business associates to implement measures to protect ePHI from unauthorized access and ensure its integrity. This could involve encryption, access controls, and audit controls for emails and other electronic communications.
  3. Business associate agreements: If a covered entity engages a business associate to manage email archiving on its behalf, a business associate agreement (BAA) must be in place. This agreement outlines the business associate's responsibilities to ensure the security and privacy of the ePHI they handle, which may include archived emails.

See also: Guidelines for HIPAA compliant documentation and record retention

 

Implementing email archiving and retention policies 

Assess organizational needs

  • Identify the types of electronic communications that need to be retained, especially emails containing PHI.
  • Determine the retention periods required by HIPAA and applicable state laws for medical records, which may include emails.

 

Design email archiving policy

  • Develop a comprehensive email archiving policy that outlines the purpose, scope, responsibilities, and procedures for archiving and retaining emails.

 

Choose an email archiving solution

  • Research and select a reputable email archiving services like Paubox specializing in healthcare compliance and HIPAA compliant email.
  • Ensure the provider offers encryption, access controls, tamper-proofing, and audit capabilities.

 

Sign business associate agreements (BAAs):

  • If using a third-party provider, ensure they are willing to sign a BAA outlining their responsibilities for protecting PHI in archived emails.

 

Implement technical safeguards:

  • Work with your IT team to implement encryption mechanisms for email communications, both in transit and at rest.
  • Establish access controls to limit who can access and retrieve archived emails.
  • Establish a data backup and recovery plan
  • . Develop a data backup and recovery plan that covers both email servers and archived emails.
  • Ensure backups are performed regularly and securely.

 

Document procedures:

  • Document all processes and procedures related to email archiving and retention.
  • Create clear instructions on how authorized users can access and retrieve archived emails.
Secure every email you send and receive HIPAA compliant. Threat-proof. Hassle-free.
3D illustration of an envelope with an incoming arrow surrounded by email symbols

Do you need to ensure HIPAA compliance for incoming emails?

Picture of Dean Levitt Dean Levitt : April 26, 2023

Healthcare organizations and covered entities must adhere to the Health Insurance Portability and Accountability Act (HIPAA) to protect the privacy...

HIPAA compliant email HIPAA compliance
Read More
blue email icon on keyboard

How to develop a HIPAA email retention policy

Picture of Liyanda Tembani Liyanda Tembani : December 6, 2023

A HIPAA email retention policy guides healthcare organizations in securely managing and retaining emails containing protected health information...

HIPAA compliant email HIPAA compliance
Read More
Man sitting on couch blowing nose into tissue while holding box of tissues

Are seasonal health alert emails HIPAA compliant?

Picture of Liyanda Tembani Liyanda Tembani : September 8, 2023

Seasonal health alert emails can be HIPAA compliant when appropriate safeguards are in place to protect patients' protected health information (PHI)...

HIPAA compliance Email marketing
Read More

Subscribe to Paubox Weekly

Every Friday we bring you the most important news from Paubox. Our aim is to make you smarter, faster.