Compliance & the Cloud
It's true that HIPAA does not specifically mandate that covered entities archive email. (Certainly not in the same way that it requires encryption of PHI in electronic messages.) However, HIPAA does require that covered entities retain certain types of documentation related to their compliance with the HIPAA regulations. In some cases, this requires that certain emails be retained.
Documentation that must be retained includes:
- Policy or procedural documentation: Including notices of privacy practices, consents, authorizations and other standard forms
- Patient requests: Such as requests for access, amendment or accountings of PHI disclosures
- Complaints: Documentation related to the handling of patient and/or HCO employee complaints
- Training: Including processes for and content of workforce training.
An increasing number of email messages sent or received by HCOs could fall into these categories, and in some cases, may only exist in email (for example, patient requests sent via email). In a recent Proof point survey of large healthcare organizations, 68% of respondents cited “ensuring the confidentiality and protection of private healthcare information” as a top concern driving the need to archive email in their organizations. HCOs should look for email security solutions that also include an email archiving component.
Email archiving technology can ensure both the preservation and easy discovery of email messages that could be considered medical records or HIPAA-regulated documentation. Such systems should store email in an encrypted form, to ensure the security of any PHI contained in archived email messages and their attachments.
The point is, some email communications clearly do qualify as documentation that must be retained under the HIPAA regulations. Modern email archiving solutions can enforce retention of such messages and make them more easily discoverable.