HIPAA Privacy and Compliance Rules: Email Archiving Requirements

Answering the whos, whats, and hows of HIPPA email archiving requirements

While there are many components of HIPPA compliance, this post will only detail the requirements under the Privacy and Security Rules. For more information on all HIPAA requirements, refer to their website. These two rules, often discussed in tandem due to their many intersections, outline the duties organizations must perform to safeguard individuals’ protected health information (PHI). Notably, the Privacy covers all PHI, while the Security Rule only deals with electronic public health information (e-PHI).

What is PHI and e-PHI?

PHI is defined as anything relating to a person’s physical and mental health, health care, payment, or anything else that could reasonably identify the individual—from their past, present, and future. e-PHI is the subsection of PHI that is housed electronically.

What is HIPAA?

HIPAA, the Health Insurance Portability and Accountability Act, is the U.S. law that regulates the use, storage, and sharing of healthcare information. The law is divided into five titles: (I) health care access, (II) administrative requirements, (III) tax information, (IV) application and enforcement, and (V) revenue offsets. The two rules we will dive into here, Privacy and Security, both fall under Title II.

Who has to comply with HIPAA email archiving requirements?

HIPAA’s Security and Privacy Rules pertain to both covered entities and business associates. Covered entities include those directly related to medical treatment, payment, and operations, including health plans, such as insurance companies; healthcare clearinghouses, such as billing services, community health management systems, and reprice companies; and healthcare providers like hospitals or doctors and dentist offices. Business associates, on the other hand, are any person or organizations that are indirectly involved, such as data transmission services or any medical subcontractors who manage PHI.

What are the rights granted to individuals by HIPAA?

Notice:

Individuals are allowed to know how their PHI is being used.

Access:

People have the right to access and use their own PHI.

Amendment:

They are also allowed to correct any faulty or missing information.

Disclosure Accounting:

Patients have the right to see how HIPAA-compliant organizations are using their PHI outside of treatment, payment, and operations.

Restriction Request:

People can ask that their information not be shared outside of treatment, payment, and operations. However, organizations can decline that request.

Confidential Communications Requirements:

Patients can dictate—within reason—how they receive their medical information, for example, they can request that they get closed envelopes instead of postcards.

What are the administrative requirements?

There are numerous responsibilities organizations must undergo for full HIPAA compliance, they are separated by their respective rules below.

Privacy

  • Disclosure: Organizations have to provide patients with written privacy policies and procedures.
  • Privacy Personnel: There must be a designated privacy official who is responsible for developing privacy initiatives and responding to privacy complaints.
  • Privacy Training: All employees subject to HIPAA have to be educated about the organization’s privacy policies and procedures. Further, if an employee violates these rules, they must be sanctioned.
  • Mitigation: As organizations learn of risks, they must take active measures to remedy them.
  • Data safeguards: To the best of an organization’s ability, they must establish preventive measures to protect PHI.
  • Complaints: There must be systematic ways for individuals to make privacy complaints.
  • Retaliation and Waiver: Organizations cannot discriminate against individuals who has enacted any of their rights protected under HIPAA.
  • Record Retention: Protected documents and policies, further outlined in the section below, must be maintained for at least 6 years after its creation or last effective date.

Security

  • Security Evaluation: Organizations have to undergo continual e-PHI risk assessments.
  • Security management process: As an organization learns of risks, it must actively mitigate them.
  • Security personnel: An organization must designate someone as the security official responsible for designing and implementing e-PHI security measures.
  • Information Access: e-PHI must be only accessible to authorized individuals.
  • Security Training: Organizations must train all personnel in proper security procedures. If a staff member violates security policies, they must be sanctioned.

What are the emailing archiving requirements of HIPAA?

A notable disclaimer before diving in on document retention requirements, neither the word archive nor email is used throughout HIPAA policies. That said, both are quasi-required based on HIPAA’s specific retention policies. For example, HIPAA covers all PHI—regardless of data source—and therefore also pertains to e-PHI in emails. In terms of archiving e-PHI, HIPAA uses the language of data backup, requiring in the Security Rule that organizations “establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.” The need for an exact copy combined with the requirement that data be backed up in a secondary location is indicative of an archive.

What is required of HIPAA email archiving?

Outside of the above, email and document compliance requires e-PHI storage to be confidential, available, updated, logged, and have integrity. In that access to e-PHI should only be granted to authorized personnel, e-PHI must be accessible by their owners, documents must be periodically updated for security purposes, any action taken on documents with e-PHI must be captured in an audit log, and all documents must be immutable and kept in their original form.

How long does HIPAA require emails to be archived?

All documents with e-PHI must be backed up for at least six years from its creation or—if included in a policy—six years from the last day it was in effect.

What are the penalties for non-compliance?

Penalties vary based on the circumstances, but the HITECH Act outlines four categories of non-compliance that each have their own monetary fees ranging from $10 thousand to $1.5 million per violation. The four categories, in increasing severity, are (I) the covered entity was unaware of the violation, (II) the violation was the result of neglect but had a reasonable cause, (III) the violation was the result of neglect but was corrected, and (IV) the violation was a result of willful neglect and was not corrected on time.

For more information on HIPAA email archiving requirements or other compliance questions, feel free to reach out to a ZL Tech expert.

A graduate from Kalamazoo College, Martin Hansknecht serves as a marketing associate for ZL Tech. He gets his Midwestern charm from growing up in the mitten of Michigan, his East Coast work ethic from his time spent in NY and D.C., and his European fashion from years living in England, Germany, and Hungary. Now he is looking forward to absorbing that innovative West Coast mindset!