November 08, 2021 by Marko Dinic

HIPAA Email Compliance and Archiving: What You Need to Know

There is a major push for modernization of systems in the healthcare industry, with everything from requirements for electronic health record storage to many providers realizing the power of electronic payment options.

However, in highly regulated industries like healthcare, organizations are under scrutiny because of strict compliance requirements. Healthcare providers, for instance, need to preserve all records and communication data, including electronically stored information (ESI), and ensure it is stored safely in a secure and searchable repository. So here’s what you need to know about HIPAA email compliance and securing email communications.

In hospitals, clinics or health insurance companies, a large number of emails contain sensitive and confidential information like patient info, protected health information (PHI) and attached documentation. This information needs to be kept secure while remaining available for future reference.

Keeping electronic information safe in the healthcare industry is not only best practice, but also a regulatory necessity – regulations like HIPAA deal with appropriate storage, management and access to electronically stored information, data related to online transactions and protected health information.

Many providers communicate with patients on one level or another digitally. The broad definition of protected health information means it’s simply more effective to apply a strong, broad and automated but unobtrusive retention system than attempt to save communications on an individual basis. The alternative – relying on individual staff members to properly store HIPAA-eligible emails in perpetuity – simply isn’t a realistic or effective long-term solution.

The Significance of HIPAA

The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996 and amended in 2013, is a complex law that regulates how healthcare providers manage Protected Health Information (PHI), including medical records and payments. It obliges healthcare organizations to regulate policies and protect patient confidentiality.

There are four areas of HIPAA that healthcare providers need to focus on – privacy of healthcare data, security of healthcare data, breach notification and patients’ rights over their medical data.

The Act consists of five titles in total, but Title II is in our focus as it contains the Privacy Rule and Security Rule and deals with electronic communications and the prevention of healthcare fraud and abuse.

When HIPAA was first enacted, Title II imposed new challenges on healthcare organizations. They had to assess and transform the existing systems to comply with guidelines on digital data archiving and electronic communication, especially when dealing with sensitive patient data.

To meet those guidelines, healthcare providers today rely on data archiving solutions to ensure fast and easy retrieval of data and accessibility of patient records, and to facilitate ediscovery procedures.

HIPAA’s Privacy Rule places restrictions on using and disclosing healthcare information. Only authorized individuals are allowed to access and manage PHI and for essential business purposes only (e.g. providing treatment, paying for medical services). HIPAA also covers organizations that provide products to HIPAA-covered entities but require access to medical histories or PHI. Some examples of such “Business Associates” are lawyers, insurance companies, IT service providers or payment processors.

HIPAA’s Security Rule is especially important and deals with safeguards, controls and processes that need to be established to ensure that the PHI is protected.

Although not explicitly prohibiting the use of email to communicate protected health information (PHI), this rule introduces several requirements which ensure that your organization’s email communication is HIPAA compliant.

  • Administrative Protection Measures

It is necessary to establish the following administrative processes to protect data:

  • assign information security officers in healthcare institutions,
  • sign business associates agreements with third parties who would have access to sensitive data,
  • establish transparent risk assessment procedures,
  • organize training sessions and
  • develop appropriate information management policies.

If you’re wondering who is responsible for overseeing HIPAA compliance and what their main activities are, the HIPAA Journal lists the duties of a HIPAA Compliance Officer relevant to both Covered Entities and Business Associate organizations.

  • Physical Protection Measures

The healthcare provider needs to be able to control the devices that are used to store electronic PHI. It has to carefully explore equipment specifications and have physical access to servers and hardware on which electronic PHI is contained.

  • Technical Protection Measures

It is necessary to specify individuals who can access PHI databases remotely as well as define audits and monitoring mechanisms. Some of the technical protection measures include encryption, anti-virus software, firewalls, multi-factor authentication etc.

According to a summary from the HIPAA Journal, in order for healthcare providers to be HIPAA compliant, they need to restrict access to PHI, be able to monitor how it is communicated, ensure its integrity and protect it from unauthorized access.

HIPAA and Data Breaches

A HIPAA-defined data breach happens any time there is an unauthorized exposure of electronically stored PHI (unless the healthcare organization can prove that patient data was not compromised).

For a long time, the single largest cause of data breaches was human error – from employees misplacing flash drives and sharing sensitive data via BYOD phones to doctors’ laptops being stolen from their cars. Thanks to better policies and processes, the occurrence of this type of breach has dropped considerably.

On the other hand, hacking and ransomware pose an ever-increasing threat and are currently the number one cause of data breaches in healthcare, together with unauthorized access and disclosure.

In 2020 alone, 642 breaches (larger than 500 records) were reported to the Office of Civil Rights, with an average of 3849 records exposed per breach. That’s a 25% increase compared to 2019, which was also a record-breaking year. 2020 also saw the largest number of hacking incidents (429) with 25K records exposed per incident on average.

In 2021, health insurance company Excellus Health Plan paid 5.1 million USD to settle a data breach that affected over 9.3 million people.

Meanwhile, Reuters reported that a person’s sensitive health information is worth 10 times more to hackers than their credit card info on the black market.

Penalties for Non-Compliance with HIPAA

Data breaches, criminal attacks and employee negligence are just some of the threats that healthcare organizations need to neutralize. According to the recent KPMG cyber security report, 56% of healthcare executives believe that HIPAA violations and compromised privacy are their number one security concerns.

Non-compliance with HIPAA carries strict penalties like fines and mandatory audits for organizations. Fines apply to persons that willfully neglect to comply with HIPAA and range from $10,000.00 per violation to $50,000.00 per violation, up to $1.5 million per year for one “identical violation,” if corrective action is not taken in the case of willful neglect to comply with HIPAA.

Any impermissible disclosure of EPHI and non-compliance with HIPAA can result in a financial penalty. In some cases, it involves lawsuits against anyone who violates HIPAA in a Federal District Court and those lawsuits tend to include statutory damages.

If you fail to comply with HIPAA, you will be made to provide clarification on “wrongful disclosures” because it is a criminal offense to violate the Privacy Rule’s authorization requirements. HIPAA also contributes to the significant increase in civil money penalties for non-compliance.

HIPAA fines apply to anyone that willfully neglects to comply with the regulation and range from $10,000 to $50,000 depending on the violation. In extreme cases, fines can be as high as $1.5 million per violation.

The HITECH Act specifies four severity-based categories of violations and the maximum penalties associated with each:

  • The covered entity was unaware of the violation ($25,000)
  • The violation was not the consequence of neglect but had a reasonable cause ($100,000)
  • The violation was a consequence of neglect but was fixed by the entity ($250,000)
  • The violation was a consequence of willful neglect and was not fixed on time ($1.5 million)

The most common violations include disclosure of sensitive patient info due to theft or loss and careless handling of protected health information.

What Is the Largest Ever HIPAA Fine?

In late 2018, it was published that Anthem had agreed to pay $16 million to OCR as a settlement for the largest ever data breach in the healthcare industry after the EPHI of 79 million people had been exposed in 2015. The $16 million settlement eclipses the previous high of $5.55 million paid to OCR by Advocate Health Care in 2016.

5 Benefits of HIPAA Compliance

Maintaining compliance with HIPAA is important for many reasons. Here are the chief benefits of HIPAA compliance:

1. confidence that the organization will pass a federal audit in case there is a data breach

2. ensures that every employee knows how to handle patient information and establishes a culture of information governance

3. protects the organization’s reputation (as there will be a public record of any incidents, aka the HIPAA Wall of Shame)

4. helps with gaining and maintaining patient/client trust and loyalty

5. helps with risk management and reduces liability

How Email Archiving Helps with HIPAA Email Compliance

Although there are no specific HIPAA medical records retention requirements (each state has its own laws that govern their retention), there are requirements that cover HIPAA-related documents, including policies. The law stipulates that these documents should be retained for a minimum of 6 years after the document was created or was last in effect.

It’s also important to note that such HIPAA requirements preempt individual state laws, should they specify shorter retention periods.

Many official business decisions and documents, including policies, are communicated via email, shared in attachments or discussed in corporate chat systems. That’s why these channels need to be retained in order for a Covered Entity or Business Associate to meet compliance with HIPAA.

When it comes to HIPAA email compliance technology, many large healthcare organizations still opt for on-premise email archiving solutions because the data is stored internally and is under their control. However, there’s an increase in the adoption of cloud archiving software because of the improved cloud security, agility and ease of access for employees.

HIPAA Email Compliance Solutions: What to Look For

Apart from choosing the right deployment method, healthcare organizations should pay attention to the HIPAA email compliance requirements the archiving software should meet.

The most visible elements of a strong data archiving solution – like secure storage, access and recall and a partner that provides continuous monitoring and 24/7 support – are crucial to success in this area, but aren’t the only types of functionality needed.

Healthcare providers also need to follow specific regulations related to records retention, which means the archiving solution must have the framework for establishing and following retention rules and implementing new ones in the future should those requirements change. A focus on compliance above and beyond the general archiving of all emails, chats and other forms of digital communication eventually pays off.

Indexing and retrieval are also important aspects of archiving to consider. Complete, secure records only hold so much value if it’s difficult or time-consuming to find specific messages requested for an audit. With a strong indexing function that renders unstructured data into a searchable archive, worries about compliance with sometimes tight deadlines related to regulatory and legal needs can be left behind.

Archiving is an important consideration for health care providers, and finding the most effective system can make a very significant difference.

Here are the crucial functionalities your data archiving software should possess based on the safeguards listed in the HIPAA Security and Privacy Rules.

1. Support for various formats
The HIPAA compliance software should be able to capture and retain various formats of electronic communication (email, social media, instant messages, text messages, audio and video calls) depending on which channels are used for official communication.

2. User authorization and access controls
It should allow role-based access and different permission levels to ensure that sensitive patient info can be accessed only by specific people. Additional safeguards like multi-factor authentication are also advised.

3. Redaction
It should support data redaction to conceal sensitive or identifiable patient info in case of an open data request.

4. Prevent evidence spoliation
Electronic records must be preserved in a non-rewritable and non-erasable format. This means that the HIPAA compliance archiving solution must store data in a tamper-proof WORM format and be designed in a way that prevents deletion and alteration and preserves message content together with all the relevant metadata. The ability to verify message integrity is a nice bonus too.

5. Audit trail and monitoring
To prevent insider threats and misuse of information, the data archiving software should allow HIPAA compliance officers to keep track of user activities on the archiving platform, conduct HIPAA compliance monitoring, search for suspicious actions and respond to issues in a timely manner.

6. Data Backup
Every data archive should be backed up for data redundancy purposes.

7. Encryption
The archiving software should be able to ensure confidentiality of data contained in the archive, both in transit and at rest.
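
As an added illustration of the tamper-evidence and integrity-verification requirement in item 4 (example code written for this article's topic, not Jatheon's implementation), the Python example below chains each archived message and its metadata to the previous record with SHA-256, so an altered, removed or truncated record is detected on verification. The record layout, function names and sample messages are assumptions constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # anchor value for the first record's "prev" link

def record_digest(prev_hash, raw_message, metadata):
    """SHA-256 over the previous link, the metadata and the raw message bytes."""
    meta = json.dumps(metadata, sort_keys=True).encode()
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(len(meta).to_bytes(8, "big"))  # length prefix keeps fields unambiguous
    h.update(meta)
    h.update(raw_message)
    return h.hexdigest()

def append_record(archive, raw_message, metadata):
    """Append a message and return the new head hash (store it outside the archive)."""
    prev = archive[-1]["hash"] if archive else GENESIS
    digest = record_digest(prev, raw_message, metadata)
    archive.append({"raw": raw_message, "meta": metadata, "prev": prev, "hash": digest})
    return digest

def verify_archive(archive, trusted_head):
    """Recompute every link; report the first record that fails, or a head mismatch."""
    prev = GENESIS
    for i, rec in enumerate(archive):
        if rec["prev"] != prev or rec["hash"] != record_digest(prev, rec["raw"], rec["meta"]):
            return f"record {i} altered or out of sequence"
        prev = rec["hash"]
    if prev != trusted_head:
        return "head mismatch: archive truncated or rewritten"
    return "intact"

def build_sample_archive():
    """Constructed sample messages (not real data); returns (archive, trusted_head)."""
    samples = [
        (b"Subject: Appointment\r\n\r\nSee you Tuesday.", {"from": "clinic@example.org", "date": "2021-11-01"}),
        (b"Subject: Policy v2\r\n\r\nRetention policy attached.", {"from": "officer@example.org", "date": "2021-11-02"}),
        (b"Subject: Invoice\r\n\r\nPayment received.", {"from": "billing@example.org", "date": "2021-11-03"}),
    ]
    archive, head = [], GENESIS
    for raw, meta in samples:
        head = append_record(archive, raw, meta)
    return archive, head

if __name__ == "__main__":
    archive, head = build_sample_archive()
    print(verify_archive(archive, head))        # untouched archive
    archive[1]["meta"]["date"] = "2020-01-01"   # tamper with preserved metadata
    print(verify_archive(archive, head))
```

The head hash has to be kept somewhere the archive's administrators cannot rewrite, such as WORM media; without it, a chain that was truncated or fully recomputed after an edit would still verify.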

Jatheon is a tech company specializing in data archiving with 17 years of experience in providing secure email, social media and mobile archiving solutions to HIPAA-covered entities. To get more information on how Jatheon’s archiving software can help you meet HIPAA compliance, get in touch with us or book a short demo.

About the Author
Marko Dinic
As Jatheon’s CEO, Marko Dinic oversees new business development and has a leadership role in shaping the company’s vision, strategy, and product development. Outside work, he loves visiting places off the beaten path, investing, and space travel.
