In the field of healthcare, there is no relationship more sacred than the one between the doctor and the patient, and a breach of doctor-patient confidentiality is a grave offense. In the healthcare and health insurance sectors, email archiving is considered one way of safeguarding protected health information (PHI) and patients’ personal information.
Protected health information is defined by the U.S. Department of Health and Human Services as information about a patient’s health status, healthcare measures provided, and payment for such measures that is collected by a doctor, hospital, health insurance company, or other entities that have access to a patient’s medical history or otherwise provide healthcare to a patient.
In 2015, a large data breach exposed millions of patient records. Beyond revealing the health status and treatment regimens of the affected patients, the breach created the risk of that information being used for illegal activities such as obtaining free medical treatment and committing insurance fraud. In fact, the estimated value of PHI is higher than that of credit card information. Secure methods of storing and transmitting patient data are therefore essential.
While the Health Insurance Portability and Accountability Act (HIPAA) does not rule out using email to send protected health information or email archiving systems to store it, HIPAA does impose strict requirements on access to PHI, on its transmission and communication, on its integrity while at rest, on accountability for each message, and on access to PHI while it is in transit from one entity to another.
Right after the latest amendments to HIPAA were enacted, secure instant messaging was a viable alternative to email as a means of transmitting PHI and personal information. However, the sheer volume of medical data and the six-year retention period specified by HIPAA meant that email and email archiving were to become integral parts of communicating patient data, especially for large entities such as hospitals, insurance providers, and research institutes.
For these reasons, healthcare entities are turning to encrypted email archiving systems to protect PHI and related data. Encrypted email archiving works by encrypting every email at the source, before it is stored on the archive server. The archive also indexes the content of each record as soon as it is encrypted and stored, so that the information can be retrieved easily later.
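To make the "encrypt at the source, then store" model concrete, the following Go program is an added example written for this page; it is not code from any archiving vendor or from the original article. It assumes a single master secret held by the sender (a constructed value here; a real deployment would keep it in a key management service), derives separate encryption and index keys from it, seals each message with AES-GCM so that any tampering with the stored record is detected on retrieval, and ships only ciphertext plus HMAC-based blind index tokens to the archive, which can therefore answer keyword searches and keep an audit trail without ever holding plaintext or keys. The record ID, message text and keywords are all constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// ArchivedMessage is what the archive server receives and keeps: a nonce,
// AES-GCM ciphertext (with its authentication tag) and blind-index tokens.
// The plaintext never leaves the source system.
type ArchivedMessage struct {
	ID     string
	Nonce  []byte
	Cipher []byte   // ciphertext followed by the 16-byte GCM tag
	Tokens []string // HMAC(indexKey, keyword) for each distinct keyword
}

// Archive models the server side. It holds no keys, only records and an audit trail.
type Archive struct {
	records []ArchivedMessage
	audit   []string
}

// deriveKeys splits the master secret into independent encryption and index
// keys using HMAC-SHA256 with distinct labels (a simple KDF for this example).
func deriveKeys(master []byte) (encKey, indexKey []byte) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("archive-encryption"))
	encKey = mac.Sum(nil)
	mac = hmac.New(sha256.New, master)
	mac.Write([]byte("archive-index"))
	indexKey = mac.Sum(nil)
	return encKey, indexKey
}

// blindToken normalises a word and replaces it with a keyed hash, so the
// archive can match searches without learning the keyword itself.
func blindToken(indexKey []byte, word string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(strings.ToLower(strings.Trim(word, ".,:;!?()"))))
	return hex.EncodeToString(mac.Sum(nil))
}

// EncryptAtSource seals a message at the sender before it is handed to the
// archive. The record ID is bound as additional authenticated data so a
// ciphertext cannot be silently moved to another record.
func EncryptAtSource(master []byte, id, plaintext string) (ArchivedMessage, error) {
	encKey, indexKey := deriveKeys(master)
	block, err := aes.NewCipher(encKey) // 32-byte key selects AES-256
	if err != nil {
		return ArchivedMessage{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return ArchivedMessage{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return ArchivedMessage{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(plaintext), []byte(id))

	seen := map[string]bool{}
	var tokens []string
	for _, w := range strings.Fields(plaintext) {
		tok := blindToken(indexKey, w)
		if !seen[tok] {
			seen[tok] = true
			tokens = append(tokens, tok)
		}
	}
	return ArchivedMessage{ID: id, Nonce: nonce, Cipher: ct, Tokens: tokens}, nil
}

// SearchToken is computed by an authorised client; the server sees only the token.
func SearchToken(master []byte, keyword string) string {
	_, indexKey := deriveKeys(master)
	return blindToken(indexKey, keyword)
}

// Store accepts a sealed record and logs the event for accountability.
func (a *Archive) Store(m ArchivedMessage) {
	a.records = append(a.records, m)
	a.audit = append(a.audit, "store "+m.ID)
}

// Search returns the IDs of records whose blind index contains the token.
func (a *Archive) Search(token string) []string {
	a.audit = append(a.audit, "search "+token[:8])
	var ids []string
	for _, r := range a.records {
		for _, t := range r.Tokens {
			if t == token {
				ids = append(ids, r.ID)
				break
			}
		}
	}
	return ids
}

// AuditEntries reports how many store/search events the archive has recorded.
func (a *Archive) AuditEntries() int { return len(a.audit) }

// Decrypt opens a record; any change to nonce, ciphertext, tag or ID is rejected.
func Decrypt(master []byte, m ArchivedMessage) (string, error) {
	encKey, _ := deriveKeys(master)
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, m.Nonce, m.Cipher, []byte(m.ID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	master := []byte("constructed demo master secret; use a KMS in production")
	msg, _ := EncryptAtSource(master, "msg-1", "Patient Jane Doe: MRI scheduled, results pending.")
	var archive Archive
	archive.Store(msg)
	fmt.Println("hits for MRI:", archive.Search(SearchToken(master, "MRI")))
	pt, err := Decrypt(master, msg)
	fmt.Println(pt, err)
	msg.Cipher[0] ^= 0xff // simulate corruption or tampering of the stored record
	_, err = Decrypt(master, msg)
	fmt.Println("tampered record rejected:", err != nil)
}
```

The design choice worth noting is that the index is built from keyed hashes rather than from plaintext: the archive can satisfy a search request issued by an authorised client, and its audit log records who searched for which token, but a compromise of the archive server alone yields neither message content nor the keywords people searched for. The AES-GCM tag is what gives the at-rest integrity guarantee; a bit flip anywhere in the stored record, or an attempt to re-label a ciphertext with a different record ID, makes decryption fail rather than return altered PHI.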
Whether an email archive is operated by the healthcare entity itself or by an external provider, it must adhere to the guidelines specified by HIPAA. These cover not only retention and deletion periods but also internal IT network security, virtual private networks, secure wireless access, physical security, risk assessment and management, and audit controls, as well as workstation and device security, workforce management, training, and documentation.
Patients' protected health information and personal information are far too important to be kept on unencrypted email archiving servers. Before a healthcare provider decides to implement an archiving system in-house or off-site, it must therefore confirm that the system vendor or the email archiving service provider complies with HIPAA requirements.