Email Archiving Compliance

Email archiving compliance consists of copying emails as they pass through the mail server and storing the copies separately in a read-only format, creating an immutable, tamper-proof library of documentation. As emails are copied, they are indexed so that future searches for audits, litigation, internal enquiries, etc. can be performed quickly and easily.

Email archiving has multiple advantages. If an employee accidentally deletes or misplaces a business-critical email, it can be quickly and easily restored. On a larger scale, if an organization suffers an outage or a ransomware attack on its email database, having an immutable library of archived emails readily available supports disaster recovery and business continuity.

Ideally, organizations should maintain email archives off-premises, and preferably in the cloud. Cloud email archiving solutions free up on-premises storage space, improve the performance of mail servers, and ensure business continuity in the event of an on-premises disaster. More importantly, cloud solutions have the required levels of security to support email archiving compliance.

What is Email Archiving Compliance?

The term email archiving compliance is fairly self-explanatory. It means archiving emails in compliance with the regulations a business is subject to so emails can be retrieved, reviewed, and restored as necessary. For example, if an organization is subject to HIPAA email compliance, it means having the capability to comply with patients exercising their HIPAA rights to access or transfer copies of Protected Health Information (PHI).

Generally, compliance is determined by three factors – security, permanence, and auditability. This means that emails must be stored in an environment that protects against loss, theft, or damage; stored in their original state; and accessible when required. To comply with some state laws, emails also have to be individually identifiable so they can be erased if a data subject requests that their data be deleted.

For these reasons, backing up emails is no substitute for archiving them. While it is possible to back up and store emails securely, gaps can exist between when an email is sent, received, or shared and when a copy is made – during which time the email could be amended or deleted. Additionally, searching an unindexed database of emails to comply with a disclosure requirement may not be manageable within the time allowed – potentially attracting financial penalties.

Complying with Email Archiving Requirements Can be Challenging

There are multiple challenges to email archiving compliance. Some emails may have to be archived longer than others depending on the industry or the location a company operates in, and some may have to be retained indefinitely. For example, SOX 802 applies different data retention requirements to public companies depending on the nature of data “relevant to audit or review”:

  • Customer invoices must be retained for five years.
  • Accounting records and tax returns must be retained for seven years.
  • Bank statements, payroll records, and training manuals must be retained permanently.

Naturally, it is impractical to retain every email forever. The amount of storage required would be colossal and the cost of that storage astronomical. Therefore, it is important to have an indexing system in place that tags emails according to the nature of the data in their content and automatically deletes archived emails once the appropriate retention period has expired – if at all.

Tagging an email to be deleted in five or seven years – or not at all – is a fairly simple operation, but email archiving compliance is rarely that simple. If an organization operates in multiple states, different data retention requirements may apply to the same type of data. For example, in the healthcare profession, state laws dictate how long medical records have to be retained. In some states, this can be as short as three years, while in neighboring states it could be as long as eleven years.
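The two paragraphs above describe tagging emails by data type and purging them only once every applicable retention period has expired. The following is an added example, not code from the original article or from any archiving product: a small retention resolver that takes an email's tags and the jurisdictions an organization operates in, applies the longest applicable period (or holds the email permanently), and decides whether an archived copy is eligible for purging. The rule table uses the article's SOX 802 periods plus two hypothetical state medical-record periods (`state_A`, `state_B`) standing in for the three-year and eleven-year cases.

```python
from datetime import date

PERMANENT = None  # sentinel: never eligible for automatic deletion

# Retention in years keyed by (jurisdiction, tag). Federal rows follow the
# SOX 802 examples in the text; the state rows are constructed placeholders.
RETENTION_YEARS = {
    ("federal", "customer_invoice"): 5,
    ("federal", "accounting_record"): 7,
    ("federal", "tax_return"): 7,
    ("federal", "bank_statement"): PERMANENT,
    ("federal", "payroll_record"): PERMANENT,
    ("federal", "training_manual"): PERMANENT,
    ("state_A", "medical_record"): 3,   # hypothetical short-retention state
    ("state_B", "medical_record"): 11,  # hypothetical long-retention state
}


def resolve_retention(tags, jurisdictions):
    """Years to retain, or PERMANENT. The longest applicable period wins,
    because purging early breaks the stricter rule while keeping longer
    only costs storage. An email matching no rule is held (PERMANENT)
    rather than purged, so unclassified data is never silently destroyed."""
    longest, matched = 0, False
    for jurisdiction in jurisdictions:
        for tag in tags:
            if (jurisdiction, tag) not in RETENTION_YEARS:
                continue
            matched = True
            years = RETENTION_YEARS[(jurisdiction, tag)]
            if years is PERMANENT:
                return PERMANENT
            longest = max(longest, years)
    return longest if matched else PERMANENT


def expiry_date(archived_on, tags, jurisdictions):
    """First date on which the archived copy may be purged, or None."""
    years = resolve_retention(tags, jurisdictions)
    if years is PERMANENT:
        return None
    try:
        return archived_on.replace(year=archived_on.year + years)
    except ValueError:  # archived on 29 Feb, target year is not a leap year
        return archived_on.replace(year=archived_on.year + years, day=28)


def purge_eligible(archived_on, tags, jurisdictions, today):
    """True only when every applicable retention period has elapsed."""
    expiry = expiry_date(archived_on, tags, jurisdictions)
    return expiry is not None and today >= expiry
```

Because an email can carry several tags, one permanent-retention tag (for example a payroll record quoted in an invoice thread) pins the whole message, which is the behaviour an auditor expects.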

Considerations for HIPAA Compliant Email Archiving

Not all email archiving solutions are the same. For example, some solutions archive email data periodically rather than in real time. This can cause issues with email archiving compliance, as the opportunity exists to amend or delete emails before the archiving solution has copied them. If email data that an organization later relies on in a judicial or regulatory hearing is found to be inaccurate, it could have a significant impact on the outcome of the hearing.

Therefore, organizations subject to HIPAA compliance should evaluate email archiving solutions that archive and index emails in real time. It is also advisable to consider software that deduplicates email data before it is archived to reduce storage capacity requirements, accelerate searches, reduce the number of search results, and make the navigation of results easier.

Email data should be stored in a tamper-proof repository that complies with the Physical Safeguards of the HIPAA Security Rule, from where it is remotely accessible by date, by user, or by tag, provided that the user requesting access has the appropriate permissions. Transmissions should be conducted over encrypted channels, and the vendor of the HIPAA compliant email archiving solution must be willing to enter into a Business Associate Agreement.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]