Email Archiving in the Healthcare Industry – Guest Post

This guest post was provided by Ed Fisher on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. More information: email archiving software.

In today’s business environment, litigation is an increasingly common way to settle disputes, compliance is part of every business plan, and regulations reach into business processes everywhere. Email admins must concern themselves with far more than whether or not email is flowing. They must ensure that messaging meets the various regulations under which their business falls, and they may also have to deal with legal holds, compliance reviews, discovery motions, and internal policy enforcement.

An email archiving solution can assist with all of these tasks, and nowhere is this more important than in the Healthcare industry. Email is becoming the preferred method of communication, and since there are so many ways in which the Health Insurance Portability and Accountability Act (HIPAA) of 1996 can come into play with data sharing between providers and communications with patients, email archiving can be a very important, and potentially far-reaching, service you can add to your email system.

PHI data in email communications

HIPAA requirements are unique to the healthcare industry, but the scope of these requirements can extend well beyond the boundaries of the doctor’s office or hospital. Both the burden and the potential penalties for non-compliance have been increased by HITECH. Enterprises that deal with healthcare providers, including professional services companies like accountants, law firms and IT consulting practices, will find themselves subject to provisions of HIPAA and HITECH as soon as they take on a healthcare provider as a client.

One of the trickier aspects for messaging is that HIPAA specifically addresses the need to encrypt Personal Health Information (PHI) in email communications. It is very rare for healthcare providers to send PHI by email as most of them use specialized messaging systems to do this. However, this doesn’t mean healthcare providers are not sending or receiving email that, indirectly, affects the relationship between healthcare provider and the patient or that between the staff and their patients.

Other items could also be relevant to an investigation: appointment reminders and confirmations (which validate that the patient was notified); internal email discussions among doctors and nurses (not directly referencing a patient, but discussing treatments or scheduling); and even general HR emails noting that a doctor was absent due to illness (if the doctor was away on the date a patient was allegedly misdiagnosed, such a record would clear them of wrongdoing).

Many organizations, not only in healthcare, underestimate the importance of email in terms of content and intellectual property; being able to refer to emails sent six months earlier or last year can be of great benefit. Email archiving is not specifically called for within the text of HIPAA, but by maintaining a copy of every internal email message and of any message sent to or received from partners, vendors, and clients, you can prove conclusively that messages sent contained no PHI, and that any messages that did contain PHI were sent through the proper, encrypted channels.

Some people argue that email archiving is a double-edged sword – damned if you do, damned if you don’t. This is a rather naïve way of looking at email archiving. If you do archive your email, you have assurance that you comply with any regulations in place and if you are subject to legal requests for information that may be traced through an email, you have the ability to find it.

Now the counter argument would be, ‘well, if I don’t have an email archived, I can’t be condemned because the evidence is not there’. Wrong. If you don’t have the email, someone else certainly does and suddenly you’ve found yourself in a worse situation once the evidence is presented.

Proving that you made the effort at attaining compliance is preferable to doing nothing at all.

Document retention

With email archiving, you can also meet the document retention requirements specified within HIPAA. HIPAA mandates a six-year retention period for information related to PHI. That can be six years from the creation of a message, or from the last date on which the message can be considered relevant. As more communications move from in-person, telephone, and facsimile to email, patient requests and healthcare professionals’ responses will follow suit. An email archiving solution makes it easy to retain these communications for the six-year timeframe, as well as to automatically purge those communications which are older than six years or tagged as no longer relevant.
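The retention rule above (six years counted from the later of a message’s creation date and the last date it was relevant) and the legal holds mentioned in the introduction are the two things a purge job must get right. The following is an added illustration, not code from the original post or from any GFI product: the message fields, the hold flag and the sample archive are all constructed for the example, and a message under legal hold is never purged regardless of age.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Six-year retention period for PHI-related records, as stated in the post.
RETENTION_YEARS = 6


@dataclass
class ArchivedMessage:
    """Minimal archive record; field names are assumptions for this example."""
    msg_id: str
    created: date
    last_relevant: Optional[date] = None  # e.g. last date the matter was active
    legal_hold: bool = False              # set by legal/compliance, clears manually


def add_years(d: date, years: int) -> date:
    """Add calendar years, clamping Feb 29 to Feb 28 in non-leap target years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_expiry(msg: ArchivedMessage) -> date:
    """Retention clock starts at the later of creation and last-relevance date."""
    anchor = msg.created
    if msg.last_relevant is not None and msg.last_relevant > msg.created:
        anchor = msg.last_relevant
    return add_years(anchor, RETENTION_YEARS)


def purge_eligible(msg: ArchivedMessage, today: date) -> bool:
    """A legal hold overrides the retention schedule; otherwise purge once expired."""
    if msg.legal_hold:
        return False
    return today >= retention_expiry(msg)


def run_purge(archive: List[ArchivedMessage], today: date) -> Tuple[List[str], List[str]]:
    """Return (purged_ids, retained_ids); the purge itself is only simulated here.

    An audit line per decision is what a compliance reviewer would later ask for.
    """
    purged, retained = [], []
    for msg in archive:
        if purge_eligible(msg, today):
            purged.append(msg.msg_id)
            print(f"PURGE  {msg.msg_id} expired {retention_expiry(msg)}")
        else:
            reason = "legal hold" if msg.legal_hold else f"retain until {retention_expiry(msg)}"
            retained.append(msg.msg_id)
            print(f"KEEP   {msg.msg_id} ({reason})")
    return purged, retained


# Constructed sample archive (no real messages or patients).
SAMPLE_ARCHIVE = [
    ArchivedMessage("m1", date(2005, 3, 1)),                        # plain six years from creation
    ArchivedMessage("m2", date(2005, 3, 1), last_relevant=date(2008, 6, 15)),  # clock restarted
    ArchivedMessage("m3", date(2004, 1, 10), legal_hold=True),      # old, but held
    ArchivedMessage("m4", date(2004, 2, 29)),                       # leap-day creation date
]

if __name__ == "__main__":
    run_purge(SAMPLE_ARCHIVE, date(2012, 1, 1))
```

Run on 2012-01-01, the job purges m1 and m4, keeps m2 until 2014-06-15 because its relevance date restarted the clock, and keeps m3 solely because of the hold. In a real deployment the hold flag should come from a source the mail administrator cannot edit alone, and the audit lines should go to tamper-evident storage rather than stdout.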

Search and discovery

An email archiving solution is also an excellent way to access the repository of information contained within the combined emails of a company. Consider how much of your own email is saved because it contains data or instructions that simply don’t exist anywhere else. An email archiving solution can empower a user to search their own archived messages for all content related to a search string, such as a patient’s name; it can also enable an authorized user to search across all users’ email for information related to a patient, a condition, a particular medicine, or any other topic. There may well come a day when you must do this in response to a legal order, but there will also be plenty of times when you need to find a key piece of information, or simply want to spot check to ensure that all users are following the policies in place to protect patients’ PHI.

With an email archiving solution in place, healthcare providers not only position themselves to show compliance, review users’ actions, and meet current document retention requirements, they are able to build up a historical repository to meet future needs. The health care provider is also able to take advantage of the many benefits of an email archiving solution that are common across all enterprises, including storage, search, and business continuity.

All product and company names herein may be trademarks of their respective owners.

Full Disclosure: GFI Software Ltd. is an advertiser on EMR and HIPAA.

About the author

John Lynn

John Lynn is the Founder of, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference,, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • John,

    “It is very rare for healthcare providers to send PHI by email as most of them use specialized messaging systems to do this.”

    YGTBKM! Rare? As you’ve shown, the definition of PHI gets more blurred by the day.
    My experience tells a completely different story and this is completely wishful thinking!
    I say, the sky is falling and this is the tip of the iceberg! Cuz, there’s a whole lot of bad communicatin going on out there…
    Awesome post, BTW. Blew me right out of my chair, Thanks, I think.

  • packets,
    Maybe the post should have said “intentionally send PHI.” I think very few do that.

    Unintentionally…well, that’s a whole other story.

  • John,
    If the send button is clicked, it’s intentional…No?
    You might be surprised how many practices wrongly believe Gmail is “encrypted” and therefore compliant.
    As you know, there is so much misinformation out there about secure e-communications and HIPAA/HITECH requirements.
    Example: The majority of Dental PM software conveniently allows an email to be sent from within the program, which uses that machine’s default email program (i.e., Outlook, Outlook Express, etc.), and because it’s launched from within their “HIPAA compliant” application, it must be okay, Right?
    Question: Does it take a single email sent with PHI to fail an audit and be non-compliant?
    This post reminded me, it’s better to be safe than sorry…so, when in doubt, don’t send!

  • packets,
    How many HIPAA audits have been done? I believe most are just in response to a reported incident.

    I agree that many really don’t understand that email (like Gmail) isn’t encrypted. That’s part of what I mean by not intentional. The other part is people’s misunderstanding of what’s PHI.

    To be honest though, I think most doctors actually do what you say in the last line. They avoid any patient communication in things like email just cause they don’t know.

  • Hi,

    I enjoyed the article.

    I do wish though that specific references were given when it is suggested that certain practices are “required” under one regulation or another. While I generally agree with the content of the article, I have had a great deal of difficulty finding hard evidence to back up these types of claims. Thus, when I make a recommendation to my executive team for more resources it falls flat.


  • Hello…

    I’d gathered such information when reading this article. Email Archiving in the industry of healthcare might be very useful. Hope it will be implemented.
