Meeting HIPAA and Sarbanes-Oxley’s Discovery Requirements


For very different reasons, federal healthcare and financial statutes require strict archiving and e-discovery procedures. How can you optimize your email archives with legal and compliance considerations in mind?

Does a legal discovery or proof of compliance request send your company into a whirlwind? Or can you quickly tap your archives and produce the information requested, confident that the data is complete and that chain of custody has been preserved from end to end? What if that discovery request calls for information from email-based records?

By now, you’re probably familiar with the data protection and privacy requirements of the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX) and other federal regulations that govern your business. But that governance extends well past the data, whether paper-based or electronic, that circulates daily through your company; it also covers all the information stored in your archives.

Social Media: Save It All?

Social media apps have also created a nightmare for those charged with managing records. Email long ago (well, in cyber terms, anyway) became an acknowledged form of recording important business information. Now, social networking threatens to further strain data management departments already bursting at the seams. In fact, market researchers at Gartner predict that by 2014 “social networking services will replace email as the primary vehicle for interpersonal communications for 20 percent of business users.”[1]

Overwhelmed with data, and with more on the way, companies struggle to gather, sort, record and classify the ongoing barrage. And much of the information is structured differently from data generated by more traditional sources. The landscape has changed so quickly that many companies just sit on data, afraid to remove it from their websites or archives. But as time-sensitive e-discovery requests occur more frequently, is that really the right approach? After all, your archived data must be auditable and accessible, two goals that may remain outside your reach if you keep everything or if you fail to optimize your archives to accommodate email and other electronic forms of information.

Wait, Don’t Hit “Delete”

Every type of business seems to be reaching out and touching the public via social networks, blogs, email and other so-called Web 2.0 applications. And the public is responding. But do those communiqués constitute must-save records? Before you can develop a rock-solid archiving strategy that includes discoverable email records, you need to know what data to protect and how to protect it. The first step? Know the law. Information privacy, data-integrity protections and retention obligations are essential elements of both HIPAA and SOX. Both set forth guidelines and, in some cases, mandates for handling email records.

HIPAA specifically sets standards to preserve the integrity of email-based patient information, secure its transmission and control access to it. The act’s Security Rule governs any information that an organization “creates, receives, maintains or transmits in electronic form.” At the heart of its requirements: encryption and privacy.

Under SOX, any email that contains or accompanies documents that contain discoverable information about your business must be retained and is auditable. That means you must compile, archive and secure email histories. How long you keep the email records in your archives depends on the nature of the record. Bank statements and accounts payable ledgers, for instance, must be retained for seven years, while deeds, contracts and accountants’ audit reports are permanent records.

Get Up to Speed—Now

If your company is like most, you’ll need to optimize your archiving game plan to meet the rigors of HIPAA and SOX, among other regulations. Here’s what to do:

1. Identify vital information. By now, you should know the type of information litigators or regulators might request. Be sure you give it top priority in your archiving scheme.

2. Control your information. When an e-discovery request comes your way, you must be able to navigate any and all of your physical and digital records.

3. Develop an archiving policy. Determine how your company should handle email-based records, and spell it out.

4. Build a retention schedule. Every record has a lifespan. Develop and implement a sensible and legally credible schedule that defines how your organization must retain each type of record. Consider all relevant legal, regulatory, business and compliance obligations.

5. Ensure a secure chain of custody. You need constant and consistent knowledge of and access to all records. What’s more, you may very well have to offer proof to litigators that email records have been preserved and secured every step of the way.

6. Bring in a partner. You may not feel you have the IT resources to ensure that your archives can accommodate email records. Consider turning to a trusted third party to bring in the archiving expertise and intimate knowledge of HIPAA and SOX that you need.

No matter what form they take, your archived records must be in order, easily accessible and secure to meet HIPAA and SOX requirements and fulfill e-discovery requests.

[1] “Gartner Reveals Five Social Software Predictions for 2010 and Beyond,” 2/2/10.

Get to Know SEC Rule 17a-4

A whole slew of regulations should inform your archiving strategy. But you’d be wise to pay particular attention to the Securities and Exchange Commission’s Rule 17a-4, which brought Wall Street to its knees a few years ago. It requires that data be stored so it’s easily recoverable for an audit. Under the rule, you must have written and enforceable retention policies, a searchable index of all stored data, viewable and readily retrievable data and offsite storage of data.

Iron Mountain Recommends: The Partnership Advantage

The right partner makes all the difference in how you construct your archives. It can also help you keep email records well protected and easily accessible. With these goals in mind, select a partner that:

  • Understands regulatory requirements. The regulatory environment is fluid and dynamic. It’s virtually impossible to keep up with all the twists and turns. Wouldn’t you rather hand that responsibility over to a trusted expert so you can concentrate on your core business?
  • Makes security a priority. Regulations like HIPAA and SOX demand that you protect data end-to-end. Your partner must have stringent security measures in place to guard against breaches and ensure proper chain of custody.
  • Tracks data. Your data must be auditable—and that means accessible. A worthy partner can label, index and track your files.

Do you have questions about data backup and recovery? Read additional Knowledge Center stories on this subject, or contact Iron Mountain’s Data Backup and Recovery team. You’ll be connected with a knowledgeable product and services specialist who can address your specific challenges.
