HIPAA compliant migrations

Clear Visibility

If your aim is to make your chosen new archive or email platform a one-stop shop for email HIPAA compliance, Information Governance and eDiscovery, you should start with a very clear picture of the legacy email records you have and where it resides. 

Inadvertent exclusion of legacy archived data is commonplace, with typical culprits including:

• Broken archives (for example, where data exists in the archive but is no longer accessible via conventional links),
• Backups and failover copies of archive stores (e.g. in off-site locations),
• Individual users’ archives (i.e. PST files). These are also notoriously difficult to track and can exist on local systems as well as on network shares.

Only once you have a firm grip on what data you have and where it is, can you start to move it and manage it in accordance with your data retention needs (it is typically the governing state that determines how long each different type of protected health information (PHI) record is retained).

Any data ‘left behind’ on network servers or personal laptops risks being forgotten about and unprotected, massively compromising the ongoing security of PHI.

Secure Transfer

Protecting your data ‘in transit’ is a vital component of being HIPAA compliant.

Consider how you are going to transfer your data and seek the necessary security assurances.

For example, if your move involves interim steps, such as writing to PST files, physically shipping them to a cloud service and then having a third-party responsible for uploading them to the correct target mailboxes, the separate steps of creating the pre-requisite PST files and writing them to disk, and then performing the reverse at the ‘receiving end’ introduces a potential for loss of chain-of-custody and risk of inadvertent mistakes or malicious tampering – even if on-disk encryption is used.

An end-to-end network-based transfer that moves your data direct from the source archive to target over a secured network connection is perhaps a more desirable option as it eliminates the potential for human error and human intervention.

Good Data Governance

HIPAA demands physical, administrative and technological standards are put into place in order to prevent client data from getting into the wrong hands.

Having emails ‘end up’ in the wrong place post-migration can have adverse information governance consequences.

Here are some examples of issues which should be addressed as you migrate:

• How will legacy archives be matched up to the right owners – e.g. following a surname-change through marriage?
• Will emails that have been deleted suddenly re-appear post migration or end up in the wrong folder? This can happen if the migration does not take into the account the current status of shortcuts to archived items as they exist in users’ mailboxes.
• If you plan to migrate a legacy journal archive into say, Microsoft Office 365, will all the data be fully protected and discoverable in the new Office 365 compliance model? This includes BCC’d recipients and those individuals that were part of a distribution list?
• Are there safeguards to correctly identify the owners of PSTs?

Assured

Can you vouch that your data move has been carried out in accordance with HIPAA demands – and can you prove it?

Regardless of the migration approach taken, it is vital to be able to prove that:

• Your email records have remained unchanged throughout the migration process.
• All data has been successfully and securely tracked through to receipt by the next stage or custodian (e.g. where using Microsoft Drive Shipping).
• All migrated data and related metadata – especially journal archives where these are to migrated – is properly reconstructed and discoverable in the new platform. For example, Microsoft explicitly prohibits the use of a single user’s In-Place Archive for storing items belonging to multiple users.  Apart from this contravening Microsoft licensing models, it has an impact on securing and searching data during any eDiscovery exercise.

Having these assurances means that potentially sensitive patient information has been handled in a manner which allows no doubt that it could have been accidentally or deliberately tampered with or exposed to unauthorized parties.

Also, following successful migration of your new platform, it is best practice to comprehensively manage the disposition of emails ‘left behind’.