Explore TransVault™

HIPAA compliant migrations

Could your migration risk compliance?

Over the years organizations have struggled to interpret, define and successfully apply information security and retention policies.  The health sector is not alone in this challenge.

HIPAA demands that appropriate security guards are put into place to avoid personal health information being put into the wrong hands or being inadvertently altered or destroyed.

This applies to the situation where data is at rest and in flight – which of course includes the scenario where data is being migrated to a new platform.

There are also the general concerns that most organizations have when moving data, which include ensuring completeness and fidelity, such that the results of any future eDiscovery could be rendered unreliable and unacceptable when they are needed most, for example, when trying to win or defend a court case.

Critically, where the process of consolidating (migrating) existing data records is executed without a firm handle on the compliance issues and pitfalls at stake, the move could significantly compromise a successful outcome.

Likewise, a compliance-led migration that is not people-centric in its approach will result in a significant productivity impact to busy health care workers.

TransVault addresses key areas that every healthcare organization should think about as it moves its data to a new platform.

The big thing for me was the quality of the TransVault migration. Aside from ensuring staff could still access their emails, we have requirements around email retention consistent with most organizations. We also need to be consistent with regulatory and legal requirements to keep certain email records fully intact and discoverable, and not compromised as a result of the move.

Michael Day
Vice President of Information Technology
Daughters of Charity Health System

Read the case study

Clear Visibility

If your aim is to make your chosen new archive or email platform a one-stop shop for email HIPAA compliance, Information Governance and eDiscovery, you should start with a very clear picture of the legacy email records you have and where it resides. 

Inadvertent exclusion of legacy archived data is commonplace, with typical culprits including:

  • Broken archives (for example, where data exists in the archive but is no longer accessible via conventional links),
  • Backups and failover copies of archive stores (e.g. in off-site locations),
  • Individual users’ archives (i.e. PST files). These are also notoriously difficult to track and can exist on local systems as well as on network shares.

Only once you have a firm grip on what data you have and where it is, can you start to move it and manage it in accordance with your data retention needs (it is typically the governing state that determines how long each different type of protected health information (PHI) record is retained).

Any data ‘left behind’ on network servers or personal laptops risks being forgotten about and unprotected, massively compromising the ongoing security of PHI.

Secure Transfer

Protecting your data ‘in transit’ is a vital component of being HIPAA compliant.

Consider how you are going to transfer your data and seek the necessary security assurances.

For example, if your move involves interim steps, such as writing to PST files, physically shipping them to a cloud service and then having a third-party responsible for uploading them to the correct target mailboxes, the separate steps of creating the pre-requisite PST files and writing them to disk, and then performing the reverse at the ‘receiving end’ introduces a potential for loss of chain-of-custody and risk of inadvertent mistakes or malicious tampering – even if on-disk encryption is used.

An end-to-end network-based transfer that moves your data direct from the source archive to target over a secured network connection is perhaps a more desirable option as it eliminates the potential for human error and human intervention.

Good Data Governance

HIPAA demands physical, administrative and technological standards are put into place in order to prevent client data from getting into the wrong hands.

Having emails ‘end up’ in the wrong place post-migration can have adverse information governance consequences.

Here are some examples of issues which should be addressed as you migrate:

  • How will legacy archives be matched up to the right owners – e.g. following a surname-change through marriage?
  • Will emails that have been deleted suddenly re-appear post migration or end up in the wrong folder? This can happen if the migration does not take into the account the current status of shortcuts to archived items as they exist in users’ mailboxes.
  • If you plan to migrate a legacy journal archive into say, Microsoft Office 365, will all the data be fully protected and discoverable in the new Office 365 compliance model? This includes BCC’d recipients and those individuals that were part of a distribution list?
  • Are there safeguards to correctly identify the owners of PSTs?

Assured

Can you vouch that your data move has been carried out in accordance with HIPAA demands – and can you prove it?

Regardless of the migration approach taken, it is vital to be able to prove that:

  • Your email records have remained unchanged throughout the migration process.
  • All data has been successfully and securely tracked through to receipt by the next stage or custodian (e.g. where using Microsoft Drive Shipping).
  • All migrated data and related metadata – especially journal archives where these are to migrated – is properly reconstructed and discoverable in the new platform. For example, Microsoft explicitly prohibits the use of a single user’s In-Place Archive for storing items belonging to multiple users.  Apart from this contravening Microsoft licensing models, it has an impact on securing and searching data during any eDiscovery exercise.

Having these assurances means that potentially sensitive patient information has been handled in a manner which allows no doubt that it could have been accidentally or deliberately tampered with or exposed to unauthorized parties.

Also, following successful migration of your new platform, it is best practice to comprehensively manage the disposition of emails ‘left behind’.

Seamless For Staff

Neglecting the needs of busy healthcare workers when migrating archives can have a hugely negative effect on productivity, and ultimately impact the wellbeing of patients, where every second can count.

Your chosen migration route should ideally take place with minimal downtime and no negative impact on staff.   And, as outlined in point 3, it should ensure all the right data is migrated accurately, for all the right people.

We always advise that staff are consulted in what data is migrated, and fully briefed on how to access their archives post-migration.

You benefit when you work with TransVault™

  • Certified by Microsoft™
  • Unparalelled scalability
  • Content level control
  • Manage and migrate content in line with policies
  • Fully compliant – complete chain-of-custody
  • Advanced control
  • Runs on-prem or in Azure
  • Proven in over 1,750 enterprise migrations

“TransVault has been very helpful on this complex issue of EV Notes to EV Exchange migration planning. Outstanding support from very knowledgeable engineers. Thank you!”

Salim Othman - Bluesource Information Ltd

“Thanks very much for the support provided to a fledgling TransVault engineer; much appreciated!”

Derek Lewinson - EMC

“I have to say that I have been impressed by TransVault's agility and flexibility throughout our Office 365 migration project”

Messaging Specialist - Large IT Services Company

“One of the biggest challenges in archive migrations is that there is always something different. I can go to TransVault and my problem goes away very quickly. I've worked with many new partners in Symantec and we've never had the support like we do from TransVault. I've yet to see another partner who can deliver like that.”

David DeMings - Symantec

“I'm not sure if you have visibility on this, but wanted to drop a quick note of THANKS for your help in getting such quick support and turnaround. It was very important to our client, and I think they were impressed that TV really stepped up and took responsibility for getting the job done.”

Dan Sullivan - US Amplify

“TransVault has pioneered the migration market space and has produced a benchmark whereby all migration companies are measured.”

Dennis Wild - Product Manager, Archiving (IAP) at Hewlett-Packard

“You guys are legend!!! Thanks very much!!!!!!!!!!!!!!!!”

Max Massioni - Consultant, Bluesource

“I figured I'd share some feedback regarding TransVault. I must confess that these migration rates are certainly amazing now that the processes are running. A good average throughput comes to just roughly under 20GB per hour. Not one other tool in the market produces these results! I guess I couldn't keep this to myself.”

Chris Mathe - Account Executive, US-Amplify

“Archive migrations are technically (and politically) challenging projects. Our archiving expertise, combined with our project management methodologies and Transvault's advanced archive migration capabilities, enable us to meet customer requirements that are completely out of reach for any sort of "brute force" approach ”

JD Creedon - GlassHouse

“We're one of Microsoft's go-to partners for migrations to Office365. TransVault enables us to add significant value for both Microsoft and our customers by selectively migrating archived mail directly to Office365 along with mailboxes and live mail.”

Jerry Martin - Core BTS

“TransVault's partner certification a challenging and tough yet well written exam for a terrific product.”

Ben Shorehill - Insentra

“TransVault Insight has been designed and developed by a team that understands the business needs of orgs. This team has worked with large global 2000 enterprise customers with 100ks of employees dispersed across multiple global server sites.”

Andrew Moffat - Founder of Educom (Original author of EAS)

“On Monday morning our users came in to find all their e-mails and address books intact and fully functional. We could just get on with business as usual.”

Eugene vanVueren - IT manager - Webber Wentzel Bowens

“I would say that the project was very well co-ordinated and went about as smooth as it can go!”

John Twilley - Senior Network Engineer - Catalina Marketing

“I would like to give you all a huge thank you for all your hard work and effort that was put into finding such a speedy solution to migrating Japanese messages. This quick solution has put us in a seriously good light with our client. You guys have an unbelievably professional team and are an absolute pleasure to work with.”

Warren Marks - Senior Engineer - SOARsoft Africa