Email compliance – Never give up, never surrender!

Karl Palachuk

Email has long been the “killer app” of the Internet. Discussion forums are awesome. FTP and even WWW are awesome. Facebook and LinkedIn are amazing. And on and on.

But email has always dominated. Everyone uses it. Everyone CAN use it. Eventually, everyone who tries the Internet and decides to continue using it uses email. Everything else is just a little bit more work or a little bit less convenient.

Using email is comfortable and easy. For people who don’t love technology and don’t want to just dive in and explore all the details, email is accessible. Everyone can do it: attorneys, doctors, pharmacists, accountants, school administrators, insurance agents, psychologists, ministers, printers, ad execs, and stock brokers. Everyone.

The problem with the warm, fuzzy love of email is that it is frequently used inappropriately. I just had a discussion with a coaching client who supports an eight-person company with a 132 GB Exchange store. And you know what that means: One or two people account for eighty percent of that total. And as my friend tells it, archiving hasn’t worked. Moving things to public folders hasn’t worked.

That client, like so many others, simply refuses to use email in a rational way. They could be posting files to a cloud share and emailing the links. If they didn’t have 80GB OST files, they could move their email to a hosted service. They could set up a SharePoint site. Or a hundred other solutions.

The alternatives to bloated email are better and more numerous than ever. But, unfortunately, size is the oldest and least critical problem that business owners face.

The modern problem with these rogue email users is that they use email in ways that are often illegal and unsafe. Some of these are sins of omission (e.g., not archiving) and some are sins of commission (e.g., emailing patient records).

Unfortunately, managing email is no longer a minor chore that you can ignore. First, it has become more complex. Second, your clients are required to handle email in specific ways. And third, you are sometimes required to take actions that enforce your clients’ behavior. All of that adds up to several layers of “maintenance” that didn’t used to be part of our job.

Best Practices, Industry Standards, and Legal Requirements

The great irony of email management is that some “best practices” from the past would keep all of your clients legal and in compliance with their industry’s standards. However sensitive data is defined in a specific industry, for example, the best practice of 'not emailing sensitive data' would solve a lot of problems. Or encrypting that email. And, obviously, a good archiving/backup system will solve most of the rest of the problems.

The problem for consulting companies today is that many clients appear not to care. I am shocked at how complacent many doctors are about HIPAA – especially the HITECH Act. HITECH (the Health Information Technology for Economic and Clinical Health Act) regulates the technical requirements for HIPAA (the Health Insurance Portability and Accountability Act). The penalties are quite severe.

Small medical facilities are particularly prone to believing that they are immune from this act. It’s not that they think it doesn’t apply. They think they’re too small for the government to go after. For five years now we’ve been warning them that the government will crack down. But crackdowns have been rare and so it’s hard for doctors to get very worried.

Well, times they are a-changing. You – the IT provider – are now responsible for the data you maintain. You need to be HIPAA trained and you need to document your processes. And all the email systems you touch need to have HIPAA-compliant processes. So you have become the next layer of maintenance! Here’s what I mean.

In the old days, maintaining an Exchange server consisted of:

  1. Make sure Exchange services are running
  2. Apply patches as needed
  3. Maintain a good backup

But now the world is a lot more complicated. That old stuff is now one simple process called maintenance. It addresses the immediate internal needs of the client. Please add to this an additional five layers of administration:

  4. Filter for spam with a hosted spam filter
  5. Archive if required by industry requirements or law
  6. Encrypt if required by industry requirements or law
  7. Monitor for breaches and report as required by industry or law
  8. Maintain your own internal processes sufficient to comply with the highest combined requirements of all of your clients

More and more industries are either regulating themselves or being regulated by a government. As I mentioned earlier, some of the restricted behavior should be best practices or common sense. But remember where we started the discussion: Email is easy!

When you encrypt the email, it’s not as easy. When you store things in a secure cloud environment, it’s not as easy. Clients already know how to email – and attach x-rays if necessary.

Stand Your Ground – And Provide Services

Many consultants have not really thought about the changing environment for email. They extended the maintenance to include archiving, encryption, etc. And they’ve argued with their clients about best practices. But most have backed down and let the client keep doing what they’re doing.

HIPAA is the biggest example of how this can get you in trouble. In other countries, such as Canada, the most obvious example is the requirement that certain data stays within Canadian borders. You can be fined for violating these laws. In other words, you can be fined if you do not properly enforce these rules with your clients.

Clients literally cannot do whatever they want to do. Those days are gone.

I recommend that you take a stand and enforce your position on this. If you’ve been like your clients and assumed that you’re too small to worry about, you may have a big surprise coming. It’s much better to set standards that are compliant with all the industries you serve. That’s what data centers do. Their web sites are plastered with all their certifications for HIPAA, ISO, AICPA/SOC, SOX, SSAE, and so forth.

It’s hard to buy non-compliant data center services. That’s the way your business should be. Only offer and maintain HIPAA compliant email services. Include archiving in your pricing. Include encryption in your pricing.

I firmly believe that we are entering an era where you will be charging extra for clients who refuse to comply with best practices, common sense, and their own industry’s requirements. When a client asks why it’s so much money, you can simply say that it pays for your liability insurance policy.

Of course I also encourage you to train your clients. Hold classes on encryption, archiving, and best practices. Explain why you do what you do. Educate them on the advantages as well as the compliance. You’ll convince a few, educate a lot, and maybe even gain some new clients.

In terms of the eight elements of email maintenance listed above, I encourage you to start with number eight: Put your house in order. Document your compliant services. Have a process for reporting and mitigating breaches. Encrypt, archive, and spam filter. Once you’ve put all that in place, you can get back to the old maintenance routine that just makes money every day.

What you can’t do is give in to clients who are lackadaisical about rules and regulations. This is now a topic of regulation that increases your liability and puts your business in danger if you ignore it. I’m not encouraging you to set standards just to keep your clients in line: I want you to make money AND avoid penalties that quickly exceed the annual profit of your business.

Good luck out there.