This article started by stating that federal regulations require that all email communication between the "company" and the "employee" must be archived. Nowhere in the HIPAA Security Rule is this a requirement unless the email contains Individually Identifiable Health Information (IIHI). It may be a "company" policy to archive all email traffic (as a catch-all), but it seems to me that this approach is indicative of "sloppy" planning that will manifest itself in other compliance issues where "catch-alls" simply don't work. Even email archiving (unless it is file-to-file encrypted) is not a guarantee of HIPAA Security Rule compliance.
I understand that the thrust of this article was to propose outsourcing as a reasonable solution to a complex problem, and it may very well be, but it is not OK to begin on a false premise.
This does not serve the HIPAA related members, many of whom are struggling to understand and implement policy.
Message 7 of 17