HIPAA Storage Requirements Explained

Updated on June 28, 2021

By Marty Puranik

marty puranik 1

The Health Insurance Portability and Accountability Act (HIPAA) is one of the most-profound accomplishments in protecting personal information in the last quarter-century. It legitimized user concerns over privacy in healthcare records and paved the way for the future of electronic protected health information (ePHI) – which is now the standard of just about every doctor’s office, hospital, and other medical facilities in the US.

Signed into law by then-President Bill Clinton in 1996, it is designed to protect healthcare information, which includes individual medical records.

But keeping EPHI safe just isn’t a job for online networks. How they are maintained physically and who can access them also are important matters.

Based on what a facility does, HIPAA has different standards for how it must protect information.

  • Doctors offices, surgery centers, hospitals, and the accounting wings of those facilities are known as covered entities.
  • Places that process patient data or otherwise support covered entities are known as business associates.

Security Rule’s Role in HIPAA Compliance

The Security Rule is a guideline of how organizations should create and maintain physical, administrative, and technical protections for ePHI. While the mandates are strict, the way in which they are carried out is left entirely up to each organization. HIPAA compliance covers a broad range and is based on the idea that since no two organizations have the same scope or purpose, it would be counterproductive to try and fit the square peg of compliance into the various-sized holes that define each entity’s way of doing business.

While there is some freedom of design, the Security Rule still outlines the following as basic tenets of how organizations should protect ePHI.  

  1. Verify that the electronic health records (EHS) produced, received, stored, or sent by the company are available, while kept securely and privately.
  2. Anticipate threats and create security to defend data against them.
  3. Create protections that will deny criminals the ability to use and/or disclose any compromised data.
  4. Ensure employees are trained to follow these guidelines at all times.

The Security Rule does not suggest nor value one form of security over another. It puts the task of compliance into the hands of the organizations protecting the data.

HIPAA-compliant storage safeguards

While the Security Rule does not detail how a company must protect its medical data, there are certain safeguards considered essential across the board. The following protocol should be in place either internally for your firm or present in any vendor you hire to maintain or manipulate ePHI material.

Technical safeguards

Integrity control – All health records and information are kept for a specific amount of time and disposed of in a certain way. These procedures must be part of your company’s processes and followed precisely. You should also employ tools that confirm data integrity and implement best practices to keep your medical records storage organized and efficient.

Audit controls – Audits might sound scary, but they are the perfect way to tell how close to perfection any system is running. Using audit software specific to your industry, you can run scheduled (or unscheduled) audits that analyze how well your data is being protected.

Transmission security – One of the quickest ways cybercriminals can access ePHI is by hacking your company’s network. Ensure that the appropriate firewalls and security measures are in place.

Access controls – Limiting access to ePHI to only those users and departments whose jobs functions are tied to them goes a long way to reducing unauthorized use.

Physical safeguards

Facility access – In line with the device protections above, clear, simple rules should be introduced and maintained to limit access to data centers where sensitive data is kept. Only authorized personnel should be able to enter a data center, and then only to perform specific tasks.

Workstation and device protections – This is an essential component in health-record protection in the modern age of technology. Specific language must be drawn up in regards to how devices that can access sensitive information are used. Are they shared or limited to a single user? Can they be removed from the office? When their functionality is at an end, are they destroyed or recommissioned? The life cycle of the device is nearly as important as that of the protected data.

Cloud providers and importance of the BAA

Many organizations employ outside vendors, many of them cloud providers, for ePHI protection. The Healthcare Industry Cybersecurity Task Force (HCIC) released a 2017 report that recommended using cloud computing for healthcare protection. This was particularly recommended for small businesses, as “smaller healthcare organizations often do not have the resources to fully staff a credible cybersecurity group.”

All business associates must sign a business associate agreement (BAA) when applying for HIPAA compliance. A critical part of this agreement concerns relationships with third parties. The BAA must make clear where all responsibility falls for data being kept in a cloud environment, what security protocol will be put in place, and what employees are allowed access to said data.

If cloud computing is used, then both the business associate and the cloud-computing hosts must undergo risk analysis and improve on areas of concern. The same is true of any third-party vendor that could possibly have access to healthcare information.

Trust is essential in HIPAA

Caring for the security of patients’ most personal data is not a burden to be taken on lightly. Maintaining a HIPAA compliant company is essential to keeping that trust and allowing your company to grow. Having a letdown that sees medical information fall into the wrong hands is not only a loss of confidence for your clients, but a breach of protocol with the federal government and a surefire way to see your future business suffer.

Marty Puranik co-founded Atlantic.Net from his dorm room at the University of Florida in 1994. As CEO and President of Atlantic.Net, one of the first Internet Service Providers in America, Marty grew the company from a small ISP to a large regional player in the region, while observing America’s regulatory environment limit competition and increase prices on consumers. To keep pace with a changing industry, over the years he has led Atlantic.Net through the acquisition of 16 Internet companies, tripling the company’s revenues and establishing customer relationships in more than 100 countries. Providing cutting-edge cloud hosting before the mainstream did, Atlantic.Net has expanded to seven data centers in three countries, with a fourth pending. 

The Editorial Team at Healthcare Business Today is made up of skilled healthcare writers and experts, led by our managing editor, Daniel Casciato, who has over 25 years of experience in healthcare writing. Since 1998, we have produced compelling and informative content for numerous publications, establishing ourselves as a trusted resource for health and wellness information. We offer readers access to fresh health, medicine, science, and technology developments and the latest in patient news, emphasizing how these developments affect our lives.