Healthcare organizations are subject to the Healthcare Insurance Portability and Accountability Act (HIPAA), which means HIPAA compliant storage requirements must be met for storing electronic protected health information (ePHI).
To ensure HIPAA compliance, a medical practice must adhere to the guidelines outlined in the HIPAA Security Rule and HIPAA Privacy Rule.
Even if no data breach of medical records or individually identifiable health information occurs, failure to meet HIPAA compliant storage requirements can still result in substantial fines being issued by the Office for Civil Rights of the Department of Health and Human Services (OCR).
These range from $100 to $50,000 per violation and up to $1.5 million per year.
Which Organizations Are Subject to HIPAA Compliant Storage Requirements?
All healthcare providers, health plans and healthcare clearing houses are subject to HIPAA requirements and must meet the data storage security standards outlined in the legislation.
These businesses are known as HIPAA Covered Entities (CEs), to whom HIPAA rules are applicable.
In addition, any person or business that stores, transmits or otherwise has access to a Covered Entity’s ePHI data also must comply with HIPAA.
These bodies are known as Business Associates (BAs) and include accountants, lawyers, email encryption services and cloud storage providers.
Like Covered Entities themselves, Business Associates must take adequate security measures to ensure the data security of all ePHI in the BA’s possession.
In addition, BAs must sign a Business Associate Agreement (BAA) with the Covered Entity, which must clearly outline the responsibility of each party with regards to meeting the HIPAA compliant storage requirements for medical records and ePHI data.
What Are HIPAA Compliant Storage Requirements?
Under the HIPAA Security Rule, CEs and BAs must ensure technical, physical and administrative safeguards are in place to protect ePHI data. In addition, the HIPAA Privacy Rule mandates that the integrity of ePHI data is maintained by limiting access to the minimum number of people possible.
Further to this, the HIPAA Breach Notification Rule requires CEs and BAs to promptly notify both patients and the OCR should a data breach occur.
Though all Rules must be followed, it is the technical, physical and administrative safeguards of the Security Rule in particular that CEs and BAs need to shore up in order to meet HIPAA compliant storage requirements.
Let’s consider these safeguards one at a time.
Technical safeguards concern how ePHI is protected via digital means.
Crucially, all data must be encrypted to NIST standards – both when the data is at rest and in motion – once it’s outside the CE’s internal storage systems.
Encryption ensures medical records, individually identifiable health information and all other ePHI data is indecipherable and therefore unusable to any unauthorized party.
The HIPAA Journal outlines healthcare organizations’ further HIPAA compliant storage requirements with regards to technical safeguards.
(Image source: hipaajournal.com)
As the name suggests, physical safeguards are concerned with physical access to the location and physical equipment where ePHI is stored.
They must be implemented at any cloud-based storage facility the CE or BA uses, as well as the computers and/or servers that are housed internally.
Physical safeguards must also cover workstation security and mobile device security.
(Image source: hipaajournal.com)
Administrative safeguards refer to the policies and procedures organizations implement to manage and maintain ePHI data security.
Importantly, they require that a Security Officer and a Privacy Officer be assigned to oversee the implementation.
Regular, ongoing risk assessments are a crucial part of administrative safeguards, as are the development of contingency plans and restricting third-party access.
(Image source: hipaajournal.com)
“Required” and “Addressable” Safeguards
You’ll notice that certain safeguards are labelled “required” while others are “addressable” in the lists above. So, what’s the difference?
Well, “required” HIPAA safeguards must be applied, no matter what – so that’s clear enough.
“Addressable” safeguards, on the other hand, do not necessarily have to be implemented, provided the organization can justify the decision.
For example, employee training is an “addressable” safeguard.
This means that if, as a HIPAA Covered Entity, you are confident that all your employees are fully aware of all HIPAA compliant storage requirements, well-versed in cybersecurity best practices and know how to spot phishing emails and other attacks, then you may decide that additional training is not necessary.
However, if your organization suffers a data breach as a result of employee negligence and it is discovered that it could have been prevented if the employee had better training, then the OCR is likely to fine you more heavily for the breach than if you could demonstrate that you had done everything in your power to ensure your workforce were professionally trained and educated.
In any case, if you decide not to implement any “addressable” safeguards, you must document your decision in writing with an explanation as to why the decision was taken with regards to the “required” risk assessment you carried out.
What is needed to be HIPAA compliant?
To maintain a HIPAA compliant workplace, it's important to have the following in place:
- No matter the size of your organization, it’s important to document your HIPAA policies, procedures, and standards of conduct.
- Designate a compliance officer and compliance committee to ensure that employees are trained and educated on the policies you've put in place.
- Conduct regular internal monitoring and audits of your policies, process, and standards.
- Enforce your HIPAA policies, procedures, and standards of conduct with clear disciplinary guidelines.
- Have a system in place to enable you to respond promptly to any detected breaches and implement corrective actions.
HIPAA Compliant Storage from Central Data Storage
For HIPAA compliant cloud-based data storage and disaster recovery, Covered Entities need to work with Business Associates that specialize in HIPAA.
At Central Data Storage, we’ve been working to keep healthcare organization’s ePHI data safe and secure since 2008. We specialize in providing storage, backup and recovery and encrypted file sharing solutions for HIPAA Covered Entities.
We are approved by third-party auditors as 100% HIPAA compliant and our solution has beyond-military-grade security features, protecting you against all data threats.
Want to learn more about how we can help you meet your HIPAA compliant storage requirements? Call 1-888-907-1227, email email@example.com, or schedule your free backup and recovery data assessment today.