The Health Insurance Portability and Accountability Act (HIPAA) set forth industry standards for the proper handling of protected health information (PHI). PHI is any individually identifiable health information; the Department of Health and Human Services (HHS) classifies it using 18 HIPAA identifiers. The HIPAA Security Rule requires the confidentiality, integrity, and availability of PHI to be maintained. As such, organizations working with PHI must take the proper measures to secure PHI while ensuring that the data can be easily accessed by authorized individuals. To maintain this standard, HIPAA data storage requirements must be upheld.
What are HIPAA Data Storage Requirements?
When determining what HIPAA data storage requirements are appropriate for your organization, it is important to ensure that HIPAA Security Rule standards are adhered to. The Security Rule requires organizations working with PHI to implement physical, administrative, and technical safeguards.
Physical: relates to the security of your physical site, accomplished through alarm systems and locks.
- Physical Site Access: access to your physical site should only be granted to those that require access as part of their job. In addition, HIPAA data storage requirements mandate that paper records are stored in locked rooms or locked filing cabinets.
- Device and Workstation Security: access to devices storing PHI should be limited to only individuals that require access. As such, it is important that devices are password protected. To prevent unauthorized access, unlocked devices should not be left unattended and screens should not be viewable to the public.
Administrative: relates to policies and procedures for the proper handling of PHI.
- Data Access Management: the HIPAA Privacy Rule requires PHI to be accessed in accordance with the “minimum necessary” standard. This requires administrators to delegate different levels of access to PHI data depending on an employee’s job function.
- Risk Analysis: to be HIPAA compliant, data storage practices should be assessed annually to ensure that protections are adequate. Conducting a risk analysis allows you to determine if there are any gaps in security that could potentially expose PHI to unauthorized individuals.
- Cloud Provider BAA: if you are using a cloud provider to store PHI, you must have a signed business associate agreement (BAA) in place before you are permitted to use their service. A BAA limits the liability for both parties, as it mandates the specific security measures to be taken to protect PHI. It also determines which party is responsible for reporting a breach should one occur.
Technical: relates to security measures such as encryption, firewalls, and data backup.
- Integrity Controls: there must be security measures in place protecting the integrity of PHI. HIPAA data storage requirements mandate that organizations must protect PHI from improper destruction or manipulation.
- Audit Controls: to prevent and quickly detect threats to PHI, audit controls monitor access to PHI. Each employee must have unique login credentials, enabling data access to be attributed to specific individuals. An access log must be maintained to establish normal access patterns for each individual, as well as attempted unauthorized access. An access log allows insider threats to be detected since you can determine if an employee is accessing data outside of their regular patterns.
- Transmission Security: data in transit should be encrypted to prevent unauthorized access. Encryption masks sensitive data so that it is unreadable without a decryption key.
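The audit-control point above (unique credentials per employee, an access log, and a baseline of each person's normal access pattern so that out-of-pattern access can be spotted) is easy to state and worth seeing in working form. The following is an added example, not code from the original article or from Compliancy Group. It assumes a constructed access log whose lines carry a timestamp, a user id, an action, a patient record id, and the department that owns the record; it builds a per-user baseline from the earlier part of the log and then flags later accesses that fall outside that user's usual departments or hours, or that come from a user with no baseline at all.

```python
"""Review a PHI access log against per-user baselines (constructed example)."""
from datetime import datetime

# Constructed sample audit log, one PHI access per line:
# <ISO timestamp> <user id> <action> <patient record id> <record's department>
# The first six days are the baseline period; 2024-03-07 is the period under review.
SAMPLE_LOG = """\
2024-03-04T09:12:00 jdoe READ P1001 cardiology
2024-03-04T10:45:00 jdoe READ P1002 cardiology
2024-03-05T08:30:00 jdoe READ P1003 cardiology
2024-03-05T11:05:00 jdoe READ P1001 cardiology
2024-03-06T09:40:00 jdoe READ P1004 cardiology
2024-03-06T14:10:00 jdoe READ P1002 cardiology
2024-03-04T09:00:00 asmith READ P2001 oncology
2024-03-05T09:15:00 asmith READ P2002 oncology
2024-03-06T09:30:00 asmith READ P2003 oncology
2024-03-07T02:15:00 jdoe READ P2001 oncology
2024-03-07T10:00:00 asmith READ P2004 oncology
2024-03-07T10:05:00 guest READ P1001 cardiology
"""


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record, dept = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "record": record,
            "dept": dept,
        })
    return events


def build_baseline(events):
    """Per user: the departments they normally touch and the hours they work."""
    baseline = {}
    for e in events:
        b = baseline.setdefault(e["user"], {"depts": set(), "hours": set()})
        b["depts"].add(e["dept"])
        b["hours"].add(e["ts"].hour)
    return baseline


def find_anomalies(events, baseline, hour_slack=1):
    """Return (event, reason) pairs for accesses outside the user's baseline.

    hour_slack widens the observed working-hour window by one hour on each
    side so that a slightly early or late access is not reported on its own.
    """
    findings = []
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            # Every credential must map to a known person; an unknown
            # user id is itself a finding, not something to baseline.
            findings.append((e, "no baseline for user"))
            continue
        reasons = []
        if e["dept"] not in b["depts"]:
            reasons.append(f"department {e['dept']} outside baseline")
        lo = min(b["hours"]) - hour_slack
        hi = max(b["hours"]) + hour_slack
        if not lo <= e["ts"].hour <= hi:
            reasons.append(f"hour {e['ts'].hour:02d} outside baseline {lo:02d}-{hi:02d}")
        if reasons:
            findings.append((e, "; ".join(reasons)))
    return findings


def review(log_text, review_from):
    """Build baselines from events before review_from and check the rest."""
    events = parse_log(log_text)
    cutoff = datetime.fromisoformat(review_from)
    baseline = build_baseline([e for e in events if e["ts"] < cutoff])
    return find_anomalies([e for e in events if e["ts"] >= cutoff], baseline)


if __name__ == "__main__":
    for event, reason in review(SAMPLE_LOG, "2024-03-07T00:00:00"):
        print(f"{event['ts'].isoformat()} {event['user']} {event['record']}: {reason}")
```

On the constructed log this reports two accesses: the 02:15 read of an oncology record by a cardiology user, and a read by a user id that has no baseline at all; the oncology user's own 10:00 access is within pattern and stays quiet. A real deployment would keep the baseline over a longer window and tie user ids to the identity system, but the shape is the same: attribute every access to one credential, record it, and compare it against what that person normally does.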
Organizations working with PHI have an obligation to comply with HIPAA data storage requirements. Organizations that fail to do so put their patients, clients, and businesses in jeopardy. Healthcare breaches can be extremely costly once you consider breach notification, remediation efforts, HIPAA fines, downtime, and damage to your reputation. To protect your business and your clients, it is essential to be HIPAA compliant.
Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!