Document management and storage is a universal business concern. This issue is even greater for healthcare organizations. As a HIPAA-covered organization, you must keep both your electronic and paper records secure. Many small or medium-sized healthcare organizations store documents with a storage company. The rent is inexpensive, and employees can easily access the storage unit. However, are storage companies the best solution? Let’s look at some of the issues you should consider before renting a storage unit.
In the case of a breach of documents kept in a storage unit, your healthcare organization would take sole responsibility. This is because the storage company is a contractor, not a business associate (BA) bound by HIPAA. A BA is any outside organization that creates, receives, maintains, or transmits protected health information (PHI). A storage company doesn’t maintain your organization’s records in this way. Therefore, they are not bound by HIPAA privacy, security, or breach notification rules.
However, if the storage company picks up, transports, or stores PHI in a way that allows its employees to access it, it is a BA. In this case, it must sign a business associate agreement.
Weak Physical Protection
Many public storage units do not have robust physical protection. They may have a fence that requires a key, punch code, or keycard to access the unit. However, someone may let a thief gain entry to the grounds by mistake. Most storage units are only protected by a lock, which a thief can cut off with wire cutters.
Public storage units are hotspots for criminal activity. If you store your sensitive documents at a storage unit, you run the risk of a break-in and theft. Since the storage company usually has no HIPAA obligation to protect your documents, it is not liable for thefts under HIPAA. Your organization alone would bear the responsibility.
Besides criminal activity, other disasters can befall your storage unit. These include fire damage, water damage, insect/rodent damage, mold, and more.
Pay close attention to the storage company’s agreement. There may be a set amount of time you can be delinquent on your rent before the company puts your unit up for auction. This has happened to healthcare organizations in many cases, leading to lost medical records.
Storing documents containing PHI is easier said than done. You must keep PHI for at least six years (some states require longer) from the date it’s created to its last use. How you store this data for all those years is important, as you want to limit your risks and liabilities. Before you consider renting a storage unit, look into alternative solutions. Conduct a thorough assessment of the risks and liabilities before choosing a place to store your documents.