Risky Business: Should You Keep Documents in Storage Units?


Document management and storage is a universal business concern, and the stakes are higher for healthcare organizations. As a HIPAA-covered entity, you must keep both your electronic and paper records secure. Many small and medium-sized healthcare organizations store documents with a self-storage company: the rent is inexpensive, and employees can easily access the unit. But is a storage unit the best solution? Consider the following issues before renting one.

Legal Liability

If documents kept in a storage unit are breached, your healthcare organization takes sole responsibility. A self-storage company is an ordinary contractor leasing you space, not a business associate (BA) bound by HIPAA. A BA is any outside organization that creates, receives, maintains, or transmits protected health information (PHI) on your behalf. A company that merely rents you a locked unit to which you hold the only key does not maintain your records in this sense, so it is not bound by the HIPAA Privacy, Security, or Breach Notification Rules, and it will not be the one answering for a breach.

However, if the storage company picks up, transports, or stores PHI in a way that gives its employees access to it (for example, a records-management service that holds the keys or handles the boxes), it is a BA. In that case, it must sign a business associate agreement before it handles your records.

Weak Physical Protection

Many public storage facilities do not have robust physical protection. The grounds may be fenced, with a key, punch code, or keycard required at the gate, but codes are shared, and a tenant may hold the gate open for a thief by mistake. Once inside, most units are protected only by a padlock that a thief can remove in seconds with bolt cutters.

Criminal Activity

Public storage facilities are frequent targets of break-ins. If you keep sensitive documents in one, you run the risk of theft. Because the storage company is not a business associate, it has no obligation under HIPAA to protect your documents and no HIPAA liability when they are stolen. Your organization alone would have to investigate the incident, notify affected patients, and bear the consequences.

Environmental Damage

Besides criminal activity, other disasters can befall your storage unit: fire, water damage, insect and rodent damage, mold, and more. Paper records that are destroyed are just as unavailable to you and your patients as records that are stolen.

Delinquent Payment

Pay close attention to the storage company's rental agreement. It typically specifies how long you can be delinquent on rent before the company exercises its lien and puts the contents of your unit up for auction. This has happened to healthcare organizations, and the auctioned contents included medical records. Records sold to the highest bidder are an impermissible disclosure of PHI, not merely lost property.

Storing documents containing PHI is easier said than done. HIPAA requires you to retain your compliance documentation (policies, procedures, risk assessments, and the like) for at least six years from the date it was created or last in effect, whichever is later, and state law sets retention periods for the medical records themselves, often longer than six years. How you store this material for all those years matters, because you want to limit your risks and liabilities. Before renting a storage unit, look into alternative solutions, and conduct a thorough assessment of the risks and liabilities before choosing where to keep your documents.

The HIPAAtrek platform enables you to assess security risks in your organization. To learn more, request a demo or contact us at support@hipaatrek.com.

