Every business, regardless of size, has document management and storage concerns. Medical organizations have even greater difficulty in determining proper document management strategies, since they have to comply with HIPAA as they store both their paper and electronic records.

Many small to medium-sized healthcare organizations seek to solve this document management problem with their local public storage company. Rent is inexpensive and the records are easily accessed when needed by an employee of the practice. But is this the best solution?

Below are a few issues to consider when determining whether your organization should utilize a public storage unit.

  • LEGAL LIABILITY:

o   Under the Omnibus Rules, a Business Associate (BA) is defined as an outside organization that creates, receives, maintains, or transmits Protected Health Information (PHI). Under this definition, your local public storage unit is usually NOT considered to be a BA. Additionally, the US Department of Health and Human Services (HHS) has commented that since public storage units do not truly maintain records on behalf of their tenants, they are NOT Business Associates; they are merely contractors and are not bound by HIPAA’s Privacy, Security or Breach Notification Rules. Legal liability in the event of a breach remains solely with the healthcare organization storing its records in the public storage unit.

  • LIMITED EXCEPTION:

o   A limited exception to the definition of a storage unit as a BA does exist. For example, if your storage unit is in the business of picking up, transporting and storing PHI, such that employees could have access to your PHI, then they WOULD be considered a Business Associate and be required to sign a Business Associate Agreement.  

ACTIVITIES THAT MAKE STORAGE UNITS A RISKY CHOICE

  • CRIMINAL ACTIVITY:

o   A healthcare organization doesn’t get to choose its neighbors when storing its records in a public storage unit. Unfortunately, criminal activity is rampant all over the country at public storage units. Since public storage companies are not generally liable under HIPAA for protecting the security and privacy of your stored documents, they are also not liable under HIPAA for any theft that occurs. Your organization would bear the sole responsibility under HIPAA for the stolen information/records.

  • WEAK PHYSICAL PROTECTION:

o   Many public storage units have weak physical protection of their facilities. They may have a fence that requires a key, punch code or key card to access the unit; however, it is possible that some well-intentioned individual could unknowingly and accidentally let a thief onto the grounds. Additionally, how is your unit protected once someone is able to gain access to the storage unit grounds? Most storage units are protected only by a metal lock, which can easily be cut off with a pair of wire cutters that can be purchased at a hardware store.

  • DELINQUENT PAYMENT:

o   Read your agreement with your storage unit company carefully. Chances are, there is a set amount of time you are allowed to be delinquent on your rent before the unit goes up for auction. This means all the contents of your unit will be sold to the highest bidder. Don’t think this can happen to you? Think again. There are many reported cases where this has happened and led to unauthorized access to medical records.

  • ACCIDENTAL DAMAGE:

o   HIPAA requires that you maintain PHI for a period of 6 years (although some states require higher retention) from the date of creation or last use. Again, public storage units pose a risk to your ability to comply with this requirement. Here are some threats to think about:

  • Fires
  • Sprinkler Damage
  • Flooding
  • Mold
  • Insect/Rodent damage
  • Pesky Neighbors

  • ENVIRONMENTAL RISKS:

o   I know I already mentioned this, but remember all the criminal activity that is happening at storage units across the country? Meth labs are common in storage facilities, creating an environmental risk to your stored PHI.

Storing documents containing PHI is mandatory and complex.  How you store the information is very important to limit your legal risks and liabilities in case a breach should occur. 

So how do you store your numerous documents containing PHI? Before considering a physical storage facility, there are many alternative storage solutions. Be sure your organization conducts a thorough assessment of its risks and liabilities when choosing where to store your old documents and records!