Securely storing your important information doesn’t just make business sense; for most records it’s the law. From finance to healthcare and a range of other industries in between, it’s important to be sure you’re taking steps to stay compliant with laws like HIPAA and GLBA.
In this post, learn more about general storage necessities, retention periods for various types of records, where compliance laws such as HIPAA and GLBA apply, tips for compliance, and the legal penalties for failing to comply.
Playing by the Rules and Regulations
While safeguarding stored information makes business sense, there are also multiple laws that require it. From healthcare providers to financial institutions and other companies that deal in financial products and services, it’s essential to account for laws like HIPAA and GLBA during records storage.
Storage Compliancy Requirements
As a general rule of thumb there are several must-haves for ensuring compliance during storage. Be sure to store records in areas with fire-suppression systems and to keep them secured when unattended.
At offsite records storage facilities, there typically are climate-controlled storage areas as well as 24/7 video monitoring and guarded premises.
For most important information there are state and federal laws that outline how long records need to be retained. While requirements vary state by state, common records to retain include:
- Medical Records and protected health information (PHI)
- Financial Records like auditor’s reports, employee payroll records, financial statements, and general ledgers
- Business Records like articles of incorporation, contracts and agreements, and legal correspondence
- Employee and Personnel Records like COBRA records, accident reports, and injury claims
- Insurance Records like fire inspections, safety records, and settled insurance claims
- Real Estate Records like mortgages, contracts, and deeds
- Patents, Copyrights, and Trademarks
HIPAA Compliance for Healthcare
The Health Insurance Portability and Accountability Act (HIPAA) was passed and signed in 1996. HIPAA was written to protect Protected Health Information (PHI) and prevent its abuse by requiring providers to use physical and technical safeguards.
Records Affected by HIPAA
HIPAA lays out a specific list of medical records and PHI that need secure storage and destruction. Common medical records include:
- Patient histories
- X-rays & diagnostic images
- Billing & insurance information
- Demographic data
- Legal Records
Medical Record Retention
| Medical Record / PHI | Recommended Retention Time |
|---|---|
| Diagnostic Images – Adults | 5 years |
| Diagnostic Images – Minors | 5 years after age of majority |
| Disease Index | 10 years |
| Fetal Heart Monitor Records | 10 years after age of majority |
| Master Patient / Person Index | Permanently |
| Operative Index | 10 years |
| Patient Health / Medical Records – Adults | 10 years after most recent use |
| Patient Health / Medical Records – Minors | Age of majority plus statute of limitations |
| Physician Index | 10 years |
| Register of Births | Permanently |
| Register of Deaths | Permanently |
| Register of Surgical Procedures | Permanently |
HIPAA Noncompliance Fines
| Violation Type | Minimum Penalty | Maximum Penalty |
|---|---|---|
| | $100 per violation – annual cap of $25,000 for repeats | $50,000 per violation – annual cap $1.5 million for repeats |
| Due to reasonable cause | $1,000 per violation – annual cap of $100,000 for repeats | $50,000 per violation – annual cap $1.5 million for repeats |
| Willful Neglect – corrected | $10,000 per violation – annual cap of $250,000 for repeats | $50,000 per violation – annual cap $1.5 million for repeats |
| Willful Neglect – uncorrected | $50,000 per violation – annual cap of $1,000,000 for repeats | $50,000 per violation – annual cap $1.5 million for repeats |
The Gramm-Leach-Bliley Act (GLBA) applies to financial institutions and requires them to take measures to protect consumers’ personally identifiable information (PII).
Storage Compliancy Tips
- Ensure records are stored in areas with environmental protections in case of fire or flood
- Keep cabinets or storage areas locked when unattended
- Store computers with sensitive information in a secure area and use strong passwords for access
- Avoid storing sensitive information on computers and devices with an internet connection
- Maintain regular backups and store archived records at secure offsite facilities or separate servers
- Keep a careful inventory of your company’s sensitive records and the equipment where they’re stored
Disposal Compliancy Tips
Besides storage, secure disposal of records is also mandated by GLBA:
- Consider hiring an offsite storage facility to manage retention times and shred the stored records in-house once they’re ready for disposal.
- Use cross-cut shredding so records can’t be reconstructed. When hiring destruction services, ensure that you receive a certificate of destruction for proof of compliance.
- Destroy and shred hard drives, disks, CDs, magnetic tapes, and any other electronic media. Keep in mind that formatting alone does not remove data (recovery software can restore formatted drives), and weigh the cost of degaussing against physical destruction.
Failing to comply with GLBA can bring severe criminal and civil penalties, including up to 5 years in prison. To prevent theft and ensure GLBA compliance, offsite records storage facilities typically have on-premises security personnel and use 24/7 video monitoring.
Are You in Compliance?
We’ve helped a range of companies to find both secure and compliant storage solutions for their needs. For help finding your ideal storage option, give us a call at (716) 852-2203 or (800) 859-2203 or fill out the form here to speak to a specialist.
How do you and your business manage your documents and records? How do you stay compliant? We love hearing about the different strategies and techniques that work for others.