One of the most challenging aspects of compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is understanding how to store sensitive data. This is partly because the US Department of Health and Human Safety (HHS) has not provided a specific set of HIPAA data storage requirements that companies need to follow. Instead, the various HIPAA rules impact data storage in one way or another. Read on to learn what you need to do.
Demystifying the HIPAA Data Storage Requirements
Healthcare providers and other businesses that process patient data are lucrative targets for cybercriminals. The sensitive payment and treatment data they store can be valuable on the black market, and it can also be used to extort businesses or even individual clients. This blog will break down all HIPAA file storage requirements, including:
- Specifications of the Privacy Rule targeting file and data storage, use, and disclosure
- Specifications of the Security Rule involving risk analysis and three kinds of safeguards
- Specifications of the Breach Notification Rule controlling for the aftermath of attacks
- Specifications of the Enforcement Rule pertaining to non-compliant data storage
By the end of this blog, you’ll precisely understand how to store your files in compliance with HIPAA, and we’ll provide resources from the HHS (and us!) to help keep you safe.
HIPAA File Storage Under the HIPAA Privacy Rule
The first rule within the HIPAA framework, and the basis for all other HIPAA rules, is the Privacy Rule. It was first proposed as a standalone rule in 1999, then reached its first final state in 2000. Significant updates to the rule have occurred in 2013, then most recently in 2020. Across its many stages and edits, the rule’s primary function has remained the same: designating which forms of data need to be protected and the basic requirements for what protection must include.
The Privacy Rule doesn’t just restrict access to data. It also guarantees that certain parties enjoy privileges concerning that data, such as easy access to it and notice of any instances of use or disclosure by or to other parties. This sets the stage for all other HIPAA data storage rules, along with regulations for data processing or transmission over secure and unsecured networks.
Controlling (Electronic) Protected Health Information
The specific files and other media that HIPAA data storage requirements pertain to are those that the Privacy Rule defines as “Protected Health Information” (PHI). According to the Privacy Rule Summary, this includes all identifiable information about a patient that also includes:
- Any information about the individual’s past, present, or future health conditions
- Any information of or pertaining to healthcare services provided to the patient
- Any information related to past, present, or future payments for care provided
If this information is connected to the name, age, or any other biographical or demographical information about the individual, it must be protected. If a document is de-identified, it may lose PHI status and be shared or used in ways it otherwise could not be as PHI.
Critically, PHI includes both physical records and files and their electronic counterparts, which are defined as electronic PHI (ePHI). The Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009 designated ePHI as a protected entity alongside PHI.
Restrictions and Permissions for Use and Disclosure
To protect PHI and ePHI, the Privacy Rule includes specifications that restrict the use and disclosure of PHI to a select few use cases. Per the Privacy Rule Summary, these include:
- Permitted uses and disclosures – PHI and ePHI must be stored in such a way as to restrict all access to and use of it. There are exceptions in the following circumstances:
- Use by, or disclosure to, the subject of the PHI/ePHI or their representative
- Uses or disclosures needed for treatment, payment, or healthcare operations
- Uses or disclosures for which the subject has reasonable opportunity to object
- Uses or disclosures that are incidental to other permitted or required use cases
- Uses or disclosures undertaken for public benefit projects or in the public interest
- Uses or disclosures of limited data sets needed to complete approved research
- Required uses and disclosures – PHI and ePHI also need to be stored in such a way as to facilitate access and use cases that are required. These include the following:
- Uses or disclosures to the subject or requested by the subject of the PHI
- Disclosure to select government agencies or law enforcement agencies
- Minimum necessary disclosure – Finally, PHI and ePHI need to be stored in such a way as to restrict permitted and required access by the minimum necessary principle.
These requirements directly impact the locations and configurations for storing all PHI and ePHI, as companies need to monitor access closely to ensure it’s permitted or required.
HIPAA File Storage and the HIPAA Security Rule
The other primary prescriptive rule in the HIPAA framework with direct impacts on data storage is the Security Rule. Initially proposed in 1998, it did not reach its final form until 2003. Like the Privacy Rule, it has also experienced significant changes since its inception, including in 2010 and most recently in 2013. Since its inception, it has had the same function: building on the protections of the Privacy Rule and specifying procedures to reduce potential breaches.
In particular, the Security Rule breaks down into four “general rules” or sub-rules:
- Ensuring the confidentiality, integrity, and availability of all PHI and ePHI
- Identifying and mitigating reasonable threats to integrity and confidentiality
- Protecting against reasonable threats of misuse or disclosure of PHI/ePHI
- Ensuring compliance with Privacy and Security rules across the workforce
There are two sets of responsibilities dictated by the Security Rule concerning data storage: implementation of robust threat and vulnerability management and three kinds of safeguards.
Security Threat and Risk Analysis Requirements
The first HIPAA security responsibility that impacts data storage does so in an indirect way. The risk analysis requirements of the Security Rule prescribe an extent of visibility critical to places in which PHI and ePHI are stored and the configurations of those locations. Companies need to monitor for vulnerabilities or inherent weaknesses in storage, along with threats or ways in which hackers might compromise PHI/ePHI. Relationships between them define risk.
Per the Security Summary, companies need to continuously monitor for risk, gauging how likely any given threat is to occur and the potential impact it is expected to have. The HHS provides robust guidance on risk analysis, including toolkits it has developed with the National Institute for Standards and Technology (NIST) and other experts and stakeholders in the field.
Administrative, Physical, and Technical Safeguards
Beyond the general rules and risk analysis of the Security Rule, the other impact it has on data storage comes from the safeguards it requires. Per the Security Rule Summary, these are:
- Administrative safeguards – Data storage security begins with management and top-level governance, including five controls that apply unilaterally across the organization:
- Establishing and maintaining programmatic security management processes
- Designating security personnel to manage operations and oversee other staff
- Implementing information access management to monitor or restrict data access
- Implementing workforce training management to optimize staff security readiness
- Ensuring workforce security awareness through data analytics or assessments
- Physical safeguards – Data storage security also requires physical restrictions on hardware and software connected to PHI and ePHI, including two controls:
- Restricting entrance to and proximal access within facilities storing PHI/ePHI
- Limiting access to workstations and devices storing or connected to PHI/ePHI
- Technical safeguards – Data storage security also requires advanced, technological methods to further prevent inappropriate access, including four controls:
- Implementing access controls to further restrict access to and within the software
- Regulating audit protocols for system-wide assessments at frequent intervals
- Monitoring for data integrity, ensuring no data is improperly altered or deleted
- Ensuring transmission security through strict monitoring of all network traffic
These controls build on those of the Privacy Rule to round out HIPAA’s prescriptive protections for PHI and ePHI. Data storage is only compliant with HIPAA if it follows all of them seamlessly.
HIPAA Compliant File Storage Breach Notification
Finally, one more HIPAA rule has an indirect impact on data storage: the Breach Notification Rule. Rather than specifying particular ways in which PHI and ePHI need to be stored, it prescribes protocols for reporting on any breaches in those conditions. Even the companies with the most stringent safeguards are capable of being attacked. And when it happens, you’ll need to report on the compromised data.
These guidelines are especially critical given the rise in cloud computing and cloud storage for PHI and other sensitive data. The HHS provides specific guidance on cloud computing in the form of a Q&A that addresses many companies’ concerns about storing PHI and ePHI remotely. It’s possible to store PHI remotely in a HIPAA-compliant way. Still, companies need to vet all cloud storage providers carefully before trusting them with PHI, then assess them regularly to ensure security.
Breach Notification Requirements Impacting All Data
If PHI or ePHI is improperly stored or otherwise exposed, breaking the Privacy or Security Rules, notice must be provided to three different parties, with the following specifications:
- Individual notice – Parties impacted by the breach must be notified as soon as possible and no later than 60 days after the breach’s discovery. Notification methods include:
- First-class mail sent to each impacted party, or email notice for paperless clients
- Notice posted on the company’s website for at least 90 days, along with a toll-free number, if there is insufficient contact information for ten or more individuals
- Secretary notice – The HHS secretary must be notified, following specifications for Breach Reporting. These protocols differ depending on the scale and severity of the breach:
- Notice within 60 days of the year’s end, if fewer than 500 people are impacted
- Notice within 60 days of breach discovery if more than 500 people are affected
- Media notice – Furthermore, if 500 or more people within a defined geographical location are impacted, the company must notify local media outlets in that region.
These specifications may impact the storage considerations companies choose, such as preferring storage with greater visibility that would make a breach apparent quicker.
HIPAA Compliance Data Storage and Enforcement
Finally, the Enforcement Rule directly relates to HIPAA data storage in that it establishes stakes for failing to comply with the Privacy, Security, or Breach Notification Rules and requirements. If your company fails to store data correctly, the civil monetary penalties may include:
- Level 1 – $119 – $59,522 dollar fines if the entity “did not know” about violations
- Level 2 – $1,191 – $59,522 dollar fines if the violating entity had “reasonable cause”
- Level 3 – $11,904 – $59,522 dollar fines if there was “willful neglect,” with correction
- Level 4 – $59,522 dollar fines if there was “willful neglect,” but without correction
An annual limit of $1,785,651 applies across all fines, capping the cost of non-compliance for the most serious offenders. Also, if the enforcement process suggests there is criminal misuse, the Department of Justice (DOJ) will investigate and may enforce its own criminal penalties:
- Level 1 – Up to one year imprisonment for intentional misuse with reasonable cause
- Level 2 – Up to five years imprisonment for misuse of PHI under false pretenses
- Level 3 – Up to ten years imprisonment for misuse of PHI for personal gain
Now, let’s take a quick look at whether these fines (and all of HIPAA) apply to your company.
Do HIPAA Data Storage Requirements Apply to You?
One final consideration about HIPAA rules and requirements for data storage is whether they even apply to your company. If you’re directly involved in healthcare or operate adjacent to the healthcare industry, there’s a good chance you’re considered a covered entity. These include:
- Healthcare providers – These include private practices of doctors, dentists, psychologists, etc.; group care facilities like hospitals, clinics, or nursing homes; pharmacies, and select retailers.
- Health insurance plans – These include administrators and distributors of healthcare payment plans, such as health insurance companies and healthcare maintenance organizations (HMO).
- Health clearinghouses – These include service providers who traffic in nonstandard or standardized health data, including processing, translating, transmitting, or storing PHI and ePHI.
Beyond these parties, HIPAA also applies to the business associates of covered entities who may come into contact with PHI or ePHI. Examples include attorneys or accountants who store or process covered entities’ data. These parties must sign HIPAA business associate contracts.
How to Avoid the Penalties of HIPAA Non-Compliance
To recap, HIPAA data storage requirements are not a standalone rule. Instead, they’re a combination of requirements and considerations across all four HIPAA Rules. Full compliance with these can be challenging, especially for newer businesses or those with more modest resources devoted to IT and cyberdefense. RSI Security offers a suite of HIPAA compliance services to help protect your data and keep your clients safe. Contact us today to get started!