Records Storage Laws: Ensuring You Stay Compliant

Securely storing your important information doesn’t just make business sense—for most records it’s the law. From finance to healthcare and a range of other industries in between, it’s important to take steps to stay compliant with laws like HIPAA and GLBA.

In this video, learn more about general storage requirements, retention periods for various types of records, where HIPAA and GLBA apply, tips for compliance, and the legal penalties for failing to comply.

Playing by the Rules and Regulations

While safeguarding stored information makes business sense, there are also multiple laws that require it. From healthcare providers to financial institutions and other companies that deal in financial products and services, it’s essential to account for laws like HIPAA and GLBA during records storage.

Storage Compliance Requirements

As a general rule of thumb, there are several must-haves for ensuring compliance during storage. Be sure to store records in areas protected by fire-suppressant systems and to keep them secured whenever they are unattended.

Offsite records storage facilities typically provide climate-controlled storage areas as well as 24/7 video monitoring and guarded premises.

Retaining Records

For most important information there are state and federal laws that outline how long records need to be retained. While requirements vary state by state, common records to retain include:

    • Medical Records and protected health information (PHI)
    • Financial Records like auditor’s reports, employee payroll records, financial statements, and general ledgers
    • Business Records like articles of incorporation, contracts and agreements, and legal correspondence
    • Employee and Personnel Records like COBRA records, accident reports, and injury claims
    • Insurance Records like fire inspections, safety records, and settled insurance claims
    • Real Estate Records like mortgages, contracts, and deeds
    • Patents, Copyrights, and Trademarks

HIPAA Compliance for Healthcare

The Health Insurance Portability and Accountability Act (HIPAA) was passed and signed into law in 1996. HIPAA was written to protect protected health information (PHI) and prevent its abuse by requiring providers to use physical and technical safeguards.

Records Affected by HIPAA

HIPAA lays out a specific list of medical records and PHI that need secure storage and destruction. Common medical records include:

    • Patient histories
    • X-rays & diagnostic images
    • Billing & insurance information
    • Medications
    • Demographic data
    • Legal Records

Medical Record Retention

Medical Record / PHI and recommended retention time:

    • Diagnostic Images – Adults: 5 years
    • Diagnostic Images – Minors: 5 years after age of majority
    • Disease Index: 10 years
    • Fetal Heart Monitor Records: 10 years after age of majority
    • Master Patient / Person Index: Permanently
    • Operative Index: 10 years
    • Patient Health / Medical Records – Adults: 10 years after most recent use
    • Patient Health / Medical Records – Minors: Age of majority plus statute of limitations
    • Physician Index: 10 years
    • Register of Births: Permanently
    • Register of Deaths: Permanently
    • Register of Surgical Procedures: Permanently

HIPAA Noncompliance Fines

Minimum and maximum penalties by violation type:

    • Unknowing – Minimum: $100 per violation, annual cap of $25,000 for repeats. Maximum: $50,000 per violation, annual cap of $1.5 million for repeats.
    • Due to reasonable cause – Minimum: $1,000 per violation, annual cap of $100,000 for repeats. Maximum: $50,000 per violation, annual cap of $1.5 million for repeats.
    • Willful neglect, corrected – Minimum: $10,000 per violation, annual cap of $250,000 for repeats. Maximum: $50,000 per violation, annual cap of $1.5 million for repeats.
    • Willful neglect, uncorrected – Minimum: $50,000 per violation, annual cap of $1,000,000 for repeats. Maximum: $50,000 per violation, annual cap of $1.5 million for repeats.

GLBA Compliance

The Gramm-Leach-Bliley Act (GLBA) was passed in 1999. GLBA applies to financial institutions and requires them to take measures to protect consumers’ personally identifiable information (PII).

Storage Compliance Tips

Be sure to always know where sensitive information is and store it securely:

    • Ensure records are stored in areas with environmental protections in case of fire or flood
    • Keep cabinets or storage areas locked when unattended
    • Store computers with sensitive information in a secure area and use strong passwords for access
    • Avoid storing sensitive information on computers and devices with an internet connection
    • Maintain regular backups and store archived records at secure offsite facilities or separate servers
    • Keep a careful inventory of your company’s sensitive records and the equipment where they’re stored

Disposal Compliance Tips

Besides storage, secure disposal of records is also mandated by GLBA:

    • Consider hiring an offsite storage facility to manage retention times and shred the stored records in-house once they’re ready for disposal.
    • Use cross-cut shredding so records can’t be reconstructed. When hiring destruction services, ensure that you receive a certificate of destruction for proof of compliance.
    • Destroy and shred hard drives, disks, CDs, magnetic tapes, and any other electronic media. Keep in mind that formatted drives can often be recovered with readily available software, and weigh the cost of degaussing against physical destruction.

GLBA Noncompliance

Failing to comply with GLBA can bring severe criminal and civil penalties, including up to 5 years in prison. To prevent theft and ensure GLBA compliance, offsite records storage facilities typically have on-premises security personnel and use 24/7 video monitoring.

Are You in Compliance?

Join Amazon, Google, and a range of other companies we’ve helped to find both secure and compliant storage solutions for their projects.

We work with a nationwide network of providers in order to help connect you with the best services to meet your budget, schedule, and other requirements. For help finding your ideal storage option, give Record Nations a call at (866) 385-3706 or fill out the form to the right.