Storing data is a vital part of doing business. Without customer data, product catalogs, and financial reports, organizations cannot function. Since becoming compliant with the US Health Insurance Portability and Accountability Act (HIPAA) in 2002, it has become increasingly crucial for businesses to store data securely because of the potentially severe consequences of security breaches. The body responsible for enforcement under HIPAA is the Office of Civil Rights (OCR). The OCR enforces HIPAA by launching investigations into whether organizations securely retain patient information.
This article aims to identify all the requirements that every business needs to store and secure data, whether customer information or financial documents. Although compliance with HIPAA is not required by law, it is essential to follow their best practices to keep data secure. Here’s what every organization needs to store data securely:
Enhanced Data Stores
Data that is more sensitive than what you might find in a standard document must be stored even more securely. The OCR calls this “enhanced data stores.” Examples of enhanced data stores are servers containing patient records, social security numbers, credit card numbers, and any other type of information that could cause significant problems if stolen. These enhanced data stores often store data with heightened security measures, including password-protected, encrypted with software/services, and logged anytime they are accessed. Data should not be stored on mobile devices unless the company has approved the mobile device for this purpose after it has passed an encryption benchmark test.
Document Retention/Destruction Policy
Documents containing sensitive information need to be stored securely, but this doesn’t mean you should keep them indefinitely. While many organizations will destroy records containing sensitive data once it is no longer needed, HIPAA requires you to document when and how your company destroys these documents, as well as a method of tracking why they are destroyed. This means a document retention policy must exist for every organization to protect patient confidentiality. It cannot be an informal system where employees who have access to patient records will experience just self-reporting the destruction of documents they have deemed unnecessary at the time. In addition, each copy being destroyed must be marked before it is shredded. Otherwise, it can be destroyed so that there’s proof that the document existed and that it was crushed under company policy.
Electronic Protected Health Information (ePHI) Policy
Businesses must also have a plan for any ePHI stored on electronic media to comply with HIPAA. This includes computers, hard drives, flash drives, phones, and tablets. In addition to the apparent need for secure storage of these items when they are not being used, you’ll also need a policy regarding how employees can use these devices while at work. Although many jobs today require employees to conduct some business away from the office, your organization must enforce rules regarding accessing sensitive information outside work hours or on personal devices.
Minimum Necessary Policy
HIPAA also mandates that healthcare providers and other covered entities limit their disclosure of protected health information (PHI) to only those who require it. This means that there should be a clearly outlined policy explaining who is authorized to see what pieces of PHI and why they need access. The minimum necessary standard prevents employees from unnecessarily sharing patients’ PHI with others or spreading medical information within the company. If you don’t have an existing policy in place, make sure your organization follows this best practice as soon as possible. It may seem like a hassle now, but it will save your organization from unnecessary legal expenses and protect patient confidentiality.
Have a Written HIPAA Policy in Place
For any business to store data securely, they must have policies that indicate how the organization will meet all HIPAA requirements. These policies should be created by someone knowledgeable about HIPAA regulations, ideally the security officer. Any business that does not make its policies would need to follow the guidelines set out by HIPAA to remain compliant. Organizations must designate who has access to PHI (Patient Health Information) and take necessary precautions to ensure this information is secure from unauthorized disclosure or use, including password protection and protection against viruses and malware on devices containing PHI.
Encryption and Password Management
Data stored on laptops, desktops, tablets, and smartphones must be encrypted for security purposes. This includes emails containing sensitive information, which should be encrypted if traveling outside your organization’s network. In addition to encryption, passwords need to be managed according to a password management policy. Many employees will use their username or last name for email logins rather than coming up with a unique password each time. These passwords put your organization at risk because hackers can easily guess them using tools like LastPass. Your password management policy should include a list of requirements for creating secure passwords that hackers cannot assume using standard algorithms.
Network Security
Hackers are becoming increasingly more sophisticated, so companies need to keep their data secure. One of the best ways to do this is by implementing a network security policy. A good policy should include:
- Changing default passwords on network-connected devices like routers and firewalls.
- Using antivirus software.
- Restricting access to critical systems (like payroll).
- Requiring all users who work offsite to connect via VPN when possible.
Many businesses also implement cloud computing services like Dropbox or Google Drive, which can be problematic because these services may not offer the same level of security as your internal servers. It’s recommended that you constantly research any third-party services before implementing them in your company to ensure that you’re getting the best security possible for your organization.
Employee Training
Employees are one of the most significant risks facing any organization because they can easily damage or expose sensitive data if their behavior isn’t appropriately managed. This is why it’s important to implement training sessions for employees that educate them on internal policies like HIPAA and how to protect patient confidentiality. Many companies will also train employees about good password security (e.g., always create unique passwords) within their network security policy. You should also require all employees who work remotely to take online training courses before starting work to understand what needs to be done to secure company data.
Businesses need to take specific steps to secure their data. These include implementing a minimum necessary policy, using encryption and password management, putting a network security plan in place, and requiring user training courses. By following these best practices for securing company data, organizations can make sure that they are meeting regulatory standards and protecting sensitive information from the risk of exposure.