Info You Can Use

HIPAA-Compliant Health Records: Paper vs. Electronic

As your hospital grows—or evolves through employee turnover—your employee health records are ever-expanding. And, according to OSHA, you must store employee medical records for at least the duration of the employee’s employment plus 30 years1. That means you are faced with an ever-increasing mix of paper records taking up valuable floor space or incurring off-site storage fees, along with electronic records demanding more and more hard-drive space and backup requirements. And all of this volume of information must be stored, secured, and easily retrieved in a HIPAA-compliant fashion.


To ensure that an individual’s health and medical information and records are private and protected, a federal law, called the Health Insurance Portability and Accountability Act of 1996 (HIPAA), has associated rules about who can look at, receive, and use an individual’s health information. It also covers measures that must be taken to protect the confidentiality, integrity, and security of the information. Protected health information (PHI) includes things like patient records, laboratory results, and images such as MRIs, CAT scans, X-rays and more.

So how do you decide the most secure and cost-effective way to manage your employee health records? Here are things you must consider when storing paper or electronic employee health records.

Considerations for Storing Paper Employee Health Records2

The sheer volume of paperwork that must be managed for each hospital employee, volunteer, and contractor is a monumental task. The considerations around storing paper records range from the process employed to take a record from documentation to storage, all the way through the materials needed in order to manage those documents. Here are some of the things to consider from start to finish:

  1.  Follow a documented file retention policy including an off-site storage archival/retrieval policy.
  2.  Follow a process for tracking/logging the location of medical records and PHI while in use, transit or storage.
  3.  Medical records and PHI must be stored securely where there is controlled access:
    • Identify individual(s) with the authority to grant access to an area
    • Assign someone to manage and document access issues (keys, card swipe, keypad access) and change keypad access codes regularly
    • Store files in closed cabinets; no open shelves
    • Use locked cabinets if medical records and PHI are stored in hallways that are accessible by unauthorized individuals
    • Store records out of sight of unauthorized individuals, and in a locked room or building when not supervised or in use
  4.  Immediately report to superiors all incidents that may involve the loss or theft of these paper records.
  5.  Do not separate individual documents from the medical record and PHI.

Considerations for Storing Electronic Employee Health Records3

Electronic storage of records has been around for decades but requires a different set of rules since you’re dealing with bits and bytes rather than physical paper. Here are some things to consider when storing health records electronically:

  1.  Backup and Storage: Create a retrievable, exact copy of electronic protected health information, when needed, before  movement of equipment.
  2.  Media Re-use: Implement procedures for the removal of electronic protected health information from electronic media  before the media are made available for re-use.
  3.  Accountability: Maintain a record of the movements of hardware and electronic media and any person responsible.  In other  words, log all data migration and data provenance information.
  4.  Access: Put in place safeguards to protect health information, limiting access and sharing of electronic records.
  5.  Disposal: Follow policies and procedures on handling and final disposal of electronic health information records and the  media or hardware on which the records are stored.

Improving HIPAA Compliance for Employee Medical Records (EMRs) and PHI

With so many considerations, and so many files, it’s easy to imagine many ways an organization could fall into non-compliance.

According to Healthcare IT News, non-compliance is no small risk:  “The U.S. Department of Health and Human Services (HHS) means business. The Breach Notification rule has shifted from its ‘innocent until proven guilty’ mentality. Now, any unauthorized disclosure of PHI is presumed to be a breach until proven otherwise through a risk assessment. And organizations can be audited, with violations carrying a hefty price tag of up to $1.5 million per incident.”4

Therefore, it’s critical to have a secure system in place for getting electronic records into the hands of patients/employees, as well as to manage the volumes of PHI that circulate throughout the organization.

Secure Cloud Storage with Venato

While many healthCloud storage for HIPAA compliancecare organizations are turning to cloud storage solutions, Venato offers a one-two punch:  all the benefits of proactively managing and reporting employee immunizations and health events, plus secure, HIPAA-compliant storage of your employee health data.

From a labor-and-supplies costs standpoint, electronic files are undoubtedly the more economical and productive solution. In effectively using electronic records for your employees, you will need to store and transmit these types of files in a way that meets the security and privacy guidelines outlined by HIPAA.

Venato’s easy-to-use system manages, trends, and reports your staff immunizations, fit tests, TB tests, and health events. All of these records are automatically and instantly stored and backed up in compliance with HIPAA. The files are encrypted, stored behind a secure firewall, under full audit protection, and only available to users with appropriate access levels.

Venato is the electronic storage solution that gives hospitals the flexibility to access files quickly, wherever you are, and the confidence that data is stored in a HIPAA-compliant fashion.

Specifically, Venato enables you to:

  1.  Validate file-sharing activities so you can track who uploaded and accessed each file, and when it was accessed.
  2.  No longer worry about file size restrictions and free up data storage space for your IT department.
  3.  Access files remotely so that you are no longer bound to a specific building where a file cabinet is located.
  4.  Say goodbye to lost data. There’s no need to worry about missing pages or missing files or lost data – it’s all stored and  backed up by Venato instantly.
  5.  Be protected with enhanced encryption. Even though HIPAA does not explicitly require data encryption, it’s a must-have for  end-to-end security and is included in Venato with a unique encryption key that is not stored on the file-storage server, so  even if the server was compromised, your data would not be.
  6.  Enforce privilege-restrictions so only authorized users are given access.

Simplifying Occ Health is Venato’s mission.  With Venato you can:

  • Easily track, trend, and report immunization needs
  • Eliminate the administrative burden of managing, storing, and moving paper
  • Stop worrying about HIPAA compliance for your electronic files

We are so confident that you will love this product, we give all customers a 60-day money-back satisfaction guarantee. Most customers find that the product pays for itself merely in the cost savings of paper supplies and storage, alone. You can learn more about how Venato solves your occ health file management and storage challenges by attending an upcoming 30-minute webinar, and getting all of your questions answered.


1 Source:  OSHA:

2 Source:  Yale Policy

3 Source: Section 164.310 of HIPAA:

4 Healthcare IT News

Leave a Comment