HIPAA Compliance and Medical Records
HIPAA compliance and medical records security go hand in hand because even a single medical record qualifies as a designated record set which is subject to the privacy and security protections of HIPAA.
Securing medical records requires more than compliance with the HIPAA Security Rule. Not all medical records are created, received, maintained, or transmitted electronically, so it is important that covered entities (and business associates where appropriate) review how medical records in other media are created, received, maintained, and transmitted within and by the organization.
The most effective way of doing this is to apply the risk analysis and risk management standards of the HIPAA Security Rule (§164.308) to all Protected Health Information regardless of media. This will enable compliance officers to develop more effective policies and procedures and train staff on how best to secure medical records when technological safeguards are not suitable in the circumstances.
This process not only enables organizations to better secure medical records, but also to know where they are. This is important because Protected Health Information can be maintained in more than one designated record set per organization, and multiple standards within the HIPAA Privacy and Security Rules require that Protected Health Information is available at all times.
Additionally, knowing where all medical records are will expedite the processing of individuals’ access requests. Failing to provide an individual with all the required information maintained by an organization can result in complaints to HHS’ Office for Civil Rights. Complaints can evolve into compliance reviews and civil monetary penalties for Right of Access failures.
The Issue of HIPAA Compliance and Medical Records Storage
Although HIPAA does not stipulate retention periods for medical records, other state and federal laws do. Some states have retention requirements of up to ten years, and although an organization might not provide services for residents of a state with long retention periods, AHIMA recommends that all medical records be retained for at least ten years.
The issue this creates for HIPAA compliance and medical records storage is that, regardless of what retention period is applied, medical records have to be stored securely yet still be available. To resolve this issue, many organizations have digitized paper records and taken advantage of cloud storage solutions with virtually limitless storage capacities.
However, while the digitization and cloud storage of medical records is a suitable solution for releasing physical storage space, it can create issues with retrieving unstructured data when required to comply with an individual’s access request, and with the cost of storage. For these reasons, it can be beneficial to implement a cloud archiving solution.
Cloud archiving solutions have the benefit of indexing records as they are archived in order to accelerate data searches. Some also de-duplicate records as they are archived to reduce the amount of storage space required and further accelerate data searches – enabling organizations to respond quickly to individuals’ access requests well within the allowed time.
HIPAA Compliance and Medical Records: FAQs
What is the best way to store non-digitized medical records?
The best way to store non-digitized medical records depends on the volume of data involved. Some organizations have the capacity to store small volumes of data on-site in compliance with the physical safeguards of the HIPAA Security Rule. Others may have to engage the services of a secure storage warehouse.
The problem with HIPAA compliance and medical records storage when organizations store non-digitized medical records is that it is more complicated to retrieve Protected Health Information when it is needed for a permissible use or disclosure or when copies are requested by the subjects of the information.
Do storage services have to sign a Business Associate Agreement?
Storage services have to sign a Business Associate Agreement if Protected Health Information is among the data being stored. In such cases, the third party organization providing the storage services qualifies as a business associate and a Business Associate Agreement must be in place stipulating the compliance requirements of the third party organization.
This provision of HIPAA applies even when the third party organization does not have access to the Protected Health Information – for example, if physical data is only accessible via a key code known only to the covered entity or if a cloud service provider operates a “zero-knowledge” storage model for data stored in the cloud.
Why might data be stored in more than one designated record set?
Data might be stored in more than one designated record set for several reasons. It could be that some medical records are maintained on paper, while others are digitized. It may also be the case that some data is subject to enhanced HIPAA Privacy Rule protections (e.g., SUD records) or that different departments maintain their own records.
It is important to be aware of what is considered Protected Health Information under HIPAA because a designated record set could contain a single item (e.g., a picture of a child on a pediatrician’s baby wall), while some information is only protected when it is maintained with individually identifiable health information.
What is the benefit of deduplication in the archiving process?
The benefit of de-duplication in the archiving process is that it removes all duplicated content in medical records to reduce the volume of storage space required. For example, a long exchange of emails may include the same content multiple times; or, if multiple recipients are involved, the same image may be attached to dozens of emails.
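A content-addressed archive illustrates the de-duplication and indexing described above (each distinct attachment is stored once, and an index lets an access request be answered without scanning every message). This is an added example in Python, not code from HIPAA Journal or from any archiving product; the patient identifiers, message identifiers and attachment bytes are constructed.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class DedupArchive:
    """Content-addressed archive: each distinct attachment is stored once,
    and an index maps each record subject to the messages that referenced it,
    so an access request can be answered without scanning every message."""
    blobs: dict = field(default_factory=dict)   # sha256 hex -> attachment bytes
    index: dict = field(default_factory=dict)   # patient_id -> [(msg_id, sha256 hex)]
    bytes_ingested: int = 0                     # what a naive archive would hold

    def ingest(self, patient_id: str, msg_id: str, attachment: bytes) -> str:
        digest = hashlib.sha256(attachment).hexdigest()
        self.bytes_ingested += len(attachment)
        self.blobs.setdefault(digest, attachment)        # store only if new
        self.index.setdefault(patient_id, []).append((msg_id, digest))
        return digest

    def bytes_stored(self) -> int:
        return sum(len(b) for b in self.blobs.values())

    def retrieve(self, patient_id: str) -> list:
        """All (msg_id, attachment) pairs for one subject; the index, not a
        full scan, drives the lookup. The index itself names patients, so it
        needs the same safeguards as the records it points to."""
        return [(m, self.blobs[d]) for m, d in self.index.get(patient_id, [])]


def demo() -> DedupArchive:
    """Constructed sample: one scan image forwarded in three emails about the
    same fictitious patient, plus one distinct report for another patient."""
    scan = b"\x89PNG...constructed-image-bytes..." * 100   # 3300 bytes
    report = b"constructed lab report text" * 20          # 540 bytes
    arc = DedupArchive()
    for msg_id in ("msg-001", "msg-002", "msg-003"):
        arc.ingest("patient-A", msg_id, scan)
    arc.ingest("patient-B", "msg-004", report)
    return arc


if __name__ == "__main__":
    a = demo()
    print(a.bytes_ingested, a.bytes_stored(), len(a.retrieve("patient-A")))
```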
How easy is it to retrieve archived data from the cloud?
The ease with which it is possible to retrieve archived data from the cloud is one of the reasons for cloud archiving’s popularity. Provided authorized individuals have an Internet connection and the appropriate credentials to access the cloud archiving service, retrieving data stored in the cloud is no more complicated than if it were stored on a local device.