There are so many choices to make these days – Meaningful Use certified EHRs (Electronic Health Records), a capable practice management system, and even what computers you want your practice using. Adding HIPAA on top of all this can seem like a daunting task.
One of the most important technology tasks left out by many companies these days is a good data backup plan. Most of us associate data backup with an external hard drive, tape system, or maybe even some flash external storage. But remember, you’re dealing with both vital information to your organization as well as sensitive personal health information. Ensuring this information is secure and available in the event of an emergency are top priorities.
Perhaps it’s time to turn to a data backup service, since HIPAA has made secure data backup mandatory.
Requirements for HIPAA Compliant Backup Providers
It’s time to be a little blunt. Many (unfortunate souls) will read HIPAA and not fully understand it, and an honest attempt at meeting the requirements does not excuse you from failing to comply. Once you do understand it, though, the requirements are not all that bad.
As far as data backups are concerned, there are three required components, or safeguards, under HIPAA that are necessary for a compliant backup provider.
It is important to note that no matter how the backup or recovery service is used, these safeguards must hold for any organization that handles protected health information.
First are the technical requirements: encryption, deletion and destruction of data. (Here comes some tech lingo.) You must have a minimum of 128-bit encryption of your data, and it must be encrypted both in transit and at rest on the server or desktop. Deletion and destruction of data refers to the encrypted data and the necessity of destroying data no longer in use. Likewise, any data that has sat at rest in an unencrypted state must be destroyed. Destruction of data can be done according to the Department of Defense’s standards, set forth in the National Industrial Security Program Operating Manual.
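To make the two technical safeguards concrete, here is an added example (not code from the article or from any backup vendor) that encrypts a backup blob with AES-GCM under a key of at least 128 bits, rejects shorter keys, detects tampering on restore, and overwrites a file before unlinking it. The `EncryptBackup`, `DecryptBackup` and `DestroyFile` names and the sample record are constructed for this illustration; the overwrite step is a best effort that does not replace the media sanitization standard the article cites.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
)

// 16 bytes = 128 bits, the minimum the article requires. A 32-byte key gives
// AES-256; the check below only enforces the floor.
const minKeyBytes = 16

// EncryptBackup seals plaintext with AES-GCM under key. The random nonce is
// prepended to the ciphertext so the blob at rest is self-describing.
func EncryptBackup(key, plaintext []byte) ([]byte, error) {
	if len(key) < minKeyBytes {
		return nil, errors.New("key shorter than 128 bits")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptBackup reverses EncryptBackup; GCM's tag check fails on any tampering.
func DecryptBackup(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to hold a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// DestroyFile overwrites a file's bytes with random data, syncs, then unlinks it.
// Caveat: on SSDs, copy-on-write or journaling file systems and cloud object
// stores the old blocks may survive an overwrite; there, destroying the
// encryption key (crypto-shredding) or the provider's documented sanitization
// process is the reliable control.
func DestroyFile(path string) error {
	info, err := os.Stat(path)
	if err != nil {
		return err
	}
	f, err := os.OpenFile(path, os.O_WRONLY, 0)
	if err != nil {
		return err
	}
	defer f.Close()
	junk := make([]byte, info.Size())
	if _, err := rand.Read(junk); err != nil {
		return err
	}
	if _, err := f.WriteAt(junk, 0); err != nil {
		return err
	}
	if err := f.Sync(); err != nil {
		return err
	}
	return os.Remove(path)
}

func main() {
	key := make([]byte, minKeyBytes)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	record := []byte("patient: CONSTRUCTED SAMPLE; dx: none") // constructed, not real PHI
	blob, err := EncryptBackup(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext visible in stored blob:", bytes.Contains(blob, []byte("CONSTRUCTED")))
	back, err := DecryptBackup(key, blob)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(back, record))
}
```

The same key must also protect the copy in transit, or the provider's TLS channel must; this block only covers the at-rest half.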
Second are the physical requirements, or issues related to physical infrastructure such as locks and secure access areas. The Physical Safeguards in the HIPAA Security Rule include standards for facility access controls, workstation use and security, and device and media controls. These manifest as passcodes on mobile devices, portable devices and office workstations, security systems for the physical location where information is stored, and controls on how the physical media (hard drives, flash drives, optical disks, magnetic tapes, etc.) moves inside and outside of the facility in which it is stored.
Third, a number of administrative requirements must be observed in order to meet HIPAA compliance. The standards cited in the Security Rule include a provider’s security management process, assigned security responsibilities, workforce security, information access management, security awareness training and contingency planning.
Backup and Recovery Best Practices
Now that we have a better understanding of the requirements under HIPAA, let's take a look at what makes a compliant vendor and their responsible practices.
It’s time to look at backup service providers. The key to backup and recovery is to ensure data can be restored for a window of six years beyond the last edits. There are three key factors that help ensure HIPAA compliance here:
1. The data backup plan – How, what, when, and where your data will be backed up.
2. A disaster recovery plan – How you plan to recover all the data.
3. An emergency mode operations plan – How the company will operate in the event of an emergency.
On a side note, all companies should have these three basic plans.
Verify that these three plans exist, that your backup provider tests and updates them regularly, and that the provider has the policies, procedures and capabilities in place to restore your information from its own storage infrastructure. This means you won’t be out of luck in case of an emergency.
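The six-year restore window and the "can they actually restore it" check above are easy to state and easy to get wrong in practice. The following added example (not the article's or any vendor's code) models a versioned backup catalog: every stored version carries a SHA-256 digest, `Prune` only drops superseded versions once six years have passed since the file's last edit, and `Restore` re-hashes the newest copy so silent corruption surfaces during a drill rather than during a real outage. The `Catalog` type, its method names and the sample chart file are constructed; reading "six years beyond the last edits" as "the clock starts at the most recent edit of that file" is this example's assumption.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// retentionYears is the article's six-year window beyond the last edit.
const retentionYears = 6

// Version is one stored copy of a file, with the digest taken at backup time.
type Version struct {
	Path     string
	Modified time.Time // when this version was last edited on the source
	SHA256   string
	Data     []byte
}

// Catalog keeps every version of every path, newest appended last.
type Catalog struct {
	versions map[string][]Version
}

func NewCatalog() *Catalog { return &Catalog{versions: map[string][]Version{}} }

// Store records a new version and its digest.
func (c *Catalog) Store(path string, modified time.Time, data []byte) Version {
	sum := sha256.Sum256(data)
	v := Version{Path: path, Modified: modified, SHA256: hex.EncodeToString(sum[:]),
		Data: append([]byte(nil), data...)}
	c.versions[path] = append(c.versions[path], v)
	return v
}

func newest(vs []Version) Version {
	n := vs[0]
	for _, v := range vs[1:] {
		if v.Modified.After(n.Modified) {
			n = v
		}
	}
	return n
}

// Prune drops superseded versions of a file only once six years have elapsed
// since that file's last edit. The current version is always kept. Returns the
// number of versions dropped.
func (c *Catalog) Prune(now time.Time) int {
	dropped := 0
	for path, vs := range c.versions {
		last := newest(vs)
		if now.Before(last.Modified.AddDate(retentionYears, 0, 0)) {
			continue // retention clock still running: keep every version
		}
		kept := make([]Version, 0, 1)
		for _, v := range vs {
			if v.Modified.Equal(last.Modified) {
				kept = append(kept, v)
			} else {
				dropped++
			}
		}
		c.versions[path] = kept
	}
	return dropped
}

// Restore returns the newest version of path after verifying its digest, so a
// restore drill fails loudly on a corrupted copy instead of returning bad data.
func (c *Catalog) Restore(path string) ([]byte, error) {
	vs := c.versions[path]
	if len(vs) == 0 {
		return nil, fmt.Errorf("no backup of %s", path)
	}
	n := newest(vs)
	sum := sha256.Sum256(n.Data)
	if hex.EncodeToString(sum[:]) != n.SHA256 {
		return nil, fmt.Errorf("checksum mismatch restoring %s", path)
	}
	return n.Data, nil
}

// VersionCount reports how many versions of path are still retained.
func (c *Catalog) VersionCount(path string) int { return len(c.versions[path]) }

func main() {
	c := NewCatalog()
	// Constructed sample: a chart edited in 2015 and again in 2016.
	c.Store("chart.txt", time.Date(2015, 1, 10, 0, 0, 0, 0, time.UTC), []byte("v1"))
	c.Store("chart.txt", time.Date(2016, 3, 4, 0, 0, 0, 0, time.UTC), []byte("v2"))
	fmt.Println("dropped in 2020:", c.Prune(time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)))
	fmt.Println("dropped in 2023:", c.Prune(time.Date(2023, 1, 1, 0, 0, 0, 0, time.UTC)))
	data, err := c.Restore("chart.txt")
	fmt.Printf("restore drill: %q err=%v\n", data, err)
}
```

Run the restore drill on a schedule and record the result; a provider that cannot show you a recent, successful drill has not demonstrated the recovery capability the article asks you to verify.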
How Your Backup Service Provider Can Help You
Having a backup, a provider, and the assurance they are HIPAA compliant is not the end of the line. You and the others at your company need to understand how backup services will help your practice stay compliant yourselves.
Suppose you were hit by Hurricane Sandy – lights out, computer systems not accessible, documentation files gone – and you know that won’t go well with HIPAA. So, if you're lucky enough to still have your hardware (or unfortunately have to buy new) you opt to restore your data from your backup provider. Phew!
Advantages to using a data backup service are numerous. For one, your data is stored off-site, which lets you breathe easy in case of blackouts, malware or viruses. Furthermore, automatic data backup is a relief, seeing as you don’t have to worry about backing up data periodically on site or trying to remember when you last kicked off that backup.
Not to mention, these services normally boast multiple file versioning, so multiple versions of specific documents and files are kept off-site. Backup of servers is done overnight, and your data is encrypted.