According to our friends over at the U.S. Department of Health and Human Services (HHS), when you handle protected health information, that data must remain available, be backed up, and, most importantly, be protected against unauthorized access.
So it may be time for your practice to consider a data backup service: the HIPAA Security Rule's contingency plan standard makes a data backup plan a required implementation specification, not an optional one.
Requirements for HIPAA Compliant Backup Providers
Let's be honest. Many of us have read the HIPAA compliance standards but don't fully understand them. So let's break this down, together.
There are three required elements, or safeguards, under HIPAA that a compliant backup provider has to meet. Keep in mind that these safeguards must hold up even during a system crash.
First are the technical safeguards: access control, audit controls, integrity controls, person or entity authentication, and transmission security. Encryption of electronic protected health information (ePHI) at rest and in transit is an "addressable" specification, which means you must implement it or document why an equivalent measure is reasonable; for data leaving your building it is not optional in practice. HIPAA itself sets no key length, so the "128-bit minimum" many vendors advertise is a vendor baseline rather than a regulatory figure; HHS's guidance points to NIST SP 800-111 for data at rest and NIST SP 800-52 for TLS in transit. Deletion and destruction of media at end of life, which vendors often describe as meeting the Department of Defense wiping standard from the National Industrial Security Program Operating Manual, actually falls under the physical safeguards, and the standard HHS references for media sanitization is NIST SP 800-88.
Second are the physical safeguards, which cover physical infrastructure such as locks and secure access areas. The Physical Safeguards in the HIPAA Security Rule include standards for facility access controls, workstation use, workstation security, and device and media controls; the last of these covers disposal and re-use of media holding ePHI, which is where a provider's data-destruction process is actually assessed.
Third, a number of administrative safeguards must be in place. The standards in the Security Rule include the security management process (risk analysis and risk management), assigned security responsibility, workforce security, information access management, security awareness and training, security incident procedures, contingency planning, periodic evaluation, and business associate contracts. That last one matters directly here: a backup provider that stores your ePHI is a business associate, and you must have a signed business associate agreement (BAA) with it before any patient data is sent.
The U.S. Department of Health and Human Services publishes a Security Series of educational papers that explain each of the three safeguards in more depth. We suggest reading them before choosing a service.
Natural Disaster Recovery
When talking HIPAA compliance, it's also important to look at what your backup service can actually restore, and for how long. The six-year figure that often comes up is the Security Rule's documentation requirement: policies, procedures, and other required records must be kept for six years from their creation or from the date they were last in effect. How long patient records themselves must be kept is set by state law and your own retention policy, so confirm that the service can keep restorable copies for whichever period applies to you.
As a practice physician, you should understand how a backup service would benefit your practice in the event of a natural disaster.
For example, after the devastating tornado in Moore, Oklahoma, more than 2 million patient records were saved because providers used off-site backup servers to store patient data. This is a very different scenario from Hurricane Katrina, where the havoc in hospitals was compounded by the loss of countless paper-based medical records.
The advantages of a data backup service are numerous. For one, your data is stored off site, which lets you breathe easier in case of blackouts, hardware failure, and malware. One caveat on malware: an off-site copy protects you from ransomware only if the backups cannot be altered or deleted with the same credentials an attacker would obtain on your office network, so ask whether the service keeps immutable or access-isolated versions. Furthermore, automatic backup is a relief, since you no longer have to remember to back up data manually.
Not to mention, these services normally offer file versioning, so multiple versions of specific documents and files are kept off site, and an accidental edit or a ransomware-encrypted file can be rolled back to an earlier copy. Server backups are typically scheduled overnight, and your data is encrypted in transit and at rest, an addressable Security Rule specification that a number of practices struggle to implement on their own.
If you keep all of these features in mind when choosing a data backup service provider, you should be in a good position to avoid HIPAA penalties. Remember that the provider's compliance does not make your practice compliant by itself: you still need the signed BAA, your own contingency plan, and periodic restore tests to prove the backups actually work.
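As an added example (not code from the original article or from any backup vendor), the following Python script shows what "file versioning" and a restore check look like at the smallest scale: each snapshot is a labelled copy with a SHA-256 manifest, and a restore drill re-hashes every file to prove it came back intact. The sample "practice" folder, the version labels v1 and v2, and the deliberately corrupted billing file are all constructed for the demonstration; encryption at rest and in transit is left to the backup service or a vetted cryptography library and is not implemented here.

```python
"""Versioned backup snapshots with a SHA-256 manifest and a restore drill.

Added example; not code from the article or from any backup product.
Encryption is deliberately out of scope: this demonstrates versioning
and integrity verification only.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Optional


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large records don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(source: Path, store: Path, label: Optional[str] = None) -> Path:
    """Copy `source` into a new version directory under `store`.

    Each version is kept whole (no overwriting of earlier copies) and gets a
    manifest.json mapping relative path -> sha256, written after the copy.
    """
    label = label or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    dest = store / label
    dest.mkdir(parents=True)          # refuse to clobber an existing version
    manifest: Dict[str, str] = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source).as_posix()
            target = dest / "data" / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[rel] = sha256_file(target)   # hash the stored copy
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return dest


def list_versions(store: Path) -> List[str]:
    """Versions are any subdirectories that carry a manifest."""
    return sorted(p.name for p in store.iterdir() if (p / "manifest.json").exists())


def restore(version: Path, target: Path) -> Dict[str, List[str]]:
    """Restore one version into `target`, verifying each file against its manifest.

    Returns {"ok": [...], "corrupt": [...], "missing": [...]} so a restore
    drill reports exactly which records could not be trusted.
    """
    manifest = json.loads((version / "manifest.json").read_text())
    result: Dict[str, List[str]] = {"ok": [], "corrupt": [], "missing": []}
    for rel, digest in manifest.items():
        src = version / "data" / rel
        if not src.exists():
            result["missing"].append(rel)
            continue
        out = target / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, out)
        bucket = "ok" if sha256_file(out) == digest else "corrupt"
        result[bucket].append(rel)
    return result


def demo() -> dict:
    """Constructed scenario: two versions of a practice folder, then a restore
    drill in which one stored file in v2 has been silently altered."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, store, restored = root / "practice", root / "backups", root / "restored"
        (src / "notes").mkdir(parents=True)
        (src / "notes" / "visit.txt").write_text("v1 visit note\n")       # constructed
        (src / "billing.csv").write_text("id,amount\n1,50\n")             # constructed
        v1 = snapshot(src, store, "v1")
        (src / "notes" / "visit.txt").write_text("v2 visit note, corrected\n")
        v2 = snapshot(src, store, "v2")
        # Simulate bit rot or tampering in the stored v2 copy of billing.csv
        (v2 / "data" / "billing.csv").write_text("id,amount\n1,500\n")
        return {
            "versions": list_versions(store),
            "v1": restore(v1, restored / "v1"),
            "v2": restore(v2, restored / "v2"),
            "v1_note": (restored / "v1" / "notes" / "visit.txt").read_text(),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the drill is the `corrupt` list: a backup that copies bytes faithfully but never re-verifies them on restore would have handed back the altered billing file without complaint. A real service should give you an equivalent report for every restore test you run.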
A version of this article was originally published on our sister site, Power Your Practice.