How to Choose a HIPAA Compliant Data Backup Service

It seems like you need to choose so many things these days – a user-friendly EHR, an efficient practice management system, and even what computers you want your practice staff to use.

Most of us associate data backup with a hard drive, or maybe even some flash external storage. But remember, you’re dealing with sensitive personal health information, and you want to make sure you don’t lose your data in the event of an emergency.

Perhaps it’s time to turn to a data backup service, because HIPAA does not treat secure data backup as optional.

See below for some assistance:

Requirements for HIPAA Compliant Data Backup Vendors

HIPAA compliant data storage doesn’t have to be overly complicated. First make sure the vendor you choose follows the HIPAA Security Rule. HIPAA compliance requires four safeguards, which “can help health care providers avoid some of the common security gaps that could lead to cyber-attack intrusions and data loss,” according to the Office of the National Coordinator for Health Information Technology (ONC).

HIPAA requires:

1. Administrative Safeguards

These actions, policies, and procedures help to prevent, detect, contain, and correct security violations related to electronic protected health information (ePHI). Conducting a security risk analysis and taking action to reduce identified risks remain essential.

2. Physical Safeguards

This addresses physical infrastructure such as locks and secure access areas, including protections against unauthorized intrusion and natural/environmental hazards for ePHI systems and physical buildings where the information is stored. Ensure your vendor has technology, policies and procedures that properly control access to ePHI.

3. Organizational Standards

A “covered entity” must have contracts or other specific arrangements with business associates that specify their access to ePHI.

4. Policies and Procedures

Make sure your vendor keeps written security policies and procedures for a minimum of six years (from creation or last effective date, whichever is later). These written standards should be reviewed and updated periodically “in response to environmental or organizational changes that affect the security of ePHI,” ONC says in its April 2015 Guide to Privacy and Security of Electronic Health Information.
You can also recommend that your vendor review the National Institute of Standards and Technology (NIST) HIPAA Security Rule Toolkit. Keep in mind that the U.S. Department of Health and Human Services used the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to strengthen the HIPAA security and privacy rules in 2013.

Backup and Recovery Best Practices

Security is also about planning ahead. A data backup plan, a disaster recovery plan and an emergency mode operations plan all contribute to HIPAA compliance. Together, the three plans give assurance that the backup provider’s policies, procedures and capabilities can restore information in an emergency.
Hopefully, this will also give you some peace of mind.

How Your Backup Service Provider Can Help You

Speaking of lowering anxiety, a good HIPAA-compliant backup service offers additional benefits. Off-site data storage can allow you to breathe easier in case of natural disaster, power blackout or malware. Automatic data backup can mean you no longer have to worry about backing up data regularly on site. Furthermore, many service providers, including cloud-based data systems, store multiple versions of files at multiple locations for additional physical protection, known as ‘data redundancy.’

Bonus: Here’s a detailed listing of additional HIPAA compliant hosting providers from HIPAAHQ.com
