8 Things Your Data Backup Needs to be HIPAA Compliant

Posted by John Feucht on Jul 24, 2014 6:00:00 AM

When I speak to clients in the healthcare field (medical practices, dental offices, health insurance administrators), there’s one topic that comes up again and again: HIPAA compliance. Business owners and managers want to know how to put the right technical safeguards in place to secure their customers’ protected health information (PHI)—and meet all the guidelines of the Health Insurance Portability and Accountability Act (HIPAA).

But even with the best of intentions, most struggle with HIPAA compliance. After all, they’re trying to run a business or serve their patients, not become full-time IT experts.

“Of course, I do my best to protect the sensitive health information we handle. I take that responsibility very seriously,” is a typical statement I hear from business owners in the healthcare field. “But when it comes to these technical requirements for HIPAA compliance, I’m not sure where to even start.”

One element of HIPAA that is particularly confusing is data backups.

For businesses looking to ensure full HIPAA compliance and system security, proper data backup is crucial. When it’s done right, data backup provides an incredible “security blanket” in the event of a disaster, while still providing the utmost protection for all PHI. When it’s done wrong (or not done at all), a business could permanently lose all of its client data should a device malfunction. Or worse, the valuable data could end up in the wrong hands, captured by a malicious party through a security loophole.

With stiff HIPAA penalties and the loss of client or patient trust, such an event could easily put a small business underwater.

In technical terms, HIPAA describes its data backup requirement as “Retrievable exact copies of electronic protected health information.” What the government is looking for here are the two A’s: archive and accessibility. The PHI must be copied securely, and easily restored in the event of a disaster.

So what does it really take for a business to make sure its data backup is secure and HIPAA compliant?

  1. Data backup must occur offsite and be replicated to at least one other location. Otherwise, in the event of a disaster, the archives could be irretrievable or destroyed (and therefore useless).

  2. Data must always be encrypted to ANSI standards. Note: This is a common area of noncompliance for many small businesses. Many business owners are still using tape or disk-based backups that are unencrypted and can be easily moved or tampered with.

  3. The data that is backed up must be viewable at the “granular” level. That means individual messages, documents, and notes must be easy to pull up on their own (rather than just an incomplete synopsis of the records involved).

  4. The data must be recoverable. This is important. If there’s any loss to data, there must be a way to restore it, so that valuable information isn’t lost entirely.

  5. Any security safeguards normally in place must remain in place during a data recovery. (Because scrambling to restore lost data isn’t worth sacrificing its security.)

  6. There must be thorough documentation outlining your data backup plan and processes. HIPAA’s wording is vague here, but the expected outcome is clear: As a business owner, you must put a compliant data backup plan on paper and stick to it. Periodic testing of your plan of action is also required and should be clearly documented.

  7. You must include audits and reporting. Your data backups (including testing) must be easily traceable through a detailed audit trail, and reports on your backups should be generated regularly.

  8. Backups should be kept as long as needed—indefinitely is best, with hourly backups being consolidated into weekly, weekly into monthly, etc. That way, there’s no need to get rid of data that could someday be needed.
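Items 4, 6 and 7 above come down to one practice: periodically prove that a backup restores as an exact copy, and leave a record of each test. As an added example (not code from the original post or from any product it mentions), the following Python check compares a SHA-256 manifest of the source against the restored copy and appends the outcome to a JSON-lines audit log; the directory layout and file contents are constructed sample data.

```python
"""Restore-verification check: is the restored backup an exact copy of the source
("retrievable exact copies")? Result goes to an append-only audit log. Added example."""
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone

def build_manifest(root):
    """Map each file's path relative to root to its SHA-256 digest and size."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root)] = {"sha256": digest, "size": os.path.getsize(full)}
    return manifest

def verify_restore(source_manifest, restored_root):
    """Return (ok, problems): every source file must be present and byte-identical;
    files that exist only in the restore are reported as well."""
    restored = build_manifest(restored_root)
    problems = [f"missing: {p}" for p in source_manifest if p not in restored]
    problems += [f"mismatch: {p}" for p, m in source_manifest.items() if p in restored and restored[p] != m]
    problems += [f"unexpected: {p}" for p in restored if p not in source_manifest]
    return not problems, problems

def log_restore_test(audit_log, ok, problems, file_count):
    """Append one JSON line per test so the audit trail is machine-readable."""
    record = {"ts": datetime.now(timezone.utc).isoformat(), "event": "restore_test",
              "result": "pass" if ok else "fail", "files": file_count, "problems": problems}
    with open(audit_log, "a") as fh:
        fh.write(json.dumps(record) + "\n")
    return record

def demo():
    """Constructed sample: two files, one clean restore, then a corrupted one."""
    work = tempfile.mkdtemp()
    src, restored, audit = (os.path.join(work, n) for n in ("src", "restored", "audit.jsonl"))
    os.makedirs(src)
    for name, body in (("notes.txt", "visit note 1\n"), ("msg.eml", "message body\n")):
        with open(os.path.join(src, name), "w") as fh:
            fh.write(body)
    manifest = build_manifest(src)
    shutil.copytree(src, restored)  # stands in for backup followed by restore
    ok, problems = verify_restore(manifest, restored)
    log_restore_test(audit, ok, problems, len(manifest))
    with open(os.path.join(restored, "msg.eml"), "a") as fh:
        fh.write("x")  # simulate a corrupted restore
    ok2, problems2 = verify_restore(manifest, restored)
    log_restore_test(audit, ok2, problems2, len(manifest))
    return ok, ok2, problems2
```

Running the same check against a real restore target turns item 6’s “periodic testing” into a scheduled job whose audit.jsonl lines satisfy item 7’s traceability requirement.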

The eight points above aren’t steps I would advise a business owner to take on themselves - unless they have a dedicated security or compliance expert on staff. Rather, they are a guide to what you should be looking for in terms of a data and compliance solution for your business. The truth is, the advanced backup solutions on the market today do all the work for you, protecting your data and seamlessly applying compliance guidelines without affecting your day-to-day operations.

Ready to learn more? Check out C3’s guide on HIPAA Compliance in the Cloud with a Hosted Desktop Solution.
