If you run a small medical practice, I have one question for you.
Are you backing up your data as often as you need to (and are you sure it’s working)?
Not only is backing up your data required by law by HIPAA, it’s a best practice that prepares you against a number of small disasters that could halt your operations immediately. Without proper backups, inevitable events such as computer or hard drive failures, power outages, or Internet outages mean you won’t be able to access patient files, test data, or even use your email.
HIPAA requires that all PHI (protected health information) be secure and immediately retrievable at all times. PHI is any “individually identifiable health information.” This includes any information about health status, or the provision or payment of health care, that can be linked to a specific individual, such as any part of a patient’s medical record or payment history. HIPAA describes it data backup requirement as “retrievable exact copies” of electronic PHI. To ensure your data backups are HIPAA compliant, read our post on “8 Things Your Data Backup Needs to be HIPAA Compliant.”
What You Should Be Backing Up
First and foremost, this means that your EMR data needs to be regularly backed up. Most EMR software include this as a feature, so you are likely doing it already. However, anything else that includes patient data also needs to be backed up, such as electronic check-in/check-out forms, prescriptions, and emails discussing a patient.
In addition to patient data, it’s a good idea to back up everything your practice uses on a regular basis, such as templates for intake and check out forms. Generally, you also want to back up all of your email, whether or not it contains patient PHI. While losing access to these may be more of an inconvenience than a show stopper, there’s no reason not to copy and archive them as well.
How You Should Be Backing Up
You should be using modern, image-based backups and not just file backups (or old school tape backups that need to be replaced every night). File-based backups means that individual files are backed up, but that’s all. In the event of a crash, your programs would need to be reinstalled. While you could restore your Word documents, for example, you’d have to reinstall Word before you can open them (same with any other application).
Image-based backups, essentially take a snapshot taken of the entire computer. When restoring from an image-based backup, programs like your EMR, Outlook, and Word do not need to be reinstalled. The image backup enables us to restore the whole server (programs, files, settings and all) to the state it was at the time the backup was taken. Or, if you only need to restore certain files from a backup, you can do that too. Image-based backups have become so efficient, that if you’re looking to restore a file from 8am yesterday morning and accidentally deleted or corrupted, you can get it back in less than 2 minutes.
A final important consideration: HIPAA requires both on and off-site backups (which we’d argue is best practice anyway). Without a local backup, if lose connection to the internet and all of your data is only hosted in the cloud, you’d lose access to all of those files.
Why You Should Be Backing Up
Aside from protecting PHI, backups protect against common accidents. As most people know, data loss is just a part of digital life.
Computers get viruses. It’s unavoidable in some sense. It could be as simple as a piece of malware that adds a bit of code to all of your files and corrupts them to render them unreadable. In such a case, there is literally no solution to “fix” the current files, you have to replace them with an uncorrupted, backed up version.
Accidental file (or folder) deletion is more common than anyone would like to admit. We frequently handle situations where files are accidentally deleted or lost when a program crashes mid-use. Whatever the cause, when accidents happen, backups ensure your data is safe and accessible.
How Often Should You Perform Back Ups?
The best practice is to run hourly backups. If your practice is not generating a massive quantity of data that can’t be compressed (which would be slow to upload and make anything running on your internet a bit slower), there’s no excuse not to.
At a bare minimum, you need to have daily backups. However, daily backups are not ideal. Imagine your physician is spending three hours with a patient running some tests and inputting their info into your EMR software. Then, later that afternoon, your internet connection is lost or a file gets corrupted. Since that information would not have been backed up yet, you will have lost all that info and hours’ worth of work.
To summarize: back up anything required by HIPAA and anything that would make your physicians’/nurses’/admins’ lives more difficult if they lost access for a day, back it up hourly, and back it up both on the cloud and on-site.
Learn More
To learn more about meeting HIPAA compliance and how hosted desktops can be a great solution for small medical practices, download our whitepaper on HIPAA Compliance in the Cloud with a Hosted Desktop Solution.
