Patient privacy continues to be a topic of concern as technology evolves. Now that the majority of patient information has been transferred to digital format, the healthcare IT industry recognizes that it is exposed to certain risks. These risks include disasters that may cause physical damage to the servers and/or computers that store patient information. Prior to the institution of the Health Insurance Portability and Accountability Act (“HIPAA”) by Congress in 1996, there were no universal standards in place to determine whether a healthcare provider was properly securing patient information. HIPAA was designed to promote the confidentiality and portability of patient records, as well as to establish data security standards for consistency across the health care industry. Under this act, organizations must adhere to HIPAA compliance standards for protecting their systems, and patients can feel confident that their personal medical information will remain private.
The HIPAA Security Final Rule, the last of the three HIPAA rules, was published in the February 20, 2003 Federal Register with an effective date of April 21, 2003. Most Covered Entities (CEs) had two full years – until April 21, 2005 – to comply with these standards. Many CEs, including providers, are still not in compliance. As a result, the 2009 HITECH Act increased the penalties for non-compliance with the HIPAA rule. In addition, the recent HIPAA Omnibus Final Rule has expanded the notification requirements and penalties that providers are liable for in relation to PHI (Personal Health Information) breaches, and has expanded HIPAA coverage so that it also applies to Business Associates (BAs).
What is the Security Rule intended to protect?
The Security Rule applies to protected patient health information in electronic formats. This is patient information that is transmitted by electronic media or maintained on electronic media. HIPAA compliance data storage rules are meant to:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information the “Covered Entity” creates, receives, maintains, or transmits
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part
- Ensure HIPAA compliance with this subpart by its workforce
Here’s what the HIPAA Security Final Rule means to you as a CE:
- It’s not optional: All CEs, including medical practices, must securely back up “retrievable exact copies of electronic protected health information” (CFR 164.308(7)(ii)(A)).
- Your data must be recoverable: Why else are you backing it up? You must be able to fully “restore any loss of data” (CFR 164.308(7)(ii)(B)).
- You must get your data offsite: As required by the HIPAA Security Final Rule (CFR 164.308(a)(1)). How could one defend a data backup and disaster recovery plan that stored backup copies of ePHI in the same location as the original data store?
- You must back up your data frequently: As required by the HIPAA Security Final Rule (CFR 164.308(a)(1)). In today’s real-time transactional world, a server crash, database corruption, or erasure of data by a disgruntled employee at 4:40 PM would result in a significant data loss event if one had to recover from yesterday’s data backup.
- Safeguards must continue in recovery mode: The same set of security requirements that applies under normal business operations must also apply during emergency mode. CEs and BAs cannot let their guard down (CFR 164.308(7)(ii)(C)).
- Encrypt or Destroy: HITECH says to encrypt or destroy data at rest to secure it (Section 13402(h) of Title XIII HITECH Act). HIPAA Security Rule says that data being transmitted must be encrypted (CFR 164.312(e)(1)(B)). Many CEs and BAs fail in this area because tape- or disk-based backups are moved around freely, unencrypted.
- You must have written procedures related to your data backup and recovery plan: Policies and procedures (CFR 164.312(b)(1)) and documentation (CFR 164.312(b)(2)(i)) are a huge part of the HIPAA Security Final Rule.
- You must test your recovery: A backup is useless if your recovery fails, so the law requires that you “Implement procedures for periodic testing and revision of contingency plans.” (CFR 164.308(7)(ii)(D)). Unfortunately, testing tape-based or disk-based recovery can be time-consuming, so most companies rarely do it.
- Non-compliance penalties are severe: Penalties are increased significantly in the new tiered Civil Monetary Penalty (CMP) System with a maximum penalty of $1.5 million for all violations of an identical provision.
While many practices have been meeting these requirements with manual methods, security auditors will be increasingly focused on discovering flaws in manual backup processes that put patient data at risk and could prevent you from fully restoring it if you ever needed to. Now is the time to implement a more secure and foolproof solution. Consider MicroMD eBackUp.
How do cloud-based data backup solutions help your practice?
- Allows practices to help meet strict Meaningful Use Security Audit measures and HIPAA security requirements
- Ensures your practice can continue operations if there is a local disaster
- Frees up your administrative and IT staff from making, checking, transporting and storing tape backups
How does MicroMD eBackUp do it?
- Provides AES 256-bit encryption for data both in motion and at rest
- Features NIST-approved FIPS 140-2 security certification
- Powered by Asigra with 1 million+ installations worldwide trusting the Asigra data backup platform
- Multi-location, redundant backup ensures data is recoverable
- Backs up all types of data, databases, applications and operating systems for devices across your entire LAN
- MicroMD manages the setup, automated backup monitoring, issue notification and support
- Doesn’t impact day-to-day operations with slowdowns like other systems
The Asigra Difference
- 2014 Gartner Magic Quadrant for Enterprise Backup Software and Integrated Appliances; Asigra included for the 4th consecutive year
- Asigra has been named the top enterprise solution provider in Storage Magazine’s 9th annual TechTarget Quality Awards survey for backup and recovery software
Contact your MicroMD eSERVICES Representative to purchase or learn more.