How to choose a HIPAA-compliant data backup service

It seems like you need to choose so many things these days – meaningful use-certified EHRs, a capable practice management system, and even what computers you want your practice using.

Now, most of us associate data backup with an external hard drive, or maybe a USB flash drive. But remember, you’re dealing with sensitive personal health information, and you want to be sure you don’t lose your data in the event of an emergency.

Perhaps it’s time to turn to a data backup service, since HIPAA does not treat secure data backup as optional. See below for some assistance.

Requirements for HIPAA-compliant backup providers

It’s time to be a little blunt. Many will read HIPAA and not fully understand it. But a genuine attempt at decoding it doesn’t excuse you from complying. Plus, when put simply, the requirements aren’t half bad.

As far as data backups are concerned, the HIPAA Security Rule defines three categories of required safeguards, all of which a compliant backup provider must meet.

It is important to note that these safeguards must still hold even when you are operating in recovery mode.

First are the technical safeguards: a minimum of 128-bit encryption, and deletion and destruction of data, which can follow the Department of Defense’s standards set out in the National Industrial Security Program Operating Manual. If you don’t encrypt data at rest, then it must be destroyed.

Second are the physical requirements, or issues related to physical infrastructure such as locks and secure access areas. The Physical Safeguards in the HIPAA Security Rule include standards for facility access controls, workstation use and security, and device and media controls.

Third, a number of administrative safeguards must be observed in order to meet HIPAA compliance. The standards cited in the Security Rule include a provider’s security management process, assigned security responsibility, workforce security, information access management, security awareness training and contingency planning.

The U.S. Department of Health & Human Services publishes a Security Series that covers the three safeguards in more depth. Tread carefully before choosing a service.

Backup and recovery best practices

Once you have a more comprehensive understanding of the HIPAA Security Rule, it’s time to become aware of the responsible practices a compliant vendor must follow.

Now look at the backup service providers themselves. The key to backup and recovery is ensuring data can be restored for six years beyond its last edit. Three plans help ensure HIPAA compliance here: a data backup plan, a disaster recovery plan and an emergency mode operations plan.

Together, the three plans ensure a backup provider has the policies, procedures and capabilities in place to restore information from its storage infrastructure, so you won’t be out of luck in an emergency.

How your backup service provider can help you

Choosing a HIPAA-compliant service provider is only part of it; your practice should also understand how backup services help you stay compliant yourself.

Suppose you were hit by Hurricane Sandy – lights out, computer systems not accessible. Documentation files gone – and you know that won’t go well with HIPAA. So, you opt for a data backup service.

The advantages of using a data backup service are numerous. For one, your data is stored offsite, which lets you breathe easy in case of blackouts and malware. Furthermore, automatic data backup is a relief, since you no longer have to remember to back up data periodically on site.

Not to mention, these services normally offer file versioning, so several versions of a given document or file are kept offsite. Server backups run overnight, and your data is encrypted, a Security Rule requirement that many practices struggle with.
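The three requirements the article keeps returning to (encryption at rest with at least a 128-bit key or destruction of the copy, restorability for six years beyond the last edit, and versioned offsite copies) can be checked against a backup inventory rather than taken on faith. The script below is an added example, not code from the article or from CareCloud; the inventory entries, dates, key sizes and record contents are constructed, and the `BackupVersion` layout is a hypothetical one chosen for the illustration. It classifies each stored version as retained or destroyable, flags copies that violate the encryption requirement, and verifies a restore drill against the digest recorded at backup time.

```python
"""Audit a (constructed) backup inventory against the article's three points:
encryption at rest, six-year restorability, and per-record versioning."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Optional

MIN_KEY_BITS = 128     # the article's minimum key size for data at rest
RETENTION_YEARS = 6    # data must stay restorable six years beyond its last edit


@dataclass(frozen=True)
class BackupVersion:
    """One stored version of one record (hypothetical inventory layout)."""
    record_id: str
    version: int
    taken_on: date
    last_edited: date       # the last edit captured by this version
    key_bits: Optional[int]  # None means the copy is stored unencrypted
    sha256: str             # digest recorded when the version was written


def retain_until(last_edited: date) -> date:
    """Last day on which this version must still be restorable."""
    try:
        return last_edited.replace(year=last_edited.year + RETENTION_YEARS)
    except ValueError:  # 29 February with no leap day six years on
        return last_edited.replace(year=last_edited.year + RETENTION_YEARS, day=28)


def audit(inventory: list[BackupVersion], today: date) -> dict:
    """Sort every version into retain / may_destroy and list safeguard gaps."""
    report = {"retain": [], "may_destroy": [], "findings": []}
    for v in inventory:
        key = (v.record_id, v.version)
        # Technical safeguard: unencrypted data at rest must be encrypted or destroyed.
        if v.key_bits is None:
            report["findings"].append((key, "stored unencrypted: encrypt at rest or destroy"))
        elif v.key_bits < MIN_KEY_BITS:
            report["findings"].append(
                (key, f"key is {v.key_bits} bits, below the {MIN_KEY_BITS}-bit minimum"))
        # Retention: keep the version until six years past the edit it captures.
        if today > retain_until(v.last_edited):
            report["may_destroy"].append(key)
        else:
            report["retain"].append(key)
    return report


def versions_retained(report: dict) -> dict[str, int]:
    """How many restorable versions each record still has offsite."""
    counts: dict[str, int] = {}
    for record_id, _ in report["retain"]:
        counts[record_id] = counts.get(record_id, 0) + 1
    return counts


def verify_restore(restored: bytes, expected_sha256: str) -> bool:
    """Restore drill: the bytes that came back must match the recorded digest."""
    return hashlib.sha256(restored).hexdigest() == expected_sha256


# Constructed sample data; none of this is real patient or backup information.
SAMPLE_RECORD = b"constructed sample record, version 2"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_RECORD).hexdigest()

INVENTORY = [
    BackupVersion("rec-A", 1, date(2015, 3, 1), date(2015, 2, 28), 256, "0" * 64),
    BackupVersion("rec-A", 2, date(2019, 6, 1), date(2019, 5, 30), 256, SAMPLE_DIGEST),
    BackupVersion("rec-B", 1, date(2023, 1, 1), date(2022, 12, 31), None, "1" * 64),
    BackupVersion("rec-C", 1, date(2023, 7, 1), date(2023, 6, 30), 64, "2" * 64),
]

if __name__ == "__main__":
    result = audit(INVENTORY, date(2024, 1, 15))
    for bucket in ("retain", "may_destroy"):
        print(bucket, result[bucket])
    for key, reason in result["findings"]:
        print("FINDING", key, reason)
    print("versions retained per record:", versions_retained(result))
    print("restore drill ok:", verify_restore(SAMPLE_RECORD, SAMPLE_DIGEST))
```

The audit date is passed in explicitly so the same inventory yields the same answer on any day, which makes the report reproducible for an auditor. In the sample, `rec-A` version 1 captures an edit from 2015 and may be destroyed in 2024, while version 2 must stay until 2025; `rec-B` is flagged because it is unencrypted and `rec-C` because its key is too short. The restore drill compares a digest rather than file size or modification time, since only the content hash tells you the restored copy is the one that was backed up.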

What has been your experience in a search for a data backup service?

Ahmed Mori is a content writer for CareCloud specializing in meaningful use certification, EHRs and mHealth. He enjoys researching and reporting on innovative healthcare technologies. Read his work on PowerYourPractice and the CareCloud blog.