Here’s what you need to know about the explicit HIPAA requirements regarding the data backup and recovery of ePHI in the event of a data disaster.
Data backup and data recovery are essential for every HIPAA-compliant business out there. You know this already, of course – but what does it really mean in practice? What do you need to do and what do you need to look for in a data backup and recovery provider when it comes to HIPAA?
What Is HIPAA-Compliant Data Backup and Recovery?
To put it simply, the Health Insurance Portability and Accountability Act of 1996 and its subsequent amendments require organizations – namely healthcare providers, plans and clearinghouses, known collectively as covered entities (CEs) – to protect the privacy and ensure the security of patient information.
The HIPAA Privacy Rule, in effect since 2003, covers all protected health information (PHI) and the Security Rule, also published in 2003, protects all electronic PHI, or ePHI. Since the majority of patient information is now recorded and stored in electronic or digital format, the HIPAA Security Rule is of particular concern when it comes to data backup and recovery.
A robust and workable HIPAA-compliant backup and recovery plan is part of the Security Rule, which applies not only to covered entities themselves, but to their business associates (BAs) as well. A business associate is simply an organization that is not a member of a CE's workforce yet has access to the ePHI of a covered entity.
Since cloud storage and data backup and recovery providers handle and have access to the ePHI a CE entrusts them with, these providers are classed as HIPAA business associates.
As such, BAs are equally obligated to comply with all relevant sections of the Privacy Rule, the Security Rule, as well as the Health Information Technology for Economic and Clinical Health Act (the HITECH Act), enacted in 2009.
Essentially, the HITECH Act clarifies and strengthens certain aspects of the HIPAA Privacy and Security Rules to remove loopholes and ensure business associates of HIPAA covered entities comply with HIPAA Rules through increased enforcement and higher penalties for non-compliance.
Importantly, CEs are required to ensure that any BAs who create, receive, maintain, or transmit PHI for which the covered entity itself is responsible, comply with the HIPAA Privacy and Security Rules, as well as HITECH.
This means that you must ensure that any data backup and recovery provider you work with can demonstrate their HITECH and HIPAA compliance in no uncertain terms.
Understanding HIPAA Data Backup and Recovery Requirements
HIPAA explicitly mandates specific requirements regarding the backing up of ePHI and ensuring its recoverability in the event of a data disaster, such as a cyberattack or other event that causes damage to computers or servers where ePHI is stored.
Let’s look at some of the exact wording from the legislation so we can understand fully what is required:
- Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure and natural disaster) that damages systems that contain electronic protected health information.
- Data backup plan (required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
- Disaster recovery plan (required). Establish (and implement as needed) procedures to restore any loss of data.
- Risk management (required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a) (i.e. ensuring the “confidentiality, integrity and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.”)
- Testing and revision procedures. Implement procedures for the periodic testing and revision of contingency plans.
- Transmission security. Implement technical security measures to guard against unauthorized access to electronic health information that is being transmitted over an electronic communications network.
- Encryption. Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
From the paragraphs above, along with other parts of the HIPAA Security and Privacy Rules and the HITECH Act, we can understand a number of things about the data backup and recovery requirements placed on CEs and BAs.
First, implementing both a data backup plan and a disaster recovery plan is not optional. Retrievable exact copies of ePHI must be securely backed up to restore any loss of data in the event of a disaster.
Second, for adequate management of risk, these copies of ePHI must be frequently backed up to an offsite location. This is the only reasonable and appropriate way to ensure that should anything happen to the data at your office, you can quickly recover that data from its remote storage location.
Third, encryption is necessary as a technical security measure to protect ePHI that is being transmitted.
In addition, the HITECH Act stipulates that organizations must “encrypt or destroy” data at rest as well.
UnisonBDR for Compliant Data Backup and Recovery
In order to meet the rigorous requirements of HIPAA and HITECH, HIPAA covered entities must seek a HIPAA-compliant data backup and recovery provider to implement the necessary safeguards – that is, incorporate the necessary technology, tools, policies, encryption, procedures and controls – in order to protect ePHI at all times.
Central Data Storage is that provider. In UnisonBDR, we offer a fully supported, encrypted, cloud-based and HIPAA-compliant data backup and recovery solution designed specifically for HIPAA covered entities.
Our 448-bit end-to-end encryption exceeds military grade standards to ensure your ePHI is continuously protected from all threats, both in transit to and at rest in our secure private cloud.
Backups are performed frequently and are automated, meaning you never have to worry about forgetting to carry them out.
In addition, with unlimited storage capacity, dual authentication and ransomware recovery, UnisonBDR ensures that your data is always safe, fully protected and recoverable no matter what.
Central Data Storage exists to help businesses remain HIPAA-compliant and survive all data disasters. We are here to support you with advice and guidance in these difficult times.