Medical recovery solutions are classed as business partners under HIPAA. Here’s what that means for your data backup processes and responsibilities.
2020 has been a bad year for healthcare-related data breaches and medical data recovery solutions are not immune either.
In September 2020 alone, nearly 10 million patient records were breached, with 95 recorded breaches of 500 records or more. According to Health IT Security, that is just under 25% of 2019’s total, in a single month.
(Image source: hipaajournal.com)
With hacks appearing to be on the increase year-on-year (Health IT Security records saw a 49% increase in hacking activity from 2018 to 2019) and additional COVID-19 workloads creating potential stress points for many healthcare-related businesses, it’s never been more important for medical recovery solutions to think about how and where they back up sensitive patient information.
Ultimately, medical recovery solutions bear just as much responsibility for keeping patient data safe from a breach as healthcare providers themselves.
They are also responsible for ensuring their cloud storage providers are adhering to regulatory guidelines.
Below, we outline the responsibilities medical recovery solutions have for data protection under HIPAA, what this means for your data recovery and how this should influence your choice of cloud backup provider.
Medical Data Recovery Solutions and HIPAA: Where Do You Stand?
Anyone using, processing, sharing or storing patients’ protected health information (PHI) has certain obligations under HIPAA, even if they are not healthcare providers themselves.
Under HIPAA, the Department of Health splits organizations that work with PHI into two categories:
- Covered entities – organizations providing healthcare directly to patients
- Business partners – organizations who process or store PHI on behalf of covered entities
As medical recovery solutions process medical practice data to calculate how much revenue practices could be owed by insurance companies, they count as business partners under HIPAA.
What Does This Mean for How You Store and Recover Data?
As business partners, HIPAA requires medical recovery solutions to take the same precautions in safeguarding PHI as covered entities do – and they’re equally liable to regulatory fines in the event of negligence.
Safeguarding falls into the following areas:
- Technical safeguards (transmission security, access, integrity and audit controls, taking steps to encrypt data where appropriate)
- Physical safeguards (workstation and device protection, data facility access controls)
- Administrative safeguards (data access management, staff management and training, security management, regular assessment)
What Happens if Your Data Backup and Recovery Solutions Aren’t HIPAA-compliant?
If your data backup provider isn’t HIPAA-compliant or commits a HIPAA violation that leads to a breach of patient data or data loss, your medical recovery company could also be liable to regulatory action.
Depending on how serious a breach is, fines range from $100 per violation to $50,000 per violation, up to $1.5 million per year.
Needless to say, it could be a huge blow for your business financially if you’re found lacking in due diligence through a business partner breach.
(Image source: hipaajournal.com)
Choosing the Right Data Storage Partner Is Essential
Given that medical recovery solutions can be liable if their data backup providers are found to be in breach of HIPAA regulations, they need to be very stringent in choosing a partner for remote data backup and recovery.
Broadly speaking, there are two main types of data storage provider to consider:
- A generalist cloud backup provider like Amazon Web Services, which offers HIPAA-compliant data backup and recovery alongside other business services
- A specialist, HIPAA-certified cloud backup provider like CDS, which focuses on HIPAA-compliant data storage
When making a decision about which of these to choose, ask yourself, “Do we just want a provider, or do we want a partner?”
Whilst plenty of larger providers will provide the HIPAA storage you ask for, they might not provide the level of service you need to remain assured that your data is in safe hands.
Do you want to be able to pick up the phone as soon as you’re worried about something, or have to progress a ticket through multiple levels of service operatives?
Do you want a simple, transactional relationship with your cloud backup provider, or would you prefer a more collaborative one?
It’s also worth noting that HIPAA compliance is absolutely central to specialist providers’ business proposition.
The business model is built around regulatory compliance, so it’s in specialists’ interests to keep absolutely up to date on HIPAA developments in a way that isn’t as pressing for more general providers.
Finding the Right Data Backup Partner Is Essential
If you’re a medical recovery solutions provider and you’re looking for a top-of-the-range data backup partner, there are two key traits you should look for:
- Expert knowledge of both the cloud security landscape and HIPAA requirements for business partners
- Proven experience in the industry stretching back a number of years, with an exemplary track record in protecting people’s data.
At Central Data Storage, we’ve been working with healthcare companies to store data securely and remotely since 2008.
UnisonBDR is our specialist solution for highly regulated industries. As HIPAA-compliant cloud storage providers, we specialize in monitoring HIPAA developments and keeping on top of the latest cloud storage and security technologies – all whilst offering a transparent, collaborative and supportive partnership to organizations that process PHI.
To keep your data secure, we offer:
- Expert-created disaster recovery processes
- Data storage services
- Advanced encryption and encrypted file sharing
- Secure data centers with top-level security and access controls