HIPAA Rules on Data Back Up and Disaster Recovery Plan
April 16, 2018

Patient privacy continues to be one of the most talked-about topics in the healthcare industry as technology evolves. As the majority of patient information moves to electronic format, the healthcare IT industry realizes that it is exposed to certain risks, including disasters that may cause physical damage to the servers and/or computers that store patient information. It is a best practice for an organization to evaluate its systems and then implement a secure backup, archiving, and recovery solution to comply with HIPAA standards. Covered Entities must have a well-defined contingency plan that ensures patient data is still available after a primary data loss. In a nutshell, information security is about ensuring three attributes of information or data: confidentiality, integrity, and availability.

The HIPAA Security Final Rule, the last of the three HIPAA rules, was published in the February 20, 2003 Federal Register with an effective date of April 21, 2003. Most Covered Entities (CEs) had two full years – until April 21, 2005 – to comply with these standards. Many CEs, including providers, are still not in compliance. As a result, the 2009 HITECH Act increased penalties for non-compliance with the HIPAA rule. In addition, the recent HIPAA Omnibus Final Rule expanded the notification requirements and penalties that providers are liable for in relation to PHI (Personal Health Information) breaches, and extended HIPAA coverage so that it also applies to Business Associates (BAs).

So here are some notable points you must consider and remember:

  1. Data Back Up is NOT OPTIONAL. All Covered Entities (CEs), as well as medical practices and Business Associates, must comply with this and ensure that they securely back up “retrievable exact copies of electronic protected health information” (CFR 164.308(7)(ii)(A)).
  2. The DATA you are securing and backing up must all be RECOVERABLE. You must be able to fully “restore any loss data” (CFR 164.308(7)(ii)(B)).
  3. STORE BACKUP COPIES OF ePHI OFF SITE, in a location different from the original data storage (CFR 164.308(a)(1)). This way, your data exists in two physical locations. If anything happens to the data at your office, you can quickly recover it from the remote storage.
  4. Ensure FREQUENT BACK UP of your data. This is required by the HIPAA Security Final Rule (CFR 164.308(a)(1)). Regular backups are the first step in enhancing Disaster Recovery and Business Continuity (HIPAA Security Rule 164.308(a)(7)(i)).
  5. The same set of security requirements that applies under normal business operations must also apply during EMERGENCY MODE (CFR 164.308(7)(ii)(C)).
  6. HITECH says to ENCRYPT OR DESTROY DATA AT REST TO SECURE IT (Section 13402(h) of Title XIII, HITECH Act). Note that data at rest means inactive data that is stored physically in any digital form (e.g. databases, data warehouses, spreadsheets, archives, tapes, off-site backups, mobile devices, etc.). The HIPAA Security Rule also says that data being transmitted must be encrypted (CFR 164.312(e)(1)(B)); this is known as Transmission Security.
  7. Data Backup and Recovery plans must have WRITTEN PROCEDURES. Policies and procedures (CFR 164.312(b)(1)) and documentation (CFR 164.312(b)(2)(i)) are a huge part of the HIPAA Security Final Rule.
  8. TEST your Recovery plan. No matter how carefully crafted it is, a Disaster Recovery plan has no value if it doesn’t work when needed, or if only a subset of the protected data can be recovered and recreated. Thus, the law requires that you “Implement procedures for periodic testing and revision of contingency plans.” (CFR 164.308(7)(ii)(D)).
  9. Non-compliance penalties are severe: penalties are increased significantly in the new tiered Civil Monetary Penalty (CMP) system, with a maximum penalty of $1.5 million for all violations of an identical provision.
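Points 1, 2, 4 and 8 above amount to a check you can automate as part of periodic testing: does the restored copy exactly match what was backed up, is any file missing, and is the newest backup still within your frequency policy? The Python script below is an added example, not part of the original article or of any HIPAA Guard service; the 24-hour policy, the file names and their contents are constructed assumptions.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

BACKUP_MAX_AGE_HOURS = 24  # assumed backup-frequency policy (constructed value)

def sha256_file(path):
    """Hash a file in chunks so large archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(source_dir, created=None):
    """At backup time, record a hash of every file; keep this manifest with the backup."""
    root = Path(source_dir)
    files = {str(p.relative_to(root)): sha256_file(p) for p in root.rglob("*") if p.is_file()}
    return {"created": time.time() if created is None else created, "files": files}

def verify_restore(manifest, restore_dir, now=None):
    """List problems with a restored copy: missing or altered files, or a backup older than policy."""
    root, now, problems = Path(restore_dir), time.time() if now is None else now, []
    for rel, expected in manifest["files"].items():
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"mismatch: {rel}")
    age_hours = (now - manifest["created"]) / 3600
    if age_hours > BACKUP_MAX_AGE_HOURS:
        problems.append(f"stale: backup is {age_hours:.0f}h old")
    return problems

def run_demo():
    """Constructed sample: a faithful restore, then one with a corrupted and a missing file."""
    work = Path(tempfile.mkdtemp())
    src = work / "ephi"
    src.mkdir()
    (src / "patients.csv").write_text("id,name\n1,Sample Patient\n")  # constructed data
    (src / "notes.txt").write_text("constructed sample record\n")
    manifest = build_manifest(src, created=1000.0)
    good = shutil.copytree(src, work / "restore_good")
    bad = shutil.copytree(src, work / "restore_bad")
    (bad / "patients.csv").write_text("id,name\n1,Altered\n")  # silent corruption
    (bad / "notes.txt").unlink()  # incomplete restore
    ok = verify_restore(manifest, good, now=1000.0 + 3600)
    failed = verify_restore(manifest, bad, now=1000.0 + 48 * 3600)  # also past policy
    shutil.rmtree(work)
    return ok, failed
```

Store the manifest with the off-site copy and run the verification against a real restore, not against the live system, so the test exercises the same path you would use in an emergency.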

It is important that you don’t neglect your disaster recovery and business continuity plans. Ensuring you have a data backup and emergency plan for your most critical infrastructure and data will help keep your organization’s operations running smoothly should the unexpected happen. If you’re ready to put together your own contingency plan, or want to check your current plan against HHS recommendations, HIPAA Guard can help with the Disaster Recovery Consulting Services that you need most!
