
How to Find a HIPAA Compliant Data Backup Service

18 August 2015

Nowadays you must make prudent decisions when purchasing a practice management system and a user-friendly EHR, and when choosing the type of computer the practice staff will use. It is common to think of data backup simply in terms of a hard drive, external storage or cloud backup.

But it is important to remember that you are dealing with sensitive personal health data, and you must ensure that this data is not lost in an emergency. Since HIPAA compliant data backup is mandatory, it is a good idea to hire a cloud data backup service.

First of all, make sure the data backup service vendor is HIPAA compliant, which means it complies with the HIPAA Security Rule. The rule requires the vendor to have four safeguards in place.

According to the Office of the National Coordinator for Health Information Technology (ONC), these safeguards help a medical practice close common security gaps that could lead to data loss or a cyber-attack.

The four safeguards are detailed as follows: 

  1. Physical Safeguards – These safeguards deal with infrastructure factors such as secure access areas, locks and protection against unauthorized entry into the systems holding ePHI (electronic protected health information). They also protect the building that stores the information from environmental and natural hazards. Make sure your vendor has policies, procedures and technology in place to control access to ePHI.

A cloud-based backup service is an excellent option here, since the physical safeguards for the backup copies become the vendor's responsibility rather than something you must build at the practice.

  2. Administrative Safeguards – The policies, actions and procedures that make up the administrative safeguards assist in detecting and preventing security violations involving ePHI. They include conducting a security risk analysis and taking action to reduce the identified risks.
  3. Organizational Standards – The vendor must be a “covered entity” with contracts or arrangements with the other business associates that can access the ePHI when needed.
  4. Policies and Procedures – The vendor must maintain its security policies and procedures in writing for at least six years (from the date of creation or the last effective date, whichever is later). The written policies and procedures must be reviewed and updated from time to time in response to organizational or environmental changes that might affect the security of ePHI. This is mandated in the Office of the National Coordinator’s Guide to Privacy and Security of Electronic Health Information dated April 2015. You should also be aware that in 2013 the U.S. Department of Health and Human Services made use of HITECH (the Health Information Technology for Economic and Clinical Health Act) to support the HIPAA privacy and security rules.

Best Practices for Data Backup and Recovery 

To comply with HIPAA, the data backup service should have a data backup plan, an emergency-mode operation plan and a disaster recovery plan.

Together, these three plans demonstrate that the provider has the capabilities, policies and procedures to restore health information if an emergency occurs. This gives the medical practice peace of mind and allows work to continue uninterrupted.

How a Backup Service Provider can offer more help 

A good HIPAA compliant backup service vendor can offer additional benefits, such as offsite data storage that protects against a power blackout, natural disaster or malware attack. Automatic data backup means you no longer have to worry about backing up data periodically at your office. Several vendors also provide cloud-based systems that store different versions of your files at different physical locations for additional protection; this is known as ‘data redundancy’.