The Health Insurance Portability and Accountability Act (HIPAA) applies to any healthcare provider, health plan, and clearing house that electronically maintains or transmits health information pertaining to individuals. HIPAA was designed to promote healthcare standards for patient confidentiality, provide an incentive for electronic communications, create consist industry standards and the reduce administrative costs of healthcare.
The Standards for the Security of Electronic Protected Health Information (the “Security Rule”) went into effect in April of 2006. The Security Rule requires health care providers, health plans and clearing houses to have data security standards in place.
The Security Rule and Data Backup
Many of the Security Rule’s standards apply to the backup of data. Health care providers, health plans and clearing houses must have a contingency plan that will:
“Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.”
This contingency plan must include a data backup plan, a disaster recovery plan, and emergency mode operation plan. They must also have certain physical safeguards, such as facility access controls. The Security rule is further detailed through 18 technical standards and 36 implementation specifications not covered in this document.
Technical Safeguards Required
Healthcare providers, health plans and clearing houses must also implement the following technical safeguards: Encrypt and decrypt electronic protected health information, limit access to electronic protected health information, put audit controls in place that record and examine activity in information systems that contain electronic protected health information, and implement technical security measures to guard against unauthorized access to electronic protected information that’s being transmitted over an electronic communications network.
Backup and HIPAA Compliance
Ensure your backup vendor encrypts backup images during transit to its off-site data centers and data cannot be read from there without an encryption key. It is the responsibility of the end user/partner to encrypt the source data to meet their specific HIPAA compliant regulations.
It's generally advised to use Advanced Encryption Standard (AES) encryption technology. AES encryption was developed by the U.S. National Institute of Standards and Technology (NIST) and is now the state-of-the-art standard encryption technique for both commercial and government applications. AES is the best choice for protecting electronic protected health information (ePHI) because of its encryption algorithm, its strength and its speed.
To meet the Security’s Rule’s transmission requirements, each image queued to be replicated offsite is sent over the Internet via a secure channel using AES 256 encryption and Secure Sockets Layer SSL technology.
Archiving and Restoring
It is generally advised that you incorporate a backup solution that archives your data, or at minimum mirrors your data in their data centers. For solutions that are mirrored in their data centers, generally when data is deleted on the local BDR device, the data is deleted in the cloud as well. It is important to confirm that with the vendor.
All data is stored on the physical server, laptop, desktop, etc., advised to also be stored on the local BDR device, and then also in vendors’s data centers. This creates a true redundancy. This redundancy provides IT Service Providers and end-users alike with the comfort of knowing they have a solution that offers them complete business continuity.