MOST entities that are required to comply with HIPAA are not because of a ton of confusion. After much research I have found a nutshell article that explains HIPAA compliance for data security. It codifies in US Federal Law what best practices have been for a long long time.
- It’s not optional – All CEs, including medical practices and BAs, must securely back up “retrievable exact copies of electronic protected health information” (CFR 164.308(7)(ii) (A)).
- Your data must be recoverable – Why else are you backing it up? You must be able to fully “restore any loss of data” (CFR 164.308(7)(ii) (B)).
- You must get your data offsite – as required by the HIPAA Security Final Rule (CFR 164.308(a)(1)). How could one defend a data backup and disaster recovery plan that stored backup copies of ePHI in the same location as the original data store?
- You must back up your data frequently – as required by the HIPAA Security Final Rule (CFR 164.308(a)(1)). In today’s real-time transactional world, a server crash, database corruption, or erasure of data by a disgruntled employee at 4:40 PM would result in a significant data loss event if one had to recover from yesterday’s data backup.
- Safeguards must continue in recovery mode – The same set of security requirements that applies under normal business operations must also apply during emergency mode. CEs and BAs cannot let their guard down (CFR 164.308(7)(ii) (C)).
- Encrypt or Destroy – HITECH says to encrypt or destroy data at rest to secure it (Section 13402(h) of Title XIII HITECH Act). HIPAA Security Rule says that data being transmitted must be encrypted (CFR 164.312(e)(1)(B)). Many CEs and BAs fail in this area because tape- or disk-based backups are moved around freely, unencrypted.
- You must have written procedures related to your data backup and recovery plan – Policies and procedures (CFR 164.312(b)(1)) and documentation (CFR 164.312(b)(2)(i)) are a huge part of the HIPAA Security Final Rule.
- You must test your recovery – Backup is useless if your recovery fails, therefore the law requires that you “Implement procedures for periodic testing and revision of contingency plans.” (CFR 164.308(7)(ii) (D)). Unfortunately, testing tape-based or disk-based recovery can be time-consuming, so most companies rarely do it.
- Non-compliance penalties are severe – Penalties are increased significantly in the new tiered Civil Monetary Penalty (CMP) System with a maximum penalty of $1.5 million for all violations of an identical provision.
- Now is the time to act – CEs have been subject to the HIPAA Security Final Rule since April 2005. BAs were statutorily obligated to comply by February 2010.
So if you are not complying with these regulations(if you are not sure then it is safe to assume you aren’t) you NEED to contact someone who knows not only the regulations but how to execute those regulations PROPERLY. I have extensive experience in helping small practitioners get compliant with the data security standard for HIPAA snd HITECH. Too many times the push back I get is I cannot afford the costs of the compliance. I can guarantee you for smaller businesses the government WILL make an example of you by shutting you down. I have seen it happen with my own eyes to a now former client of mine who refused to implement my reforms of her highly insecure data handling practices that led to an unauthorized data disclosure and a full law enforcement raid on her establishment. If you are not sure your network is properly locked down for the increasing costs of a HIPAA breach contact ETC Maryland for a full evaluation of your security posture in all areas.