In the healthcare industry, storing ePHI while remaining HIPAA compliant can be a tricky task. While some covered entities may opt for storing their ePHI onsite, many others rely on cloud backup servers from 3rd-party providers to safeguard their ePHI. When you choose to go with cloud backup, it’s critical to ensure that the service complies with HIPAA regulations.
HIPAA Security Rule covers 3 types of safeguards required for compliance: administrative, physical and technical. For each safeguard, HIPAA defines different security standards. For each standard, HIPAA covers both “required” and “addressable” specifications.
Required items must be followed as directed by HIPAA rules. Addressable items allow individual covered entities and business associates to analyze their situation and determine the best way to execute the specifications.
Below we have outlined the HIPAA requirements regarding backup and recovery.
Administrative Safeguards
These safeguards enable covered entities to respond to an emergency that threatens the integrity or availability of ePHI.
- Data Backup Plan (Required): You must develop an actionable plan for backing up all ePHI.
- Disaster Recovery Plan (Required): You must develop a set of procedures to ensure the protection of ePHI in the event of a disaster.
- Testing and Revision Procedures (Addressable): You must engage in periodic testing and revision of the Disaster Recovery Plan.
- Applications and Data Criticality Analysis (Addressable): You must determine how important each data application that stores, maintains or transmits ePHI is to patient care of business needs. Prioritize these applications for data backup, disaster recovery and/or emergency operations plans.
Physical Safeguards
HIPAA Security Rule defines physical safeguards as “physical measures, policies and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.”
- Contingency Operations (Addressable): You must establish and implement procedures that allow facility access for restoration of lost data in the event of an emergency.
- Facility Security Plan (Addressable): You must implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering and theft.
- Data Backup and Storage (Addressable): You must create retrievable, exact copies of ePHI before moving equipment that contains ePHI.
Technical Safeguards
These safeguards ensure access is only allowed to authorized users and software.
- Encryption and Decryption (Addressable): You must implement a mechanism to encrypt and decrypt ePHI to protect it from unauthorized access.
- Integrity Controls (Addressable): You must ensure that ePHI is not improperly modified during transmission.
- Transmission Encryption (Addressable): You must encrypt ePHI when it is being transmitted.
MAXtech Can Help You
Don’t let poorly implemented cloud backups put your patients’ health information at risk. MAXtech specializes in helping healthcare professionals remain HIPAA compliant. Schedule a free HIPAA assessment with us to see how we can help you.