– Guest Post –
HIPAA compliance is mandatory for all companies working in the healthcare industry in the United States. The Health Insurance Portability and Accountability Act of 1996 was passed to protect sensitive patient health information from disclosure without the patient’s consent or knowledge. HIPAA standards are concerned with how companies handle protected health information (PHI) and electronic protected health information (ePHI).
Failure to comply with HIPAA guidelines can result in substantial financial penalties as well as harm to a business’s reputation that is hard to quantify and address. Fines are levied following a tiered structure based on the extent and severity of the punishable violation. The financial penalties can be recurring if the non-compliant issues are not addressed and resolved.
Two important provisions in the HIPAA standards address the critical nature of creating onsite and offsite backups and enabling in-scope systems to be recovered in the event of a catastrophic failure. The procedures to restore the computing environment from an unexpected outage are traditionally codified in a disaster recovery plan. The existence of such a disaster recovery and business continuity plan is also part of the HIPAA requirements with which companies need to comply.
HIPAA-Compliant Onsite and Offsite Backup Requirements
A reliable backup process is recommended for any type of business but is a necessity for covered entities (CE) and business associates (BA) operating in the healthcare field. Specific requirements must be followed by a business to ensure its backups are compliant with HIPAA regulations. In particular, two items need to be addressed. They are a company’s data backup plan and the backup data’s retention period.
These rules apply to individual companies and managed service providers (MSPs) contracted to furnish HIPAA-compliant systems and web hosting. These encompass technical, physical, and administrative safeguards that need to be in place for an organization or MSP to be HIPAA compliant.
The following technical safeguards must be implemented for backups to be considered HIPAA-compliant.
- Data encryption – All data stored on a HIPAA-compliant infrastructure needs to be encrypted using the 256-bit AES encryption standard (AES-256) and accessed via a two-factor authentication mechanism. This includes backups, which should be encrypted at the time they are created.
- Data transfers – All data transmitted over a public network needs to be encrypted to protect it from unauthorized access. When creating backups over a network to a cloud provider, all traffic needs to be encrypted.
- Data redundancy – There need to be at least two copies, and preferably three, of all data in scope for HIPAA compliance. Three copies provide the onsite production data, regular backups, and disaster recovery media. Ideally, one set of data should be stored offsite for use in a disaster recovery exercise.
- Data restoration – The MSP or covered entity must have the capability to restore data to its original or a different location.
- Backup monitoring – Monitoring with automated logging must be implemented to ensure backups are running successfully and alert support teams to issues that need to be resolved.
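The safeguards above are checkable, not just declarable. The script below is an added example (not code from the original post or from any particular backup product): it runs a compliance check over a constructed backup inventory, flagging copies that are not encrypted with the named cipher, offsite copies shipped over an unencrypted channel, datasets with fewer than two copies or no offsite copy, copies whose last successful run is stale, and datasets whose restore capability has not been exercised recently. The inventory layout, field names and the freshness/restore-test thresholds are assumptions made for this example.

```python
"""Backup compliance monitor.

Added example (not code from the original post): checks a backup inventory
against the technical safeguards listed above. The inventory layout, field
names and thresholds below are assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

REQUIRED_CIPHER = "AES-256"                 # cipher the post names for data at rest
MAX_BACKUP_AGE = timedelta(hours=24)        # assumed freshness window for each copy
MAX_RESTORE_TEST_AGE = timedelta(days=90)   # assumed interval for proving restores work

Finding = Tuple[str, str]  # (severity, message); severity is "FAIL" or "WARN"


@dataclass
class BackupCopy:
    location: str              # assumed label, e.g. "onsite-nas"
    offsite: bool              # stored outside the production site
    cipher: str                # cipher protecting the stored copy; "" if unencrypted
    transport_encrypted: bool  # copy was shipped over an encrypted channel
    last_success: datetime     # UTC time of the last successful run to this location


@dataclass
class Dataset:
    name: str
    copies: List[BackupCopy] = field(default_factory=list)
    last_restore_test: Optional[datetime] = None  # last time a restore was exercised


def check_dataset(ds: Dataset, now: datetime) -> List[Finding]:
    """Evaluate one in-scope dataset; an empty list means it passes cleanly."""
    findings: List[Finding] = []

    # Redundancy: at least two copies, three recommended, one of them offsite.
    if len(ds.copies) < 2:
        findings.append(("FAIL", f"{ds.name}: {len(ds.copies)} copy; at least 2 required"))
    elif len(ds.copies) == 2:
        findings.append(("WARN", f"{ds.name}: 2 copies present; 3 recommended"))
    if not any(c.offsite for c in ds.copies):
        findings.append(("FAIL", f"{ds.name}: no offsite copy"))

    for c in ds.copies:
        # Encryption at rest: every stored copy must use the required cipher.
        if c.cipher != REQUIRED_CIPHER:
            findings.append(("FAIL", f"{ds.name}@{c.location}: stored with "
                             f"{c.cipher or 'no encryption'}; {REQUIRED_CIPHER} required"))
        # Encryption in transit: offsite copies cross a public network.
        if c.offsite and not c.transport_encrypted:
            findings.append(("FAIL", f"{ds.name}@{c.location}: offsite transfer not encrypted"))
        # Monitoring: a copy whose last success is too old means backups are not running.
        age = now - c.last_success
        if age > MAX_BACKUP_AGE:
            hours = int(age.total_seconds() // 3600)
            limit = int(MAX_BACKUP_AGE.total_seconds() // 3600)
            findings.append(("FAIL", f"{ds.name}@{c.location}: last success {hours}h ago; "
                             f"limit is {limit}h"))

    # Restoration: the ability to restore has to be demonstrated, not assumed.
    if ds.last_restore_test is None or now - ds.last_restore_test > MAX_RESTORE_TEST_AGE:
        findings.append(("FAIL", f"{ds.name}: no successful restore test in the last "
                         f"{MAX_RESTORE_TEST_AGE.days} days"))
    return findings


def run_monitor(datasets: List[Dataset], now: datetime) -> Dict[str, List[Finding]]:
    """Return findings per dataset; datasets with no findings are omitted."""
    report = {ds.name: check_dataset(ds, now) for ds in datasets}
    return {name: f for name, f in report.items() if f}


def is_compliant(ds: Dataset, now: datetime) -> bool:
    """True when no FAIL-level finding exists (a WARN alone does not fail)."""
    return not any(sev == "FAIL" for sev, _ in check_dataset(ds, now))


# Constructed sample inventory (not real systems); evaluated at a fixed instant
# so results are reproducible.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
H = timedelta(hours=1)

GOOD = Dataset("ehr-db", copies=[
    BackupCopy("onsite-nas", False, "AES-256", True, NOW - 6 * H),
    BackupCopy("cloud-region-a", True, "AES-256", True, NOW - 6 * H),
    BackupCopy("dr-vault", True, "AES-256", True, NOW - 6 * H),
], last_restore_test=NOW - timedelta(days=30))

BAD = Dataset("imaging-archive", copies=[
    BackupCopy("onsite-nas", False, "AES-128", True, NOW - 6 * H),
    BackupCopy("cloud-region-b", True, "AES-256", False, NOW - 72 * H),
])  # no restore test on record

if __name__ == "__main__":
    for name, findings in run_monitor([GOOD, BAD], NOW).items():
        for severity, message in findings:
            print(f"[{severity}] {message}")
```

Run as a script, the sample reports nothing for `ehr-db` and five findings for `imaging-archive` (four FAIL, one WARN). In practice the inventory would be fed from the backup tool's job history and the findings routed to the alerting channel the support team already watches, which is the "automated logging" and alerting the monitoring safeguard calls for.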
Physically protecting HIPAA data is mandatory and includes the following physical safeguards.
- Datacenter security – Data centers must be resilient and maintain a 24/7/365 manned security presence. Access to the data center must be limited to authorized individuals.
- Access controls – MSPs must enforce robust security measures to protect all hardware including workstations and mobile devices.
- User account control – User accounts and groups need to adhere to the principle of least privilege enabling only authorized users to access HIPAA data.
- Tamperproof logging – Automated logging that cannot be modified needs to be in place to create reliable audit trails.
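One common way to make an audit trail tamper-evident is to hash-chain the entries, so that editing, reordering or deleting any record invalidates everything after it. The code below is an added example (not from the original post or any logging product) applied to constructed backup-job events; the event fields are assumptions. A hash chain detects modification rather than preventing it, so it complements, rather than replaces, write-once storage: the example also records the latest hash in a separate place (a plain variable here, standing in for an external append-only store) so that a log rewritten or truncated in its entirety is still caught.

```python
"""Tamper-evident audit trail for backup events.

Added example (not code from the original post): each log entry carries the
SHA-256 hash of the previous entry, so editing, reordering or deleting a
record breaks the chain from that point on. The event fields are assumptions.
The latest hash is also kept outside the log (the "anchor"), standing in for
write-once storage, so a wholesale rewrite or truncation is detected too.
"""
import copy
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

GENESIS = "0" * 64  # previous-hash value for the very first entry


def _entry_hash(prev_hash: str, record: Dict[str, Any]) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal records hash equally.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_entry(log: List[Dict[str, Any]], record: Dict[str, Any]) -> str:
    """Append a record linked to the previous entry; return the new head hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev_hash,
                "hash": _entry_hash(prev_hash, record)})
    return log[-1]["hash"]


def verify_chain(log: List[Dict[str, Any]], anchored_head: Optional[str] = None) -> int:
    """Return -1 if the log is intact, else the index of the first failing entry.

    If anchored_head is given and the chain is internally consistent but its
    last hash differs from the anchor (rewritten or truncated log), the result
    is len(log).
    """
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev_hash or entry["hash"] != _entry_hash(prev_hash, entry["record"]):
            return i
        prev_hash = entry["hash"]
    if anchored_head is not None and prev_hash != anchored_head:
        return len(log)
    return -1


# Constructed sample events (not from a real system).
SAMPLE_EVENTS = [
    {"ts": "2024-06-01T01:00:00Z", "job": "ehr-db", "target": "onsite-nas", "status": "success"},
    {"ts": "2024-06-01T01:20:00Z", "job": "ehr-db", "target": "cloud-region-a", "status": "success"},
    {"ts": "2024-06-01T02:00:00Z", "job": "imaging-archive", "target": "cloud-region-b", "status": "failed"},
]


def build_sample_log() -> Tuple[List[Dict[str, Any]], str]:
    """Return (log, anchored_head) for the sample events."""
    log: List[Dict[str, Any]] = []
    head = GENESIS
    for event in SAMPLE_EVENTS:
        head = append_entry(log, event)
    return log, head


def demo_tampering() -> Dict[str, int]:
    """Report what verification returns for intact, edited and truncated logs."""
    log, head = build_sample_log()
    results = {"intact": verify_chain(log, head)}

    # Edit one record in place: the failed job is made to look successful.
    edited = copy.deepcopy(log)
    edited[2]["record"]["status"] = "success"
    results["edited"] = verify_chain(edited, head)

    # Delete the last entry: the remaining chain is internally consistent,
    # so only the external anchor exposes the truncation.
    truncated = copy.deepcopy(log[:-1])
    results["truncated_no_anchor"] = verify_chain(truncated)
    results["truncated_with_anchor"] = verify_chain(truncated, head)
    return results


if __name__ == "__main__":
    for case, idx in demo_tampering().items():
        status = "intact" if idx == -1 else f"fails at entry {idx}"
        print(f"{case}: {status}")
```

The `truncated_no_anchor` case is the important one: without the externally held head hash, a log shortened from the end still verifies, which is why the anchor (or an equivalent write-once medium) is part of the control rather than an optional extra.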
The most important administrative safeguard is the implementation of the HIPAA-required data retention period of six years. The types of data that need to be retained include records related to the actions, activities, and assessments required by HIPAA. Medical records do not need to be retained in this way. The electronic documents that must be retained for six years include:
- Risk assessment and analysis;
- Disaster recovery and contingency plans;
- Business associate agreements;
- Incident and breach notification documentation;
- Physical security maintenance records.
These documents should be backed up using an encrypted backup solution and retained for at least six years. Fulfilling this requirement may necessitate segregating this data and backing it up using dedicated retention plans, but it must be done to remain HIPAA-compliant.
HIPAA Requirements for Disaster Recovery Planning
Healthcare companies and business associates need to develop and implement viable contingency plans for use in the event of a disaster or other event that impacts their operations. The objective of these contingency plans is to ensure that an organization can recover critical IT components and systems that handle ePHI while maintaining normal business functionality.
The contingency plan has five major components.
Data backup plan
The data backup plan identifies all ePHI so it can be backed up using a HIPAA-compliant backup solution as described above. This needs to be an ongoing exercise to determine if new data is in scope.
Disaster recovery plan
A disaster recovery plan (DRP) is the set of processes and procedures that defines how a healthcare organization and any business associates responsible for its computing environment respond to a disaster scenario. It is made up of multiple parts that define the characteristics of a disaster and how to respond to it. Specifically, it defines:
- What constitutes a disaster;
- When to declare a disaster;
- How to initiate a disaster recovery;
- A roster of technical support resources required for the recovery;
- Contact information and role delegation for key personnel;
- Recovery time objectives and recovery point objectives for systems in scope to be recovered.
There can be multiple DRPs that address different parts of the organization or that can be used in cases where a more limited outage needs to be resolved.
Emergency mode operation plan
This plan defines how the business will continue operating during a disaster. The hardware and infrastructure used for recovery are required to be HIPAA-compliant. This plan also provides the steps that will be taken to restore operations with minimal impact on the business and customers.
Testing and revision procedures
While not mandatory, it is highly recommended that disaster recovery testing be performed regularly to ensure the process works as planned. Revisions should be made to the backup, disaster recovery, and emergency mode plans to address shortcomings identified during testing.
Analysis of critical data and applications
Covered entities should communicate with their MSPs regarding which critical systems and applications to restore first in the event of a disaster. This is not a HIPAA requirement, but is good practice and should be done periodically to identify new systems that may now be in scope for priority recovery.
Finding the Right MSP for a HIPAA-Compliant Infrastructure
A managed service provider needs to be able to demonstrate that it has all of the above features and functionality in place to furnish customers with a HIPAA-compliant infrastructure and a HIPAA-compliant hosting solution. Your provider should be able to quickly answer your questions about how they back up your data and control access to your systems.
Look for a provider that has obtained HIPAA compliance and has been HIPAA audited. It’s good to look for SOC 2 and SOC 3 certifications that prove the MSP has the proper protections in place for your ePHI. You also want to make sure your infrastructure is deployed in a privately hosted environment for HIPAA compliance. Your sensitive ePHI can be secure and protected with the right cloud provider.