As we leave (most of) the ice and snow behind us and enter the season of thunderstorms and flash floods, every practice must ask itself whether it is disaster-proof. Whether the disaster is severe weather such as lightning storms and flooding, a fire, or a man-made problem like loss or theft of equipment, the recovery aspect is much the same. For medical practices covered by HIPAA, it is also mandatory.
HIPAA requires that all covered entities securely back up “retrievable exact copies of electronic protected health information” and be able to fully “restore any loss of data.” This backup must happen frequently, though the expectation adjusts somewhat with the size of the practice. It would be unreasonable to expect all practices to fully back up all data on a minute-by-minute basis; however, data should be backed up at least every business day. Importantly, data must be recoverable. How do you ensure that? Test the backups! Data should be fully restored from backups periodically to make sure the entire process is working as it should. Simply checking that a backup has happened is not enough, as this does not prove that the backup is functioning properly or that the recovery process is working.
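To make the difference between "a backup happened" and "the data can be restored exactly" concrete, here is an added example (not part of the original article and not any vendor's tooling). It assumes backups are `tar.gz` archives; the helper names and the sample files are hypothetical and constructed for the demonstration.

```python
import hashlib, os, tarfile, tempfile
from pathlib import Path

def manifest(root):
    """Map each file's relative path to the SHA-256 of its contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def backup_happened(archive):
    """The weak check: a backup file exists and is not empty."""
    return os.path.isfile(archive) and os.path.getsize(archive) > 0

def verify_restore(expected, archive):
    """Restore into a scratch directory and compare against the expected manifest."""
    safe = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    error = None
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive) as tar:
                tar.extractall(scratch, **safe)
        except Exception as exc:  # any failure to restore is a failed test
            error = type(exc).__name__
        restored = manifest(scratch)
    missing = sorted(set(expected) - set(restored))
    corrupted = sorted(f for f in expected if f in restored and restored[f] != expected[f])
    return {"exact": not (error or missing or corrupted), "error": error,
            "missing": missing, "corrupted": corrupted}

def make_backup(src, archive, skip=()):
    """Stand-in for the real backup job; `skip` simulates files it silently misses."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in Path(src).iterdir():
            tar.add(p, arcname=p.name, filter=lambda ti: None if ti.name in skip else ti)

def demo():
    """Run both checks on constructed sample data (three small stand-in files)."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "records")
        (src / "charts").mkdir(parents=True)
        (src / "charts" / "a.txt").write_text("chart A")
        (src / "charts" / "b.txt").write_text("chart B")
        (src / "schedule.csv").write_text("09:00,patient-1\n")
        expected = manifest(src)
        good, partial, cut = (Path(work, n) for n in ("good.tgz", "partial.tgz", "cut.tgz"))
        make_backup(src, good)
        make_backup(src, partial, skip=("charts/b.txt",))
        cut.write_bytes(good.read_bytes()[: good.stat().st_size // 2])  # interrupted job
        return {p.stem: (backup_happened(p), verify_restore(expected, p))
                for p in (good, partial, cut)}

if __name__ == "__main__":
    for name, (weak, strong) in demo().items():
        print(name, "backup file present:", weak, "| restore:", strong)
```

All three archives pass the "backup file present" check, but only the complete one restores as an exact copy. In practice the expected manifest would be recorded at backup time and the restore run on a separate machine.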
Having your data backed up is only half the battle. HIPAA rules also mandate having policies and procedures in writing (and probably backed up!) that detail your contingency plans. These policies will detail not only how and when data is backed up but also what steps your practice will take to recover after an event. This Disaster Recovery Plan should be useful to reference any time data is lost due to power surges, destruction, theft, or malicious activity.
Healthcare Technology Advisors offers HIPAA compliant backup solutions to all our clients, and Disaster Recovery Plans as part of our compliance service for Covered Entities and Business Associates. Call us or visit our service page to learn more.