Regular data backups are an integral part of any healthcare operation. The saying "hope for the best, but prepare for the worst" holds true in this industry. Hopefully, nothing will happen to the devices on which your healthcare practice's data is stored. But if it does, having a backup copy will give you the peace of mind of knowing that all is not lost.
Of course, there are nuances to backing up data covered by the Health Insurance Portability and Accountability Act (HIPAA). Originally signed into law in 1996, HIPAA is designed to protect healthcare patients and health insurance customers from having their data accessed by unauthorized individuals. You can read through our previous blog posts for more information on HIPAA, but it basically consists of several Rules – Security, Privacy and Administrative – that outline the measures and practices required of covered entities.
While there are dozens of different ways to back up your practice's data, they all fall into one of two categories: local or remote. Local backups tend to be more secure against unauthorized access, but they carry an increased risk of being lost along with the primary data if the facility itself is damaged (e.g. fire, flood, theft, etc.). Remote backups, on the other hand, offer greater protection against damage of this kind, but they also increase the risk of unauthorized access.
So, how should you create a backup for your healthcare practice? The Department of Health and Human Services (HHS) doesn't prescribe a specific formula for creating data backups. It does, however, have a few specific guidelines that covered entities must follow:
- All data must be backed up both on-site and off-site.
- If encrypted, the backup must use an ANSI standard.
- Data backups must have audit trails for reporting.
- All data backups must adhere to standard data sets.
Furthermore, if your healthcare practice outsources the creation or maintenance of data backups, you must put a business associate agreement in place with the company handling your backups. Because the company has access to Protected Health Information (PHI), HHS views it as a business associate. This means covered entities must create an agreement that describes how the company will use and handle the PHI.