September 23: HIPAA Rules Kick in, Impacting Your Backup and Disaster Recovery Planning

By Jay Atkinson
AIS Network CEO

If you’re a company in the health care industry, you have just 47 days to get your act together on planning for IT disaster recovery.

That’s right. Beginning Sept. 23, the HIPAA/HITECH rules governing protected health information (PHI), including the requirements for secure data backup and recovery, will be enforced, and some businesses will face increased exposure to penalties.

What does this mean? It means that the HIPAA privacy and security regulations are changing in ways that impact every health care industry entity, including providers, clearinghouses, insurers, health plans, e-prescription networks, business associates, and other industry entities.

If you’re among these organizations, you’ll need to review your HIPAA compliance, policies and procedures to see if you are prepared to meet the new finalized requirements in the HIPAA rules for Privacy and Security of Protected Health Information.

These include:

  • more stringent requirements that covered entities have data backup and IT disaster recovery specifications
  • more rules on data encryption (that’s another blog entirely)
  • important changes to patient privacy and security rights
  • modifications of marketing and fundraising rules
  • a change in how PHI breaches are determined
  • increased enforcement efforts

So why the rush?

More businesses will face direct liability for violations and the penalties are substantial.

The enforcement rules have toughened up considerably. The new HIPAA four-tier violation schedule has increased minimum and maximum fines. If you are found to be in willful neglect of compliance, mandatory fines begin at $10,000 per violation. Violations that are not corrected promptly are subject to mandatory minimum fines starting at $50,000 per violation, capped at $1.5 million per year for violations of an identical provision.

With the newly revised audit program set for relaunch in Q4, time is running out to review your HIPAA compliance and get busy on meeting the new disaster recovery requirements.

Why is disaster recovery so important?

All electronic PHI must be protected by a backup/disaster recovery plan. Or else.

If a storm like last year’s Hurricane Sandy hit your area tomorrow, how much ePHI would your practice or business lose? How would you get it back? In the past, backup and recovery processes were typically performed using tapes. But like VHS tapes, those days are gone. Virtualization technologies are providing more comprehensive protection — and faster recovery rates — far more cost effectively than ever before.

Although the requirement predates HITECH, the HIPAA Security Rule does require all ePHI to be subject to a backup/disaster recovery plan. Think of all the ePHI that was lost when Katrina struck; what would be the effect on your practice if a disaster occurred? How would you recover? In the past, tape backup was often used. However, newer technologies and techniques are now available that are more cost effective and provide better outcomes.
At first glance, all of this would appear to be a tall order to implement for any private practice. In reality, these types of security and privacy measures are commonly implemented for small businesses. Consult your IT support vendor on how to proceed. Also remember that these measures do not ensure HIPAA compliance for your practice; rather, they are a component of your overall HIPAA plan.

Source: http://www.capturebilling.com/hipaa-privacy-and-security-changes-in-the-hitech-act/

I Don’t Have a Disaster Recovery Plan. What Do I Do?

If you haven’t yet planned for a worst case scenario, act now to establish the critical processes and develop a clear understanding of how the cloud can help.

First, check out the HIPAA Security Rule’s Administrative Safeguards language pertaining to data backup and disaster recovery, 45 CFR 164.308(a), specifically paragraph (a)(7), the contingency plan standard:

(7) (i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

(ii) Implementation specifications:

(A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.

(B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.

(C) Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

(D) Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans.

(E) Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components.

(8) Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity’s or business associate’s security policies and procedures meet the requirements of this subpart.

Next, here are some steps that you can take to get started:

1) Identify risks. List and categorize threats associated with natural and man-made disasters and their impact on various systems.

2) Inventory IT assets. Which are most critical to maintaining business continuity? What’s your tolerance for loss of those assets? The cost of the response should be balanced against your tolerance for system downtime.

3) Define your goals. When disaster strikes, can your business close? Or, does it need to recover somewhere else? Define goals in terms of RPO (Recovery Point Objective, “How much data can we lose?”) and RTO (Recovery Time Objective, “How long can we be down?”).

4) Develop a plan. Include “IT Assets Inventory,” data protection procedures and contingency plans, notification/activation schedules, a list of roles and responsibilities, a list of resource requirements and details about training provisions. A good plan includes maintenance and backup/recovery testing schedules (all delivered

5) Understand the cloud’s benefits. Virtualization technologies make backup and disaster recovery vastly faster, cheaper and easier. For HIPAA-focused health care clients, we recommend deploying backup and disaster recovery solutions within a fully managed, high security private cloud.

6) Implement the plan. If executives understand the consequences of system disruptions, you can win their support and funding for contingency policies.

7) Test the plan. Testing and keeping plans updated will help ensure business survival.
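Steps 2, 3 and 7 above (inventory the assets, set an RPO per asset, and test the plan) are the parts of a contingency plan that can be checked mechanically, and 164.308(a)(7)(ii)(A) asks for "retrievable exact copies", which is only demonstrated by actually retrieving one. The following script is an added example, not code from this post or from AIS Network: it takes an asset inventory with criticality and RPO targets, a backup manifest as a backup job might write it, and reports every asset whose newest copy is missing, older than its RPO, or no longer matches the digest recorded when it was written. The inventory, manifest format and sample data are constructed for illustration and are assumptions, not a real product's format.

```python
"""Contingency-plan check: backup freshness against RPO, plus a restore drill
that proves each copy is still a retrievable exact copy.

Added example (not from the original post). INVENTORY, BACKUP_MANIFEST and the
manifest layout are constructed sample data / assumptions for illustration.
"""
import hashlib
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Step 2/3 output: each asset's criticality and its RPO in hours (constructed).
INVENTORY = {
    "ehr-db":        {"criticality": "high",   "rpo_hours": 1},
    "pacs-images":   {"criticality": "high",   "rpo_hours": 24},
    "billing-db":    {"criticality": "medium", "rpo_hours": 24},
    "intranet-wiki": {"criticality": "low",    "rpo_hours": 168},
}

# Bytes sitting in backup storage (constructed; a real job stores files, not
# in-memory blobs, and the manifest would point at paths instead).
STORED_COPIES = {
    "ehr-db":      b"ehr dump 2013-09-23T11:30Z",
    "pacs-images": b"pacs archive week 38",
    "billing-db":  b"billing dump 2013-09-23T06:00Z",
}

# Fixed "now" so the sample data and the expected findings are stable.
NOW = datetime(2013, 9, 23, 12, 0, tzinfo=timezone.utc)

# Assumed manifest format: one record per backup run with the UTC completion
# time and the SHA-256 the job computed when it wrote the copy. Constructed so
# that one asset is stale, one is silently corrupted, and one was never backed up.
BACKUP_MANIFEST = [
    {"asset": "ehr-db", "completed": NOW - timedelta(minutes=30),
     "sha256": sha256(STORED_COPIES["ehr-db"]), "blob": STORED_COPIES["ehr-db"]},
    {"asset": "pacs-images", "completed": NOW - timedelta(hours=30),   # 30h > 24h RPO
     "sha256": sha256(STORED_COPIES["pacs-images"]), "blob": STORED_COPIES["pacs-images"]},
    {"asset": "billing-db", "completed": NOW - timedelta(hours=6),
     # digest recorded at write time no longer matches what storage returns
     "sha256": sha256(b"billing dump 2013-09-23T06:00Z (as written)"),
     "blob": STORED_COPIES["billing-db"]},
    # intranet-wiki: no record at all
]


def check_rpo(inventory, manifest, now):
    """Return {asset: reason} for every asset whose newest backup is missing or
    older than its RPO. Older runs in the manifest are ignored on purpose."""
    latest = {}
    for rec in manifest:
        prev = latest.get(rec["asset"])
        if prev is None or rec["completed"] > prev["completed"]:
            latest[rec["asset"]] = rec
    findings = {}
    for asset, spec in inventory.items():
        rec = latest.get(asset)
        if rec is None:
            findings[asset] = "no backup on record"
            continue
        age = now - rec["completed"]
        if age > timedelta(hours=spec["rpo_hours"]):
            hours = age.total_seconds() / 3600
            findings[asset] = f"last backup {hours:.0f}h old, RPO is {spec['rpo_hours']}h"
    return findings


def restore_and_verify(rec, restore_dir):
    """Restore drill: write the copy to restore_dir, read it back from disk and
    re-hash it. Only the retrieved bytes count, not the manifest's claim."""
    target = Path(restore_dir) / f"{rec['asset']}.restored"
    target.write_bytes(rec["blob"])
    return sha256(target.read_bytes()) == rec["sha256"]


def contingency_report(inventory, manifest, now):
    """Per-asset list of problems, most critical assets first; an empty list
    means the asset passed both the RPO check and the restore drill."""
    rpo_findings = check_rpo(inventory, manifest, now)
    with tempfile.TemporaryDirectory() as scratch:
        integrity = {rec["asset"]: restore_and_verify(rec, scratch) for rec in manifest}
    order = {"high": 0, "medium": 1, "low": 2}
    report = {}
    for asset, spec in sorted(inventory.items(), key=lambda kv: order[kv[1]["criticality"]]):
        problems = []
        if asset in rpo_findings:
            problems.append(rpo_findings[asset])
        if integrity.get(asset) is False:
            problems.append("restored copy does not match recorded digest")
        report[asset] = problems
    return report


if __name__ == "__main__":
    for asset, problems in contingency_report(INVENTORY, BACKUP_MANIFEST, NOW).items():
        print(f"{asset:14} {'OK' if not problems else '; '.join(problems)}")
```

Run as a scheduled job against a real manifest, this is the "testing and revision" evidence an auditor will ask for under 164.308(a)(7)(ii)(D): a dated record that each copy of ePHI was actually retrieved and matched, not just that a backup job reported success. The integrity check deliberately re-reads the restored file from disk rather than trusting the manifest's digest, because silent corruption in backup storage is exactly the failure mode a drill is meant to surface.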

Are you ready now? If not, contact us and we can help you get on track.

Choosing the right HIPAA-compliant backup and disaster recovery solution, deployed in a high security private cloud infrastructure, will help you protect your company’s PHI and avoid penalties for noncompliance.*

With the burden of compliance eased, you can turn your focus back to providing great patient care.

* Remember, these measures do not ensure HIPAA compliance. Rather, they are simply a component of your overall HIPAA compliance plan.