HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

HIPAA Data Backup Plan and Disaster Recovery Plan


The requirements of a HIPAA data backup plan and disaster recovery plans are discussed below.

What are the Requirements of a HIPAA Data Backup Plan?

A HIPAA data backup plan is a component of the administrative safeguards that must be implemented under the HIPAA Security Rule.

The data backup plan, which is part of the administrative safeguard requirement to have a contingency plan, consists of establishing and implementing procedures to create and maintain retrievable, exact copies of electronic protected health information (ePHI).


Data that is secured and backed up must be recoverable, that is, capable of being retrieved and restored.

The requirement that data be recoverable comes from a related provision of the contingency plan requirement: the disaster recovery plan requirement.

Under a disaster recovery plan, a covered entity or business associate establishes (and implements as needed) procedures to restore any loss of data.

What Should I Consider When Developing a HIPAA Data Backup Plan?

When developing a HIPAA data backup plan, covered entities and business associates should consider the nature of the ePHI that must be backed up, including how many identifiers the ePHI has.

The HIPAA Security Officer should make an inventory of all sources of data, to determine the nature and type of ePHI an organization stores.

There are many potential sources of ePHI. These include, among others, patient accounting systems, electronic medical records, health maintenance and case management information, digital recordings of diagnostic images, electronic test results, and any other electronic documents created or used.

Where Should I Store Backup Copies of Data?

There are two types of backup storage organizations should use:

Backup #1 (Local Storage Backup): The first kind of backup (Backup #1) you should use is backup through a local, onsite appliance. In this kind of data backup, backup data is stored on a local storage device (appliance), such as a hard disk or CD.

Backup #2 (Offsite Backup): The second kind of backup is offsite backup. Offsite backup consists of either backing up data to the cloud or storing backup data at an offsite facility. Storing backup data with a HIPAA-compliant cloud provider allows an organization to easily retrieve information from the cloud at any time.

Storing backup data at an offsite facility (a physical location other than your worksite) allows recovery of backup data if the backup data stored locally, onsite, is destroyed or damaged because the premises themselves have been damaged by emergencies such as earthquakes and floods.

What is the Difference Between a HIPAA Data Backup Plan and a Disaster Recovery Plan?

The difference between backups and disaster recovery is a matter of scope. Backing up data refers to creating and keeping actual copies of data.

A backup plan does not take disaster response into account. A disaster recovery (DR) plan, in contrast, is a strategy for responding to a disaster event, and that response includes deploying the backups, in other words, putting the backups into action.

What Steps Does the Disaster Planning Process Consist of?

There are four essential steps to complete in the disaster recovery planning process. These are discussed in turn.

Step 1: Performing a Business Impact Analysis (BIA)

A business impact analysis (BIA) is a thorough assessment and inventorying of an organization’s virtual environment.

In this process, the organization must take into account the volume and type of data that is being managed; where the data is being stored; how much in terms of resources and time must be expended to restore access to different types of data; and how critical each type of data is to business operations.

The more vital the data is to the business’s ability to function, the higher that data’s priority of restoration, and resource allocation, should be.


Step 2: Performing a Risk Assessment

Conducting a risk assessment consists of running and evaluating hypothetical external situations that can hurt your business. External situations that can damage your business include natural disasters, such as hurricanes and blizzards, as well as man-made events, such as active shooter situations and acts of terror.

When conducting the risk assessment, an organization should consider all potential external incident types and the likelihood of their occurrence, together with the nature and severity of the impact each incident may have on the organization’s ability to continue normal operations and deliver its normal business services.

In preparing the risk assessment, organizations should review all records and sources of information at their disposal to assess the threat posed by each incident type. Records and sources of information can include, for example:

  • Employee recollection of prior disruptive events and how they affected business operations;
  • Advice from first-responder organizations; and
  • Disaster recovery resource libraries from government agencies, such as the Federal Emergency Management Agency (FEMA).


Step 3: Create a Risk Management Strategy

Once you have identified your data processes, the business impact of a disruption to each, and the likelihood of a given disaster taking place, you should develop a risk mitigation strategy. This strategy should provide for specific backup solutions and disaster recovery procedures for critical data.

Factors to consider in developing a strategy (among others) include legal factors (laws may restrict where data can be stored); recovery point objectives (RPOs), which measure how much data an organization can afford to lose as the result of a disaster; and recovery time objectives (RTOs), which specify how quickly an organization needs to recover IT services and infrastructure after a disaster to maintain business continuity.


Step 4: Configure and Run Testing Exercises on Your Disaster Recovery Plan

Once the risk management strategy is in place, you must run testing scenarios to ensure that the strategy is properly configured. Testing exercises can differ in complexity.

The goal of any testing exercise is to ensure that data has been backed up in accordance with your recovery point objectives, and that the strategy actually works.

Once testing has confirmed that the risk management strategy is sound, the strategy is “ready to use.” Bear in mind, however, that testing should not be conducted only before strategy rollout. Testing should be performed continuously, especially after an incident occurs, so that you can refine and make changes to the strategy you deploy.
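As an added example (not code from the original article), here is the kind of check a Step 4 testing exercise can run over the Security Officer's ePHI source inventory: it flags any source whose latest backup is older than its RPO, flags any restored copy whose digest does not match the original (the Security Rule's "exact copies"), and orders restoration by BIA criticality. The BackupRecord schema, the digest scheme and the sample inventory are constructed assumptions for the illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class BackupRecord:
    """One entry from the ePHI source inventory (hypothetical schema)."""
    source: str             # e.g. "EHR", "Diagnostic images"
    criticality: int        # BIA ranking: 1 = most vital to operations
    rpo: timedelta          # recovery point objective for this source
    last_backup: datetime   # when the most recent backup completed
    source_sha256: str      # digest of the data set taken at backup time
    backup_sha256: str      # digest recomputed from the restored copy during the test

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_backup(rec: BackupRecord, now: datetime) -> list[str]:
    """Return findings for one source; an empty list means the backup passes."""
    findings = []
    age = now - rec.last_backup
    if age > rec.rpo:  # the data-loss window would exceed what the BIA said is tolerable
        findings.append(f"{rec.source}: last backup is {age} old, exceeds RPO of {rec.rpo}")
    if rec.source_sha256 != rec.backup_sha256:  # the Security Rule asks for exact, retrievable copies
        findings.append(f"{rec.source}: restored data is not an exact copy (digest mismatch)")
    return findings

def restore_order(records: list[BackupRecord]) -> list[str]:
    """Restoration priority from the BIA: most critical first, then tightest RPO."""
    return [r.source for r in sorted(records, key=lambda r: (r.criticality, r.rpo))]

def run_exercise(records: list[BackupRecord], now: datetime) -> dict[str, list[str]]:
    return {r.source: check_backup(r, now) for r in records}

# Constructed sample inventory for the exercise (not real data).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    BackupRecord("EHR", 1, timedelta(hours=1), NOW - timedelta(minutes=30),
                 sha256_of(b"ehr-v1"), sha256_of(b"ehr-v1")),              # passes
    BackupRecord("Diagnostic images", 2, timedelta(hours=24), NOW - timedelta(hours=30),
                 sha256_of(b"images-v1"), sha256_of(b"images-v1")),        # stale
    BackupRecord("Patient accounting", 2, timedelta(hours=4), NOW - timedelta(hours=2),
                 sha256_of(b"ledger-v7"), sha256_of(b"ledger-v6")),        # not an exact copy
]

if __name__ == "__main__":
    print(run_exercise(SAMPLE, NOW), restore_order(SAMPLE))
```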


Data backup plans and disaster recovery plans are required under the HIPAA Security Rule. Implementing robust backup and disaster recovery plans can help keep your business running smoothly and securely.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


HIPAA Willful Neglect Can Cause Bankruptcy


You totally meant to get HIPAA compliant, but it looked kind of hard and maybe too expensive, so you put it off. Or maybe you just thought that no one would ever notice that you weren't HIPAA compliant. Then something happens: a patient complains, a competitor files a complaint with HHS, a breach happens at one of your BAs, an ex-employee files a complaint, or you get picked for an audit.

It could start benignly with a request for certain documentation, such as your risk assessment or copies of your security and privacy policies. If you can't produce these documents, then you are already in willful neglect. But what if these documents are out of date, or you claim that you have oral policies? Willful neglect. What if you did staff training but didn't document it? Willful neglect.

So, as you can see, there are a lot of potentially dangerous scenarios. What is the definition of willful neglect? Willful neglect is defined as “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.” 45 CFR 160.401. Section 13410(a) of the HITECH Act [123 STAT.

But what are the consequences of being found in willful neglect? The answer is huge fines, action plans for maintaining compliance, bad public relations, monitors, and so on. The total cost of a breach has been calculated at $355 per patient record. Recently there was a $450,000 penalty for the loss of 388 patient records.

Clearly, penalties for willful neglect would cause many companies to at least consider bankruptcy. The way to avoid these draconian penalties is simple: do something. Get some online security awareness training for your staff. This costs as little as $20 per year per staff member. Get a risk assessment and then start updating your policies.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr
