HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

HIPAA Data Backup Plan and Disaster Recovery Plan


The requirements of a HIPAA data backup plan and disaster recovery plans are discussed below.

What are the Requirements of a HIPAA Data Backup Plan?

A HIPAA data backup plan is a component of the administrative safeguards that must be implemented under the HIPAA Security Rule.


The data backup plan, which is part of the administrative safeguard requirement to have a contingency plan, consists of establishing and implementing procedures to create and maintain retrievable, exact copies of electronic protected health information (ePHI).




Data that is backed up must be recoverable, i.e., it must be possible to retrieve and restore it; a copy that cannot be restored does not satisfy the requirement.


The requirement that data be capable of being recovered comes from a related provision of the contingency plan requirement – the disaster recovery plan requirement.


Under a disaster recovery plan, a covered entity or business associate establishes (and implements as needed) procedures to restore any loss of data.

What Should I Consider When Developing a HIPAA Data Backup Plan?

When developing a HIPAA data backup plan, covered entities and business associates should consider the nature of the ePHI that must be backed up, including which identifiers it contains.


The HIPAA Security Officer should make an inventory of all sources of data, to determine the nature and type of ePHI an organization stores.


There are many potential sources of ePHI. These include, among others, patient accounting systems, electronic medical records, health maintenance and case management information, digital recordings of diagnostic images, electronic test results, and any other electronic documents created or used.

Where Should I Store Backup Copies of Data?

There are two types of backup storage organizations should use:


Backup #1 (Local Storage Backup): The first kind of backup is a backup to a local, onsite device. Backup data is written to a storage appliance or medium kept on the premises, such as a dedicated backup appliance, a network-attached storage device, an external hard drive, or removable media such as a CD.

Backup #2 (Offsite Backup): The second kind of backup is offsite backup, which consists of either backing up data to the cloud or storing backup media at an offsite facility. A HIPAA compliant cloud provider lets an organization retrieve backup data at any time from anywhere with connectivity; note that a cloud provider that stores ePHI is a business associate and must sign a business associate agreement before any backup data is sent to it.


Storing backup media at an offsite facility (a physical location other than your worksite) allows recovery of backup data if the copies stored locally are destroyed or damaged along with the premises, for example in an earthquake or flood. Backup copies are themselves ePHI and need the same access controls and encryption as the originals, and the offsite copy should not be writable with the credentials used in production, so that a single compromise or operator error cannot destroy both the live data and its backup.

What is the Difference Between a HIPAA Data Backup Plan and a Disaster Recovery Plan?

The difference between a backup plan and disaster recovery is a matter of scope. A backup plan covers creating and maintaining retrievable copies of data; it does not address how the organization responds when a disaster occurs.


A disaster recovery (DR) plan, in contrast, is the strategy for responding to a disaster event, and that response includes deploying the backups, in other words restoring the copies into service.

What Steps Does the Disaster Planning Process Consist of?

There are four essential steps to complete in the disaster recovery planning process. These are discussed in turn.


Step 1: Performing a Business Impact Analysis (BIA)


A business impact analysis (BIA) is a thorough assessment and inventory of an organization’s IT environment and the data it holds.


In this process, the organization must take into account the volume and type of data being managed; where the data is stored; how much time and how many resources are needed to restore access to each type of data; and how critical each type of data is to business operations.


The more vital the data is to the business’s ability to function, the higher that data’s priority of restoration, and resource allocation, should be.


Step 2: Performing a Risk Assessment


Conducting a risk assessment consists of identifying and evaluating hypothetical situations that could disrupt the business. These include natural disasters, such as hurricanes and blizzards.


They also include man-made events, such as active shooter situations and acts of terror.


When conducting the risk assessment, an organization should consider every plausible incident type, the likelihood of each, and the nature and severity of the impact each would have on the organization’s ability to continue delivering its normal business services.


This disaster-focused assessment does not replace the organization-wide risk analysis that the Security Rule separately requires. That analysis also covers malicious threats to ePHI such as ransomware and insider misuse, and those threats belong in the contingency plan too: a backup that the same attacker who hits production can encrypt or delete is not a recovery option.


In preparing the risk assessment, organizations should review all records and sources of information at their disposal to assess the threat posed by each incident type. Records and sources of information can include, for example:

  • Employee recollection of prior disruptive events and how they affected business operations;
  • Advice from first-responder organizations; and
  • Disaster recovery resource libraries from government agencies, such as the Federal Emergency Management Agency (FEMA).


Step 3: Create a Risk Management Strategy


Once you have identified your data processes, the business impact of a disruption to each, and the likelihood of each disaster, develop a risk mitigation strategy. This strategy should specify concrete backup solutions and disaster recovery procedures for critical data.


Factors to consider in developing a strategy (among others) include legal factors (laws may restrict where data can be stored); recovery point objectives (RPOs), which state how much data, expressed as a span of time, an organization can afford to lose in a disaster; and recovery time objectives (RTOs), which state how quickly IT services and infrastructure must be restored after a disaster to maintain business continuity. Backup frequency must be at least as tight as the RPO: an RPO of four hours cannot be met with nightly backups. Likewise the RTO must allow for the time it actually takes to retrieve and restore the copies, not just the time to locate them.


Step 4: Configure and Run Testing Exercises on Your Disaster Recovery Plan


Once the risk management strategy is in place, you must run test exercises to confirm that the strategy is properly configured. Testing exercises can differ in complexity.


The goal of any testing exercise is to confirm that data has been backed up in accordance with your recovery point objectives, that a restore actually completes within your recovery time objective, and that the strategy works as written. Checking that a backup job reported success is not a test; only an actual restore shows that the copies are exact and retrievable.


Once testing has confirmed that the risk management strategy is sound, the strategy is “ready to use.” Bear in mind, however, that testing should not be conducted only before strategy rollout.


Testing should be repeated on a schedule, and especially after an incident occurs, so that the strategy can be refined with what was learned.
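As an added example (not code from the original article), the following Python script exercises the three checks the steps above describe: that each backup is an exact, retrievable copy (verified by SHA-256 digest when the copy is written and again when it is restored), that the newest copy of each source is within the RPO, and that a full restore completes within the RTO. The catalog layout, the two sample data stores, the 24-hour RPO and 4-hour RTO, and the fixed clock are all assumptions chosen for the demonstration; the file contents are placeholders, not real PHI.

```python
"""Backup and restore drill: are the copies exact, current enough for the
RPO, and restorable within the RTO?  (Added example; catalog format, sample
files and objectives are constructed for illustration.)"""
import hashlib
import os
import shutil
import tempfile
import time
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class BackupRecord:
    source_path: str
    backup_path: str
    sha256: str          # digest of the source at backup time
    completed_at: float  # epoch seconds when the copy finished


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_backup(source_path: str, backup_dir: str, completed_at: float) -> BackupRecord:
    """Copy one file into backup_dir and prove the copy is exact before cataloguing it."""
    os.makedirs(backup_dir, exist_ok=True)
    expected = sha256_file(source_path)
    dest = os.path.join(backup_dir, os.path.basename(source_path))
    shutil.copy2(source_path, dest)
    if sha256_file(dest) != expected:
        raise IOError(f"backup of {source_path} is not an exact copy")
    return BackupRecord(source_path, dest, expected, completed_at)


def stale_sources(records: List[BackupRecord], rpo_seconds: float, now: float) -> List[str]:
    """Sources whose newest backup is older than the RPO (data that would be lost)."""
    newest: Dict[str, float] = {}
    for r in records:
        newest[r.source_path] = max(newest.get(r.source_path, 0.0), r.completed_at)
    return sorted(p for p, t in newest.items() if now - t > rpo_seconds)


def restore_drill(records: List[BackupRecord], restore_dir: str, rto_seconds: float) -> dict:
    """Restore every catalogued copy, re-verify its digest, and time the whole run."""
    os.makedirs(restore_dir, exist_ok=True)
    start = time.monotonic()
    corrupt: List[str] = []
    for r in records:
        dest = os.path.join(restore_dir, os.path.basename(r.backup_path))
        shutil.copy2(r.backup_path, dest)
        if sha256_file(dest) != r.sha256:   # catches bit rot or tampering since backup
            corrupt.append(r.source_path)
    elapsed = time.monotonic() - start
    return {"corrupt": sorted(corrupt), "elapsed_seconds": elapsed,
            "rto_met": elapsed <= rto_seconds}


def run_demo() -> dict:
    """Constructed drill: two sample stores, one stale backup, one corrupted copy."""
    hour = 3600.0
    now = 1_700_000_000.0                    # fixed clock for a reproducible result
    work = tempfile.mkdtemp(prefix="dr-drill-")
    src, bak, rst = (os.path.join(work, d) for d in ("ehr", "backup", "restore"))
    os.makedirs(src)
    samples = {                              # placeholder contents, no real PHI
        "patient_accounting.db": b"ACCT|0001|placeholder\n",
        "lab_results.csv": b"result_id,value\n1,placeholder\n",
    }
    for name, body in samples.items():
        with open(os.path.join(src, name), "wb") as f:
            f.write(body)
    records = [
        write_backup(os.path.join(src, "patient_accounting.db"), bak, now - 2 * hour),  # inside 24 h RPO
        write_backup(os.path.join(src, "lab_results.csv"), bak, now - 30 * hour),       # older than RPO
    ]
    # Simulate silent corruption of the accounting backup after it was catalogued.
    with open(records[0].backup_path, "ab") as f:
        f.write(b"\x00")
    stale = stale_sources(records, rpo_seconds=24 * hour, now=now)
    drill = restore_drill(records, rst, rto_seconds=4 * hour)
    shutil.rmtree(work, ignore_errors=True)
    return {
        "stale": [os.path.basename(p) for p in stale],
        "corrupt": [os.path.basename(p) for p in drill["corrupt"]],
        "rto_met": drill["rto_met"],
    }


if __name__ == "__main__":
    print(run_demo())
```

Run it as a script to see the drill result. In a real environment the catalog would be persisted alongside the backups, the restore target would be an isolated host with no production credentials, and the elapsed time would be measured for the whole production data set rather than two small files.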


Data backup plans and disaster recovery plans are required under the HIPAA Security Rule. Implementing robust backup and disaster recovery plans can help keep your business running smoothly and securely. 





Healthcare Mobile Apps, the Cloud, and HIPAA Compliance

Google Fit, Apple Health Kit, and even the Affordable Care Act have companies scrambling to build healthcare-focused mobile apps and/or upgrade existing medical devices. However, the process of bringing a new product to market in the healthcare industry brings about a whole other set of challenges. Not only do you have to worry about a product’s design and functionality, but now there’s the issue of HIPAA compliance and whether your product meets the criteria for FDA regulation. If you’re interested in building a healthcare-focused mobile app or medical device, don’t let these things deter you from doing so. Instead, let’s go over a few things you’ll need to be aware of before you jump in with both feet.
What is HIPAA?

The Health Insurance Portability and Accountability Act, also known as HIPAA, was first signed into law in 1996. HIPAA was written with the intent to protect individuals from having their healthcare data used or disclosed to people or agencies that have no reason to see it. It has two basic goals:

1.) Standardize the electronic exchange of data between health care organizations, providers, and clearinghouses.
2.) Protect the security and confidentiality of protected health information.

There are four rules of HIPAA, but today we’ll focus on the HIPAA Security Rule.
What is PHI?

Protected Health Information (PHI) includes medical records, billing information, phone records, email communication with medical professionals, and anything else related to the diagnosis and treatment of an individual. Examples of non-PHI include steps on your pedometer, calories burned, or medical data without personally identifiable user information (PII).

When building a healthcare app or medical device with the intent to collect, store, and share PHI with doctors and hospitals, it is absolutely mandatory to make sure you’re HIPAA-compliant (or else you’ll face some hefty fines). Additionally, if you’re planning on storing data in the cloud, you must take appropriate measures to ensure you’re properly securing the data and working with a HIPAA-compliant cloud storage service, too.

Here are some steps you’ll need to take:
Determine if your mobile app or medical device must be HIPAA-compliant.

Are you collecting, sharing, or storing personally identifiable health data with anyone who provides treatment, payment and operations in healthcare (aka a covered entity)? If yes, then you must be HIPAA-compliant.
Determine if your mobile app or medical device must be FDA-regulated.

The U.S. Food and Drug Administration (FDA) regulates medical devices to ensure their safety and effectiveness. If you plan to market your product as a medical device, then it may be subject to the provisions of the Federal Food Drug & Cosmetic (FD&C) Act. Find out if your product meets the definition of a medical device as defined by section 201(h) (or a radiation-emitting product as defined in Section 531) on the FDA website. (Visit Is This Product a Medical Device? for more information.) You can also contact the FDA directly if you are unsure whether your mobile app is considered a “Mobile Medical App” and will need to be FDA-regulated. (See Mobile Medical Applications.)
Work with a HIPAA-compliant cloud storage service provider.

Storing data in the cloud is appealing to the healthcare industry because of the amount of data that needs to be stored and easily accessible yet remain secure. The cloud allows individuals and businesses to store large amounts of information in massive data centers around the globe, rather than on internal servers and software. That data can be accessed from anywhere, anytime. Depending on the amount of data (which in healthcare can be A LOT), it can be more cost-effective to store data in the cloud when you account for the costs of hardware, maintenance, staff, and energy when storing locally.

That being said, you need to make sure you’re working with a HIPAA-compliant cloud storage service provider, like Amazon Web Services or Google Apps, though there are several others you can consider. Note that such providers cover only specific, listed services under their HIPAA terms, so check that every service your app actually uses is in scope.
Get a signed Business Associate Agreement.

Just because you’re working with a HIPAA-compliant cloud storage service provider doesn’t mean you’re covered. Any vendor or subcontractor who has access to PHI is considered a Business Associate, and therefore must sign a Business Associate Agreement. That includes your cloud storage service provider.
Secure sensitive data.

Developers should take appropriate safeguards to ensure that PHI is secure and cannot be accessed by unauthorized individuals. People lose their smartphones and iPads or don’t enable passcodes at all, so it’s even more important to make sure the app or medical device is HIPAA-compliant. Data encryption, unique user authentication, strong passwords, and remote wipe options are just a few of the safeguards needed. See InformationWeek’s article about developers and HIPAA compliance for additional information.
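The following Python module is an added example, not code from the original article, showing what “unique user authentication” and “strong passwords” look like in a backend that stores PHI: one identity per person, a per-user random salt, an iterated PBKDF2-HMAC-SHA256 hash, constant-time comparison, lockout after repeated failures, and an audit trail of authentication events that never records the secret. The iteration count, the 12-character minimum, the five-attempt lockout threshold, the user names and the passwords are assumptions chosen for illustration.

```python
"""Unique-user authentication with salted, iterated password hashing,
lockout and an audit trail.  (Added example; policy values and sample
users are constructed for illustration.)"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List

PBKDF2_ITERATIONS = 310_000   # assumption: tune so one derivation takes ~250 ms
MIN_PASSWORD_LENGTH = 12      # assumption: local policy, not a number HIPAA fixes
MAX_FAILED_ATTEMPTS = 5       # assumption: lockout threshold
DUMMY_SALT = bytes(16)        # used so unknown users cost the same time as real ones


@dataclass
class UserRecord:
    user_id: str              # one identity per person, never a shared account
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


class WeakPasswordError(ValueError):
    pass


def password_is_strong(password: str) -> bool:
    """Minimum length plus at least three of four character classes."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= 3


def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


class UserStore:
    def __init__(self) -> None:
        self._users: Dict[str, UserRecord] = {}
        self.audit_log: List[dict] = []   # who, what, when; never the password

    def _audit(self, user_id: str, event: str) -> None:
        self.audit_log.append({"ts": time.time(), "user_id": user_id, "event": event})

    def register(self, user_id: str, password: str) -> None:
        if user_id in self._users:
            raise ValueError("user already exists")
        if not password_is_strong(password):
            raise WeakPasswordError("password does not meet policy")
        salt = secrets.token_bytes(16)                 # fresh salt per user
        self._users[user_id] = UserRecord(user_id, salt, derive_key(password, salt))
        self._audit(user_id, "register")

    def authenticate(self, user_id: str, password: str) -> bool:
        rec = self._users.get(user_id)
        if rec is None:
            derive_key(password, DUMMY_SALT)           # uniform timing for unknown users
            self._audit(user_id, "auth_fail_unknown_user")
            return False
        if rec.locked:
            self._audit(user_id, "auth_fail_locked")
            return False
        if hmac.compare_digest(derive_key(password, rec.salt), rec.digest):
            rec.failed_attempts = 0
            self._audit(user_id, "auth_success")
            return True
        rec.failed_attempts += 1
        if rec.failed_attempts >= MAX_FAILED_ATTEMPTS:
            rec.locked = True
            self._audit(user_id, "account_locked")
        self._audit(user_id, "auth_fail_bad_password")
        return False

    def is_locked(self, user_id: str) -> bool:
        return self._users[user_id].locked


def run_demo() -> dict:
    """Constructed walk-through: weak password rejected, login, lockout, unknown user."""
    store = UserStore()
    weak_rejected = False
    try:
        store.register("dr.rivera", "password1")       # too short, rejected
    except WeakPasswordError:
        weak_rejected = True
    store.register("dr.rivera", "Correct-Horse-Battery-42")
    first_login = store.authenticate("dr.rivera", "Correct-Horse-Battery-42")
    for _ in range(MAX_FAILED_ATTEMPTS):
        store.authenticate("dr.rivera", "wrong-guess")
    locked = store.is_locked("dr.rivera")
    login_while_locked = store.authenticate("dr.rivera", "Correct-Horse-Battery-42")
    unknown_user = store.authenticate("nobody", "Correct-Horse-Battery-42")
    return {"weak_rejected": weak_rejected, "first_login": first_login, "locked": locked,
            "login_while_locked": login_while_locked, "unknown_user": unknown_user,
            "audit_events": len(store.audit_log)}


if __name__ == "__main__":
    print(run_demo())
```

Remote wipe and transport encryption are outside this snippet. A lockout should be paired with alerting so that a burst of failures is investigated rather than silently absorbed, and the audit log should be written somewhere the application itself cannot alter.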

Finally, there is no official certification process to ensure that you’re in compliance with HIPAA’s Security Rule. The U.S. Department of Health and Human Services website states:

“The purpose of the Security Rule is to adopt national standards for safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (e-PHI) that is collected, maintained, used or transmitted by a covered entity. Compliance is different for each organization and no single strategy will serve all covered entities.” (HHS.gov)

That means that it is up to the organization to implement its own strategy and follow the requirements, or else face those hefty fines.

So that’s an overview of HIPAA compliance. Have you gone through this process? What obstacles did you face? Are you interested in building a mobile app or medical device but concerned about the regulations? Leave a comment below, or send us an email with your questions.

Insurer Loses Thousands of Records


The loss of thousands of paper records for those with coverage from a Philadelphia-based health insurer sends a strong reminder that all employees within organizations need to be trained on data security best practices.

Independence Blue Cross is notifying 12,500 members that four boxes containing reports with sensitive information are missing.

In October, the boxes were moved from one floor of the Blue Cross plan's office to another, the insurer says in a statement provided to Information Security Media Group. The boxes, however, never arrived at their intended destination.

"We initially believed that these boxes had been sent to our offsite storage facility," the insurer says. "On Nov. 14, we determined that the boxes had not been placed in storage, but were discarded by the maintenance team in error. We also determined that the method used to discard these boxes did not meet the company's standards for disposing of member information."

The incident highlights the importance of training all personnel within an organization on information security practices, says privacy and security consultant Rebecca Herold. "Had these maintenance workers had training on how to protect sensitive information?" she asks. "Were procedures followed for making a request to move paper documents as opposed to disposing [them]? All these basic, low-tech types of activities can have significant impacts to privacy and security, as this incident shows."

In addition, occasional reminders and awareness communications need to be sent frequently to staff as part of a good risk management plan, Herold says. "It [also] points to the need to have documented procedures for moving any form of protected health information," she says.

Information at Risk

Information that may have been exposed includes member name, address, home phone number, physician name, healthcare plan and group number. Approximately 8,800 of the impacted members also had their member identification number (Social Security number with a two-digit suffix) included in the reports, the insurer says.

Those whose member identification numbers were potentially exposed are being offered free credit monitoring for one year. Independence Blue Cross says it has not received any reports of misuse of member information thus far.

"To reduce the risk of another incident, we no longer allow our maintenance team to dispose of full boxes in the trash," the insurer says. "We are also reminding all associates of our existing policies and the appropriate safety precautions to take when discarding reports that contain member information or other sensitive and proprietary information."


The Cloud is Good, But Know Where Data Go

A recent settlement announcement from the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) highlights the need to evaluate web-based applications and storage solutions. Web-based or cloud solutions are viable options and tools for healthcare entities to utilize, but those tools need to be evaluated for compliance with HIPAA security requirements.

Saint Elizabeth’s Medical Center (“SEMC”), located outside of Boston, MA, learned this lesson the hard way. On November 16, 2012, certain workforce members at SEMC reported suspected non-compliance with HIPAA to OCR. The report focused upon use of an internet-based document sharing and storage application. The specific site is not identified in the OCR Resolution Agreement, but Dropbox is an example of an online storage site that does not meet HIPAA security requirements. OCR notified SEMC of the results of its investigation on February 14, 2013. Fast forward a year and SEMC then reported a breach regarding a workforce member’s unsecured laptop and USB storage device. The combination of events led OCR to conclude that SEMC failed to implement sufficient security measures required by HIPAA and SEMC did not timely identify or mitigate harmful effects from identified deficiencies.

As a result of the two reported incidents, SEMC is now paying $218,400 to OCR in settlement funds. The settlement continues the trend of it not being possible to accurately predict the amount of a fine that will be levied. As stated in the announcement, OCR “takes into consideration the circumstances of the complaint and breach, the size of the entity, and the type of PHI disclosed.” This statement potentially gives some insight, which can be interpreted to mean that entities with bigger pockets will be hit with larger fines because such entities can absorb larger fines.

The other consideration raised by the SEMC settlement is what to do about cloud based storage and sharing solutions. Should all such tools be locked away from use by healthcare organizations? This is not necessarily the answer, because some tools do follow HIPAA security requirements. For example, some cloud storage services were built specifically for healthcare, and as such are more cognizant of applicable regulatory requirements. More general sites, such as Box, have noted HIPAA requirements and claim to meet the required standards. As such, it is possible for organizations to utilize cloud based options.


However, it is not necessarily the choices of an organization as a whole that are troublesome. In SEMC’s case, it is not clear whether the workforce members acted under SEMC’s direction or utilized the cloud sites without SEMC’s direct knowledge. The unsupervised actions of workforce members are what can cause an organization a lot of concern. Organizations need to train and educate workforce members, but cannot always control their actions. Despite the inability to constantly track what a workforce member is doing, certain steps can be taken to alleviate concerns. One measure is to block access to websites that could lead to a potential breach or other non-compliance. Such a measure may not make all workforce members happy, but an organization should assess its risks and take appropriate measures. Additionally, an organization can designate compliant services for workforce members to use, so that there is a sanctioned alternative to the blocked ones.

Regardless of the approach taken, organizations need to be cognizant of the risks posed by cloud based storage, especially on the individual level. OCR’s settlement with SEMC is only the most recent action to highlight the concern. As has been stated before, once OCR releases a settlement addressing an issue, subsequent organizations with the same issue can expect greater focus on the identified issue and less leniency when it comes to a violation.

VA Healthcare Data Breach Exposes Info of 7,000 Veterans | HealthITSecurity.com

The VA experienced a healthcare data breach after a third-party vendor allegedly had an online security flaw.

The Department of Veterans Affairs (VA) experienced yet another healthcare data breach, as it announced last week that approximately 7,000 veterans’ information was potentially exposed after a contractor’s database flaw.

The VA was notified of the incident on Nov. 4, and said that it was due to a potential flaw in a vendor’s system, according to Federal News Radio. The VA told the news source that the vendor was supposed to provide home telehealth services to veterans. More than 790,000 veterans reportedly took advantage of this program in 2014.

“An investigation was immediately initiated and security scans were conducted by VA, which confirmed the concern,” the spokesman said. “The contracted vendor has assured VA that only vendor staff and VA staff had accessed this information. The security flaw in the vendor database was immediately corrected and VA continues to closely monitor the application.”

Information that was potentially exposed via the internet includes names, addresses, dates of birth, phone numbers and VA patient identification numbers. Veterans who were possibly affected have been notified by the VA and are being offered complimentary credit protection services.

The VA did not name the vendor that was involved. However, according to the third-party company, no data was actually exfiltrated through the security hole. Rather, the information was potentially seen after a database was inadvertently exposed online, according to the Federal Times.

This is just the latest in long line of cybersecurity issues for the VA. In November, the agency failed its annual cybersecurity audit for the 16th straight time. Full results were not released, but VA Chief Information Officer Stephen Warren presented the audit results at a House Veterans Affairs Committee hearing. According to Warren, the results were disappointing, especially since “significant time and effort” were put into 2014.

Even so, auditors told VA leaders that noticeable progress had been made from the year before. In 2013, the IG found 6,000 specific cybersecurity vulnerabilities and made 35 separate recommendations to close weaknesses. This year, the IG said the list of vulnerabilities had been cut by 21 percent.

The cybersecurity report followed a US Government Accountability Office (GAO) investigation that also said the VA was lacking in terms of cybersecurity. While the VA took action to fix problems that led to a 2012 breach, the GAO stated that weaknesses identified on VA workstations had not been corrected in a timely manner. This could increase the risk that sensitive data, such as veterans’ personal information, can be compromised.

“Specifically, by not keeping sufficient records of its incident response activities, VA lacks assurance that incidents have been effectively addressed and may be less able to effectively respond to future incidents,” the GAO report stated. “In addition, without fully addressing an underlying vulnerability that allowed a serious intrusion to occur, increased risk exists that such an incident could recur.”

These security issues demonstrate why healthcare organizations must not only maintain their own cybersecurity measures, but also ensure that all third-party companies have current protections in place. Creating business associate agreements (BAAs) that account for cybersecurity issues is critical, and can help keep all parties accountable should a healthcare data breach occur. The contract will also clarify and limit how a business associate uses and discloses protected health information (PHI). Without a clear BAA, it can be more difficult to maintain patients’ privacy and mitigate a possible healthcare data breach.


Cloud still sparks fear of breaches | Healthcare IT News


These days, it seems, data breaches and hacking are regular news in health — and across industries.

The fear of breaches, subsequent fines and reputation loss are among the reasons why some healthcare technology leaders have been hesitant to embrace cloud-based technology writ large. They need not fear, but should be informed.

Indeed, almost 20 percent of healthcare organizations have suffered a security breach; some 804 breaches each affecting more than 500 patient records occurred between 2009 and 2013; and this summer the hospital network Community Health Systems was hacked, according to a report from the Institute for Health Technology Transformation, or iHT2.

Looking outside of healthcare, there have been frightening breaches of cloud-based data, like the 2011 incident involving Sony’s PlayStation 3 accounts on Amazon Web Services. Then there’s the celebrity photo hacking in Apple accounts, which actually happened through password guessing, not cloud-system hacking, but nonetheless contributes to the fear.

One health cloud skeptic is Chris Logan, chief information security officer of Care New England, a three-hospital system based in Providence, R.I. Though the system’s vendor, Cerner, has a remote-hosted EHR, Logan told iHT2 he still prefers a dedicated infrastructure over a multi-tenant public cloud.

“Most cloud vendors have huge servers and are carving pieces up to give to customers. The thing that scares me about that is, what if the controls aren’t in place and my data slips into somebody else’s environment, or their data slips into my environment? What’s the downstream issue there? What’s the effect? It’s significant.”

HIPAA is starting to take care of that, with its most recent update in 2013 specifically defining cloud services as business associates, which have to comply with HIPAA security rules and also take on direct liability for security breaches.

Even with the BA protection, though, there’s still a risk for healthcare organizations. “Your name and your reputation are always at stake if there’s a security breach,” Jeff Pearson, CIO at Trinity Mother Frances Hospitals and Clinics, in Tyler, Texas, told the report's authors. “So you have to worry that if you make a poor choice of a cloud vendor, your organization is still going to suffer.”

While there is no undoing bad PR stemming from a breach, health organizations can dig deep into their contracts with cloud vendors and negotiate upward on caps for damages stemming from breaches.

Relatedly, one of the biggest factors to consider in the long-term is long-term subscription cost, according to iHT2. Renting cloud-space may not necessarily be cheaper than purchasing and hosting an internal system.

"Most cloud services are by subscription, and subscription fees come out of our operating budget," David Reis, chief information security officer at Lahey Health, in Burlington, Mass., told the researchers. “When we buy a system, we can capitalize that cost and it doesn’t count against our operating budget. So financing these cloud services is a very significant inhibitor. This has been a conversation at Lahey for the 2.5 years I’ve been here. It’s the undiscussed story of the cloud.”

On the flip-side, in-house systems face the costs of downtimes — as much as $264 per minute for a 500-bed hospital.

“Most on-premises systems have downtimes,” said Drew Koerner, chief healthcare solutions architect at cloud service company VMware. “The people who run the cloud-based infrastructure — including us — have got 10 times less downtime than you would have within an on-prem system.”

In the end, healthcare organizations with mixed feelings about the cloud may want to watch their peers — and learn from them.

More than 83 percent of hospitals and health systems are using the cloud for at least some technology, according to a recent HIMSS Analytics survey of 150 organizations. About half are using the cloud for clinical operations, about three quarters are using it for administration and about three quarters are using hybrid cloud services that give them more control over their data but less than the full potential for savings promised by large public clouds.

A bit less than a quarter of the hospitals and health systems surveyed are using the public cloud, which is available to the general public and, according to vendors, can yield savings of up to 40 percent over five years, compared to internal hosting, while private clouds come with savings of up to 20 percent.

Wary health organizations should know, too, that some businesses throughout the rest of the economy are also waiting before diving in. Less than 40 percent of cloud users across industries are using a public cloud, according to a 2013 survey by North Bridge Venture Partners.
