HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

HIPAA Data Backup Plan and Disaster Recovery Plan


The requirements of a HIPAA data backup plan and disaster recovery plans are discussed below.

What are the Requirements of a HIPAA Data Backup Plan?

A HIPAA data backup plan is a component of the administrative safeguards that must be implemented under the HIPAA Security Rule.


The data backup plan, which is part of the administrative safeguard requirement to have a contingency plan, consists of establishing and implementing procedures to create and maintain retrievable, exact copies of electronic protected health information (ePHI).




Data that is secured and backed up must be capable of being recovered (i.e., must be recoverable or retrievable).


The requirement that data be capable of being recovered comes from a related provision of the contingency plan requirement – the disaster recovery plan requirement.


Under a disaster recovery plan, a covered entity or business associate establishes (and implements as needed) procedures to restore any loss of data.

What Should I Consider When Developing a HIPAA Data Backup Plan?

When developing a HIPAA data backup plan, covered entities and business associates should consider the nature of the ePHI that must be backed up, including how many identifiers the ePHI has. 


The HIPAA Security Officer should make an inventory of all sources of data, to determine the nature and type of ePHI an organization stores.


There are many potential sources of ePHI. These include, among others, patient accounting systems, electronic medical records, health maintenance and case management information, digital recordings of diagnostic images, electronic test results, and any other electronic documents created or used.

Where Should I Store Backup Copies of Data?

There are two types of backup storage organizations should use:


Backup #1 (Local Storage Backup): The first kind of backup (Backup #1) you should use is backup through a local, onsite appliance. In this kind of data backup, backup data is stored on a local storage device (appliance), such as a hard disc, CD, or hard drive.

Backup #2 (Offsite Backup): The second kind of backup is offsite backup. Offsite backup consists of either backing up data to the cloud, or storing backup data at an offsite facility. Storing backup data with a HIPAA compliant cloud provider allows an organization to easily retrieve information from the cloud.


With cloud storage, backup data can be retrieved at any time. Storing backup data at an offsite facility (a physical location other than your worksite) allows recovery of backup data if the local, onsite backup is destroyed or damaged because the premises themselves have been damaged by emergencies such as earthquakes and floods.

What is the Difference Between a HIPAA Data Backup Plan and a Disaster Recovery Plan?

The difference between backups and disaster recovery is a matter of scope. Backing up data refers to creating and keeping actual copies of the data.


A backup plan does not take disaster response into account. A disaster recovery (DR) plan, in contrast, is a strategy for responding to a disaster event, and that response includes deploying the backups – in other words, putting the backups into action.

What Steps Does the Disaster Planning Process Consist of?

There are four essential steps to complete in the disaster recovery planning process. These are discussed in turn.


Step 1: Performing a Business Impact Analysis (BIA)


A business impact analysis (BIA) is a thorough assessment and inventorying of an organization’s virtual environment.


In this process, the organization must take into account the volume and type of data that is being managed; where the data is being stored; how much in terms of resources and time must be expended to restore access to different types of data; and how critical each type of data is to business operations.


The more vital the data is to the business’s ability to function, the higher that data’s priority of restoration, and resource allocation, should be.


Step 2: Performing a Risk Assessment


Conducting a risk assessment consists of running and evaluating hypothetical external situations that can hurt your business. External situations that can damage your business include natural disasters, such as hurricanes and blizzards.


External situations also include man-made events, such as active shooter situations and acts of terror. 


When conducting the risk assessment, an organization should consider all potential external incident types and the likelihood of each occurring.


The organization should also consider the nature and severity of the impact each incident may have on its ability to continue normal operations and to keep delivering its normal business services.


In preparing the risk assessment, organizations should review all records and sources of information at their disposal to assess the threat posed by each incident type. Records and sources of information can include, for example:

  • Employee recollection of prior disruptive events and how they affected business operations;
  • Advice from first-responder organizations; and
  • Disaster recovery resource libraries from government agencies, such as the Federal Emergency Management Agency (FEMA).


Step 3: Create a Risk Management Strategy


Once you have identified your data processes, the business impact of a disruption to each, and the likelihood of a given disaster taking place, you should develop a risk mitigation strategy. This strategy should provide specific backup solutions and disaster recovery procedures for critical data.


Factors to consider in developing a strategy include (among others) legal factors (laws may restrict where data can be stored); recovery point objectives (RPOs), which measure how much data an organization can afford to lose as the result of a disaster; and recovery time objectives (RTOs), which define how quickly an organization must recover IT services and infrastructure after a disaster to maintain business continuity.


Step 4: Configure and Run Testing Exercises on Your Disaster Recovery Plan


Once the risk management strategy is in place, you must run testing scenarios to ensure that the strategy is properly configured. Testing exercises can differ in complexity.


The goal of any testing exercise is to ensure that data has been backed up in accordance with your recovery point objectives, and to ensure that the strategy actually works.


Once testing has confirmed that the risk management strategy is sound, the strategy is “ready to use.” Bear in mind, however, that testing should not be conducted only before strategy rollout.


Testing should be performed continuously – especially after an incident occurs. This way, you can refine and make changes to the strategy you deploy.


Data backup plans and disaster recovery plans are required under the HIPAA Security Rule. Implementing robust backup and disaster recovery plans can help keep your business running smoothly and securely. 
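As an added illustration of what the plan's requirements look like in practice (example code written for this page, not from the article or any vendor): a small Python check that creates an exact copy of a data set, verifies the copy by SHA-256 against a manifest, and tests a backup's age and a restore's duration against RPO and RTO values. The file names, objectives and timestamps are constructed sample data and are assumptions, not figures from the article.

```python
import hashlib
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Objectives used by this example (assumed values, not taken from the article).
RPO = timedelta(hours=24)  # tolerable data loss: age of the newest good backup
RTO = timedelta(hours=4)   # tolerable time to restore service from that backup

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()  # whole-file read; fine for a demo

def make_backup(source: Path, dest: Path) -> dict:
    """Copy every file under source into dest; return {relative path: sha256}."""
    manifest = {}
    for f in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = f.relative_to(source)
        (dest / rel).parent.mkdir(parents=True, exist_ok=True)
        (dest / rel).write_bytes(f.read_bytes())
        manifest[str(rel)] = sha256_file(f)
    return manifest

def verify_exact_copy(manifest: dict, restored: Path) -> list:
    """Relative paths whose restored copy is missing or differs from the manifest."""
    return [rel for rel, digest in manifest.items()
            if not (restored / rel).is_file() or sha256_file(restored / rel) != digest]

def meets_rpo(last_backup: datetime, now: datetime) -> bool:
    return now - last_backup <= RPO

def meets_rto(restore_started: datetime, restore_finished: datetime) -> bool:
    return restore_finished - restore_started <= RTO

def run_demo() -> dict:
    """Constructed sample data: two files, one backup, then a damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bkp = Path(tmp, "ehr"), Path(tmp, "backup")
        src.mkdir()
        (src / "labs.csv").write_text("patient_id,result\nP001,normal\n")
        (src / "notes.txt").write_text("constructed sample note\n")
        manifest = make_backup(src, bkp)
        clean = verify_exact_copy(manifest, bkp)
        (bkp / "labs.csv").write_text("P001,ABNORMAL\n")  # simulate a damaged copy
        damaged = verify_exact_copy(manifest, bkp)
    now = datetime(2024, 1, 2, 9, 0)
    return {"files": len(manifest), "clean": clean, "damaged": damaged,
            "rpo_ok": meets_rpo(datetime(2024, 1, 1, 22, 0), now),
            "rpo_stale": meets_rpo(datetime(2023, 12, 31, 6, 0), now),
            "rto_ok": meets_rto(now, now + timedelta(hours=3))}
```

The manifest check is what a restore test should assert on: a backup that restores but does not hash-match is not the "exact copy" the Security Rule asks for, and a newest backup older than the RPO is a finding even when every file matches.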

Cloud still sparks fear of breaches | Healthcare IT News


These days, it seems, data breaches and hacking are regular news in health — and across industries.

The fear of breaches, subsequent fines and reputation loss are among the reasons why some healthcare technology leaders have been hesitant to embrace cloud-based technology writ large. They need not fear, but should be informed.

Indeed, almost 20 percent of healthcare organizations have suffered a security breach, some 804 breaches affecting more than 500 patient records each occurred between 2009 and 2013, and this summer the hospital network Community Health Systems was hacked, according to a report from the Institute for Health Technology Transformation, or iHT2.

Looking outside of healthcare, there have been frightening breaches of cloud-based data, like the 2011 incident involving Sony’s PlayStation 3 accounts on Amazon Web Services. Then there’s the celebrity photo hacking in Apple accounts, which actually happened through password guessing, not cloud-system hacking, but nonetheless contributes to the fear.

One health cloud skeptic is Chris Logan, chief information security officer of Care New England, a three-hospital system based in Providence, R.I. Though the system’s vendor, Cerner, has a remote-hosted EHR, Logan told iHT2 he still prefers a dedicated infrastructure over a multi-tenant public cloud.

“Most cloud vendors have huge servers and are carving pieces up to give to customers. The thing that scares me about that is, what if the controls aren’t in place and my data slips into somebody else’s environment, or their data slips into my environment? What’s the downstream issue there? What’s the effect? It’s significant.”

HIPAA is starting to take care of that, with its most recent update in 2013 specifically defining cloud services as business associates, which have to comply with HIPAA security rules and also take on direct liability for security breaches.

Even with the BA protection, though, there’s still a risk for healthcare organizations. “Your name and your reputation are always at stake if there’s a security breach,” Jeff Pearson, CIO at Trinity Mother Frances Hospitals and Clinics, in Tyler, Texas, told the report's authors. “So you have to worry that if you make a poor choice of a cloud vendor, your organization is still going to suffer.”

While there is no undoing bad PR stemming from a breach, health organizations can dig deep into their contracts with cloud vendors and negotiate upward on caps for damages stemming from breaches.

Relatedly, one of the biggest factors to consider over the long term is subscription cost, according to iHT2. Renting cloud space may not necessarily be cheaper than purchasing and hosting an internal system.

"Most cloud services are by subscription, and subscription fees come out of our operating budget," David Reis, chief information security officer at Lahey Health, in Burlington, Mass., told the researchers. “When we buy a system, we can capitalize that cost and it doesn’t count against our operating budget. So financing these cloud services is a very significant inhibitor. This has been a conversation at Lahey for the 2.5 years I’ve been here. It’s the undiscussed story of the cloud.”

On the flip-side, in-house systems face the costs of downtimes — as much as $264 per minute for a 500-bed hospital.

“Most on-premises systems have downtimes,” said Drew Koerner, chief healthcare solutions architect at cloud service company VMware. “The people who run the cloud-based infrastructure — including us — have got 10 times less downtime than you would have within an on-prem system.”

In the end, healthcare organizations with mixed feelings about the cloud may want to watch their peers — and learn from them.

More than 83 percent of hospitals and health systems are using the cloud for at least some technology, according to a recent HIMSS Analytics survey of 150 organizations. About half are using the cloud for clinical operations, about three quarters are using it for administration and about three quarters are using hybrid cloud services that give them more control over their data but less than the full potential for savings promised by large public clouds.

A bit less than a quarter of the hospitals and health systems surveyed are using the public cloud, which is available to the general public and, according to vendors, can yield savings of up to 40 percent over five years, compared to internal hosting, while private clouds come with savings of up to 20 percent.

Wary health organizations should know, too, that some businesses throughout the rest of the economy are also waiting before diving in. Less than 40 percent of cloud users across industries are using a public cloud, according to a 2013 survey by North Bridge Venture Partners.
