HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
HIPAA Data Backup Plan and Disaster Recovery Plan

The requirements of a HIPAA data backup plan and a disaster recovery plan are discussed below.

What are the Requirements of a HIPAA Data Backup Plan?

A HIPAA data backup plan is a component of the administrative safeguards that must be implemented under the HIPAA Security Rule.

 

The data backup plan, which is part of the administrative safeguard requirement to have a contingency plan, consists of establishing and implementing procedures to create and maintain retrievable, exact copies of electronic protected health information (ePHI).

Backed-up data must be recoverable: the organization must be able to retrieve the copies and restore them.

The requirement that data be capable of being recovered comes from a related provision of the contingency plan requirement – the disaster recovery plan requirement.

Under a disaster recovery plan, a covered entity or business associate establishes (and implements as needed) procedures to restore any loss of data.

What Should I Consider When Developing a HIPAA Data Backup Plan?

When developing a HIPAA data backup plan, covered entities and business associates should consider the nature of the ePHI that must be backed up, including how many identifiers the ePHI has. 

 

The HIPAA Security Officer should make an inventory of all sources of data, to determine the nature and type of ePHI an organization stores.

 

There are many potential sources of ePHI. These include, among others, patient accounting systems, electronic medical records, health maintenance and case management information, digital recordings of diagnostic images, electronic test results, and any other electronic documents created or used.

Where Should I Store Backup Copies of Data?

There are two types of backup storage organizations should use:

Backup #1 (Local Storage Backup): The first kind of backup is backup to a local, onsite appliance. In this kind of data backup, backup data is stored on a local storage device (appliance), such as a hard disk or CD.

Backup #2 (Offsite Backup): The second kind of backup is offsite backup. Offsite backup consists of either backing up data to the cloud or storing backup data at an offsite facility. Storing backup data with a HIPAA-compliant cloud provider allows an organization to easily retrieve information from the cloud.

With cloud storage, backup data can be retrieved at any time. Storing backup data at an offsite facility (a physical location other than your worksite) allows recovery of backup data if the backup data stored locally, onsite, is destroyed or damaged because the premises themselves have been damaged by emergencies such as earthquakes and floods.

What is the Difference Between a HIPAA Data Backup Plan and a Disaster Recovery Plan?

The difference between backups and disaster recovery is a matter of scope. Backing up data refers to creating and keeping actual copies of data.

A backup plan does not take disaster response into account. A disaster recovery (DR) plan, in contrast, is a strategy for responding to a disaster event, and that response includes deploying the backups, in other words putting the backups into action.

What Steps Does the Disaster Planning Process Consist of?

There are four essential steps to complete in the disaster recovery planning process. These are discussed in turn.

 

Step 1: Performing a Business Impact Analysis (BIA)

 

A business impact analysis (BIA) is a thorough assessment and inventorying of an organization’s virtual environment.

 

In this process, the organization must take into account the volume and type of data that is being managed; where the data is being stored; how much in terms of resources and time must be expended to restore access to different types of data; and how critical each type of data is to business operations.

 

The more vital the data is to the business’s ability to function, the higher that data’s priority of restoration, and resource allocation, should be.

 

Step 2: Performing a Risk Assessment

 

Conducting a risk assessment consists of running and evaluating hypothetical external situations that can hurt your business. External situations that can damage your business include natural disasters, such as hurricanes and blizzards.

 

External situations also include man-made events, such as active shooter situations and acts of terror. 

 

When conducting the risk assessment, an organization should consider all potential external incident types, and the likelihood of their occurrence.

 

The organization should also consider the nature and severity of the impact each incident may have on the organization’s ability to continue normal operations.

 

It is necessary to consider all the possible incident types, as well as the impact each may have on the organization’s ability to continue to deliver its normal business services.

 

In preparing the risk assessment, organizations should review all records and sources of information at their disposal to assess the threat posed by each incident type. Records and sources of information can include, for example:

  • Employee recollection of prior disruptive events and how they affected business operations;
  • Advice from first-responder organizations; and
  • Disaster recovery resource libraries from government agencies, such as the Federal Emergency Management Agency (FEMA).

 

Step 3: Create a Risk Management Strategy

 

Once you have identified your data processes and the business impact of disruptions to them, combined with the likelihood of a given disaster taking place, you should develop a risk mitigation strategy. This strategy should provide for specific backup solutions and disaster recovery procedures for critical data.

 

Factors to consider in developing a strategy (among others) include legal factors (laws may restrict where data can be stored); recovery point objectives (RPOs), which measure how much data an organization can afford to lose as the result of a disaster; and recovery time objectives (RTOs), which are metrics that calculate how quickly an organization needs to recover IT services and infrastructure after a disaster to maintain business continuity. 

 

Step 4: Configure and Run Testing Exercises on Your Disaster Recovery Plan

 

Once the risk management strategy is in place, you must run testing scenarios to ensure that the strategy is properly configured. Testing exercises can differ in complexity.

 

The goal of any testing exercise is to ensure that data has been backed up in accordance with your recovery point objectives, and to ensure that the strategy actually works.

 

Once testing has confirmed that the risk management strategy is sound, the strategy is “ready to use.” Bear in mind, however, that testing should not be conducted only before strategy rollout.

 

Testing should be performed continuously – especially after an incident occurs. This way, you can refine and make changes to the strategy you deploy.
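Step 4 asks that testing confirm the backups are exact, retrievable and within the recovery point objective. The Python check below is an added example, not code from the article or from Technical Dr. Inc.; it models the plan's three verifiable requirements (exact copies by SHA-256 comparison, a local and an offsite copy, and an RPO bound on the newest good copy) over constructed sample data. The names BackupCopy, verify_backups and the 24-hour RPO are assumptions for the illustration.

```python
"""Verify backup copies against a HIPAA-style backup plan (added example,
not from the article). All record bytes, timestamps and the 24-hour RPO
below are constructed for illustration."""
import hashlib
from dataclasses import dataclass, field

@dataclass
class BackupCopy:
    tier: str        # "local" (onsite appliance) or "offsite" (cloud/facility)
    taken_at: float  # epoch seconds when this copy was made
    data: bytes      # the copy's contents as read back from storage

@dataclass
class VerificationResult:
    exact_copies: bool = True   # every copy hashes identically to the source
    tiers_present: bool = True  # both a local and an offsite copy exist
    rpo_met: bool = True        # newest exact copy is younger than the RPO
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.exact_copies and self.tiers_present and self.rpo_met

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_backups(source: bytes, copies: list, rpo_seconds: float,
                   now: float) -> VerificationResult:
    """Check copies of one ePHI source for exactness, storage tiers and RPO."""
    result = VerificationResult()
    expected = sha256(source)
    # Requirement 1: retrievable, exact copies. A copy whose hash differs
    # from the source has been corrupted, truncated or altered.
    for copy in copies:
        if sha256(copy.data) != expected:
            result.exact_copies = False
            result.problems.append(f"{copy.tier} copy is not an exact copy")
    # Requirement 2: the two storage types the plan calls for.
    tiers = {copy.tier for copy in copies}
    for tier in ("local", "offsite"):
        if tier not in tiers:
            result.tiers_present = False
            result.problems.append(f"no {tier} backup copy present")
    # Requirement 3: RPO. Only exact copies count; a corrupt recent copy
    # does not shorten the data-loss window.
    good = [c.taken_at for c in copies if sha256(c.data) == expected]
    if not good or now - max(good) > rpo_seconds:
        result.rpo_met = False
        result.problems.append("newest exact copy is older than the RPO")
    return result

def demo() -> tuple:
    """Run the check on a compliant and a non-compliant constructed set."""
    record = b"MRN 000-CONSTRUCTED; encounter 2024-01-01; A1c 6.1"  # constructed
    now = 1_700_000_000.0
    rpo = 24 * 3600  # assumed 24-hour recovery point objective
    compliant = [BackupCopy("local", now - 3600, record),
                 BackupCopy("offsite", now - 7200, record)]
    failing = [BackupCopy("local", now - 3600, record[:-1]),        # truncated
               BackupCopy("offsite", now - 3 * 24 * 3600, record)]  # too old
    return (verify_backups(record, compliant, rpo, now),
            verify_backups(record, failing, rpo, now))

if __name__ == "__main__":
    for res in demo():
        print("OK" if res.ok else "FAIL", res.problems)
```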

 

Data backup plans and disaster recovery plans are required under the HIPAA Security Rule. Implementing robust backup and disaster recovery plans can help keep your business running smoothly and securely. 

Is healthcare prepared for data-sharing's security risks?

The data-sharing requirements for the Meaningful Use program and the Affordable Care Act pose significant security challenges to healthcare organizations, and Erik Devine, chief security officer at Riverside Medical Center, predicts organizations will learn this year just how prepared they are.

In an interview with HealthcareInfoSecurity, Devine says his 370-bed hospital in Kankakee, Illinois, will focus on employee training, making sure systems are patched and third-party review--"making sure we're doing what our policies say we're doing."

He foresees more persistent threats in 2015, such as the Sony hack and other breaches seen last year.

"I think healthcare is going to see a lot of attacks in ransomware," Devine says. "Employees leaking data unknowingly is a big threat to healthcare systems. Hackers are going to take advantage of that and look for the monetary value in return."

Health information exchanges will pose particular challenges, he adds.

"Are we prepared to manage all the information that's flowing in and out of the system? ... Trying to get information for the patient out there in the real world so they have better experiences at any hospital they visit will obviously carry significant risks. Is healthcare ready for that change? That's what we're going to determine in 2015 and further."

In its 2015 Data Breach Industry Forecast, Experian called healthcare "a vulnerable and attractive target for cybercriminals." It also noted that employees remain the leading cause of compromises but receive the least attention from their employers.

Security experts foresee phishing and ransomware attacks posing particular challenges to healthcare organizations in the coming year.

To help protect against threats like those, the healthcare industry should make use of cyberthreat intelligence, according to Jeff Bell, HIMSS privacy and security committee chair.

Entities such as the U.S. Computer Emergency Readiness Team, the U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center and the National Cyber-Forensics & Training Alliance provide information on threats, malware and vulnerabilities that organizations can use to strengthen their security systems, Bell says. Vendors of security products also often have their own intelligence feeds.

One year after Target, how to protect yourself from massive data breaches

Another data breach was discovered Tuesday, this time at Sony. Unreleased movies were leaked on the Internet.

It comes almost a year after a massive data breach at Target.

One expert said the main reason for these breaches: Hackers are getting even better.

“If stores ever find a surefire way to stay protected, hackers will find a better way to get into them,” said Craig Smith, chief investigator at Bright Star Investigations.

He said it’s not a question of business filing practices.

The blame goes to the hackers.

“They thrive on new ways to exploit technology,” he said. “There's hackers that do it for fun, want to make a political point, steal money and they want to create havoc, chaos and mayhem.”

His best advice to stay safe – prepaid cards offered by companies like Visa and American Express.

Instead of carrying cash, load the amount onto that card and spend just like you would your debit card.

“You're gonna get the same benefit, same protections. If the store gets hacked, the only thing they'll get is your prepaid card information,” Smith said.

As to avoiding hackers, Smith said it's just not possible because technology gives them even greater access.

Other ways to avoid hackers, or at least protect yourself if you’ve been hit:

  • Constantly monitor bank and credit card accounts
  • Pay in cash
  • Use ATMs at bank locations you trust
  • Sign up for text alerts so you are notified when large purchases are charged to your account.

Cyber-Insurance: How Much Is Enough?

Mega-breaches, including the recent hacking attack on Anthem Inc., always result in an uptick of interest in cyber-insurance; but determining how much coverage to buy is an ongoing challenge, says data privacy attorney Marc Voses.

"Every single industry after an event like this sees an uptick in the interest in purchasing cyber-insurance," says Voses, a partner at law firm Kaufman Dolowich & Voluck, LLP. "Over the years since cyber-insurance has been made available, the limits [for dollar value of coverage] ... are increasing at an exponential rate."


After the Target data breach, "the retail industry went streaming into the brokers wanting to find out more about the products and shift more risk onto the insurance carriers in the event of a data breach," Voses says.

Organizations considering cyber-insurance need to ponder how much is enough to offset the potential costs involved not only with breach response expenses, such as notification, but also potential lawsuits and government fines, he says in an interview with Information Security Media Group.

In the aftermath of the Anthem incident, several class action lawsuits already have been filed, including a suit seeking $5 billion that was filed in California just one day after Anthem announced the breach, he notes.

For Home Depot, breach-related expenses are estimated at about $70 million so far, while the company reportedly had cyber-insurance coverage for $100 million, Voses says. In the Target breach, expenses are estimated at about $150 million, which apparently exceeds the company's cyber-insurance coverage, which was reportedly only $40 million, he notes.

In this interview, Voses also discusses:

  • Possible regulatory investigations and other government actions that might result from the Anthem breach;
  • What the HIPAA security rule says about the use of data encryption to prevent breaches;
  • The key privacy and other lessons that are emerging from the Anthem breach so far.

Voses is a partner at the New York City office of national law firm Kaufman Dolowich & Voluck, representing domestic and international insurers and reinsurers, and their insureds, in coverage and liability disputes. He is a litigator who has been called upon to address complex coverage and liability issues involving cyber, data and privacy exposures, management and professional liabilities, environmental liabilities and commercial general liability matters.


Redefining Healthcare Email & Data Archives in the Age of HIPAA

Information technology has long been an enabler of collaboration and openness in the healthcare industry – but it also adds an additional layer of complexity. And in 2003, the U.S. government’s Health Insurance Portability and Accountability Act (HIPAA) added a new level of complication for how healthcare organizations manage patient information. It is a double-edged sword: healthcare IT professionals must devise ways to help workers access patient information faster, safely and securely, while maintaining compliance with HIPAA rules and internal protocols.

There is a simple reason for that complication: personally identifiable information is extremely valuable. Any breach or act of non-compliance that results in the release of personal medical information can have devastating consequences for both patients and the healthcare organization. As a consequence, the healthcare industry is ramping up its efforts to secure systems to better protect sensitive data, adapt to evolving threats and comply with HIPAA.

The goal posts are moving too. Digital patient records are growing, and organizations need to better manage storage while ensuring continuity and maintaining absolute HIPAA compliance. In addition to front-line security measures, healthcare organizations are also tasked with ensuring continuity of operations through the deployment of highly secure disaster recovery and backup strategies.

How Archiving Solutions Can Help

Managing the growing complexity of any healthcare organization’s data, while ensuring and maintaining compliance, is no small feat. Communicating patient data is critical in healthcare environments, and must remain fluid and fast, regardless of the archiving solution in place. It is also essential that medical staff remain unaffected – access to data and systems should be transparent.

While many healthcare organizations are utilizing secure content collaboration systems like SharePoint to control access to patient data, email is still the primary tool that most healthcare workers use to communicate patient issues, needs and requirements, as well as a growing list of rich media such as blood work, x-rays and sonograms. Proper data management policies and sophisticated archiving solutions can help healthcare IT administrators manage storage growth and cost, while maintaining absolute compliance, eDiscovery and continuity. Robust email archiving solutions can help because they archive content from any platform – SharePoint, file servers, and email servers – providing a searchable and federated index, continuity and secure, compliant storage.

Furthermore, in the event of a legal dispute, HIPAA requires that all patient information, whether in a file or within the body of an email, must be securely stored and quickly retrievable. Many organizations stockpile this information on expensive storage without proper data rules to find that data fast. The result is a loss in productivity as administrators spend days or weeks searching through data in order to comply with legal orders.

HIPAA Isn’t Simple

Complying with HIPAA doesn’t just happen; it’s an ongoing process best performed by healthcare IT professionals working in concert with their legal and healthcare end users to deliver the right information to give patients the best care possible. Sophisticated platforms such as Exchange can manage all of these tasks from one dedicated interface, but healthcare organizations need to alter how they view patient data on a grassroots level.

1. Set and define internal rules. How long will an email be archived for? A blanket policy is best here. Filtering can always be added at a later date but a core, compliant retention policy is key.

2. Make sure everything can be audited. This also applies to every action carried out by an administrator or dedicated compliance asset – not just end users.

3. Everything must be discoverable. Use advanced content indexing across live data and archived metadata.

4. Learn the official rules. Read the Health Insurance Portability and Accountability Act to understand more about the act, its requirements of healthcare workers and the data they create and access, as well as how it protects patients. While the data storage and accessibility portions are contained in HIPAA’s Title II, it is helpful to review Title I for information about helping patients to keep their data portable.

5. Access control. Who should be on the list of “super administrators”? Who can create policies, manage retention times?

6. Identify e-discovery requirements. Double check with the legal department – what needs to be stored? How long? What type of content? What about external consultants? What about mobile device usage?

7. Deletion policy. Considering a purge option is not an easy task. Rules change without notice. Think about moving older data to cheaper forms of secure storage media just in case your organization is asked to produce data.

8. Backup. Daily backups are 100% necessary for databases and Exchange. Take a close look at where you can save time and effort by creating solutions that store changes and not simply create full backups.


