BACKGROUND IMAGE: StudioM1/iStock

E-Handbook:

Explore health IT data storage strategies

Manage Learn to apply best practices and optimize your operations.

HIPAA requirements steer data protection in healthcare

Although HIPAA may not specify how to protect patient data in the event a system goes down, its requirements make it clear data must remain available and secure.

In most cases, adherence to HIPAA requirements requires a multipronged approach to healthcare data disaster re...

covery.

The aspects to consider include the following:

  • backup and recovery
  • continuity of business
  • data lifecycle management
  • security

Let's look at each of these elements in more detail.

Backup and recovery

This aspect is self-explanatory. The organization must be able to make an exact copy of its data and do so in a way that guarantees that the information will be recoverable if it is ever needed. HIPAA requirements compel all covered entities to guarantee the confidentiality, integrity and availability of their electronic protected health information (PHI).

One of the key considerations with regard to backup and recovery is documentation. In addition to documenting things like backup procedures, operators and security measures, it is important to document the recovery point objective and the recovery time objective, as well as the rationale for each.

Continuity of business

HIPAA requirements clearly state that electronic PHI must remain available. As such, it is important to have a good business continuity plan, which some IT pros refer to as a disaster recovery plan.

Continuity of business planning entails coming up with a plan for keeping data and mission-critical applications available following a failure. The scope of a healthcare provider's plan can vary depending on the types of patients that it treats. For instance, a large hospital that treats critically ill patients needs to keep critical systems online no matter what. Thus, a continuity of business plan might entail switching critical workloads over to one of several alternate data centers in the event of a major failure.

Business continuity and disaster recovery planning

In contrast, a small physical therapy provider probably wouldn't require steps that are elaborate or expensive. The important thing is to make sure that the plan is justifiable.

Remember that the HIPAA security rule does not mandate the use of specific technologies, and it leaves the selection of technologies and products up to the individual provider. HIPAA does enable an organization to consider cost as a factor when selecting products or technologies, but requires that "reasonable and appropriate security measures must be implemented," according to federal regulations.

Data lifecycle management

Data lifecycle management refers to retaining data for the length of time required by law, and then purging expired information when it is no longer needed.

Data lifecycle management is often thought of as being completely separate from a provider's backup and recovery initiatives. Even so, there are two reasons why data lifecycle management should be considered as a part of the organization's overall disaster recovery plan.

First, some backup vendors have begun integrating data archival and data lifecycle management functionality into their software. Second, it isn't enough to simply retain data for the required length of time. Rather, a healthcare provider must have a way of recovering its data archives if they are lost, corrupted or destroyed.

Security

Security is a central theme throughout HIPAA requirements. The HIPAA security rule establishes standards for how to protect electronic PHI.

The secure handling of data extends to any format containing sensitive patient data, including backups. If, for example, a covered entity performs tape backups, then it must have a plan for protecting those tapes and their contents.

Further, there may be some data that is locked away in proprietary systems that are not tied to the rest of the network. Some older picture archiving and communication systems, for example, rely on proprietary and often isolated storage. Health IT departments must identify such data silos and work to either eliminate them or develop a strategy for protecting the data within.

Regardless of how a healthcare provider approaches its data protection and disaster recovery initiatives, its procedures, technologies and security initiatives must be documented. Because so many of HIPAA's technical safeguards are open to interpretation, it is also important to document the rationale for the organization's various policies, procedures and technology selections.

Next Steps

Avoid these seven business continuity pitfalls

Ask the expert: What is a HIPAA business associate?

Most hospitals plan for EHR data recovery

This was last published in June 2017

Dig Deeper on Electronic medical records security and data loss prevention

PRO+

Content

Find more PRO+ content and other member only offers, here.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

How do you apply HIPAA regulations to your data disaster recovery plans?
Cancel

-ADS BY GOOGLE

SearchCompliance

SearchCIO

SearchCloudComputing

SearchMobileComputing

SearchSecurity

SearchStorage

Close