Meeting HIPAA disaster recovery requirements tough but possible

The HIPAA Security Rule requires all covered entities to create a disaster recovery plan but says little about what should go into such a plan. This tip fills in the gaps.

Under federal law, HIPAA covered entities must implement procedures to protect and secure access to electronic...

protected health information (ePHI). What's more, such entities also had to supply a contingency plan to insure continued ePHI availability during emergencies or disasters.

However, ePHI exists only in conjunction with data processing applications and, thus, can only be recovered together with those systems. Consequently, HIPAA disaster recovery requirements state the need for an ePHI data backup plan, along with disaster recovery and emergency mode operation plans.

  • The intent of the data backup plan was to create systems that allowed for the restoration of all ePHI.
  • The intent of the disaster recovery plan was to identify the processes and procedures needed to insure that ePHI data could be restored in the event of loss.
  • Finally, the intent of the emergency mode operation plan was to describe how operations could continue to protect and secure ePHI during an emergency.

In addition, HIPAA disaster recovery requirements ask that a test and revision procedure and an applications and data criticality analysis for ePHI be "addressable" by all covered entities. Addressable regulations such as these could be dismissed by demonstrating that they were not applicable. For example, these policies need only apply to large ePHI environments; smaller organizations could address them by documenting reasons why they were not relevant to their contingency plan.

Creating a HIPAA data backup plan and choosing an alternate DR site

Ordinarily, many data centers provide for system recovery by using data backups or mirroring/replication.

  • Data backups can be written to removable media, such as tape DVDs or CDs, or they can be placed on alternate storage systems such as virtual tape libraries, other storage or dedicated backup appliances. Data backups are taken periodically, usually duplicated, stored both on and offsite, and preserve multiple versions of data.
  • Meanwhile, data replication or mirroring is used to copy data to another site, which can be a host, network or storage system facility. Mirroring can be scheduled, asynchronous or synchronous. Scheduled data replication can be done every week, every shift or more often. For asynchronous mirroring, data is copied some time after it is modified. In contrast, with synchronous mirroring, copies are made while data is being modified.

Any successful disaster recovery will necessarily depend on the use of an alternate or secondary site. There are three types of disaster recovery sites available.

  • A cold site supplies only power, cooling and networking. Servers, switches and storage must be sent to the location.
  • A warm site adds to the cold site sufficient servers, switches and storage hardware to support ePHI operations in the event of a disaster.
  • A hot site provides warm site hardware plus continuous data mirroring of ePHI data to speed up disaster recovery.

Keep the following in mind when choosing a disaster recovery site.

  • Using a cold site will require special contracts with system vendors to drop ship any and all necessary hardware to the site.
  • For both cold and warm sites, backup data must be transported to the disaster site.
  • For all site types, servers, networking and software systems will need to be reconfigured onsite to support emergency operations.

Creating an all-encompassing disaster recovery plan

HIPAA disaster recovery requirements ask that a test and revision procedure and an applications and data criticality analysis for ePHI be 'addressable' by all covered entities.

In any case, having a backup of ePHI and an alternate site arrangement is required -- but not sufficient -- to support disaster operations. For that to occur, one also needs a disaster recovery and emergency mode operations plan. Although HIPAA disaster recovery requirements place these into two separate policies, many health IT shops cover both mandates with a single, all encompassing disaster recovery plan (DRP). 

Any DRP should include the following five components.

Disaster declaration: The DRP should document the disaster recovery decision process and team participants. Moving operations to an alternate site is always a costly endeavor. Occasionally, temporary or transient issues, such as a power fluctuation, can impact data center operations for a limited time. It's the purpose of the disaster declaration process and team, which generally consist of operations and other senior IT management personnel, to determine if disaster recovery is truly warranted.

Disaster list: The DRP should focus on a select set of high-probability and high-impact events such as natural disasters or other catastrophes. Cataloguing these within the DRP can help IT personnel justify investment in costly backup systems, alternate site(s) and application recovery.

Data backup: Any disaster will necessarily depend on backups or mirrors of current data and applications. As such, backup systems should be well described in the DRP. This information should include the frequency, type and locations of any data and system backups and/or replication done to offsite location(s). Moreover, how data backups are to be shipped to the alternate site -- with procedures, contact lists and transport duration -- should be supplied. Equally important, offsite repositories should be far enough away to insure backup availability in the face of a disaster impacting the primary site. Similar locality constraints apply to alternate site locations.

Alternate site: The DRP should delineate the secondary site capabilities, activation procedures and contact lists. One should also provide instructions as to how technical personnel will access and/or travel to the alternate site.

ePHI recovery: The DRP should identify all ePHI systems and data requirements. Furthermore, the process for restoring ePHI application operations should be fully recorded. Moreover, an application recovery priority list should be produced to determine restoration sequence. Personnel familiar with an application and its operation can often facilitate emergency operations, so names and contact lists for these individuals should be supplied.

Summary: Don't neglect DRP testing, modification

We have identified most of the critical components of any DRP needed to respond to HIPAA disaster recovery requirements. Although not discussed above, addressable policies could be dealt with inside or outside the DRP. Nonetheless, as ePHI applications can be added, deleted or modified, periodic plan tests and resultant corrections are vital to the continuing success of any disaster recovery. 

Furthermore, with natural disasters and security breaches occurring more frequently, the need for a practicable DRP is more essential than ever. In fact, having a viable DRP is something all covered entities should have in place for their own business survival, regardless of HIPAA disaster recovery requirements. 

Ray Lucchesi is president of Silverton Consulting, which focuses on data center and storage strategies and systems. Let us know what you think about the story; email [email protected].

Learn more about HIPAA disaster recovery requirements

  • How virtualized disaster recovery and a virtualized server environment can ensure HIPAA compliance
  • What the Joplin tornado teaches hospitals about disaster recovery planning
  • Questions about the HIPAA Security Rule or disaster recovery? Ask them at the Health IT Exchange!

Dig Deeper on Electronic health records security compliance