Choosing a HIPAA Compliant Data Backup Provider
The HITECH act of 2009 imposed stricter penalties for HIPAA violations and extended the regulations to cover businesses that work with records from medical offices. Getting the data backup piece right is now more critical than ever. HIPAA requirements for securing protected health information (PHI) is covered in a series of seven white papers from the Department of Health and Human Services.
The Goals of HIPAA
HIPAA regulations may be complex but their goals are simple. Medical professionals must keep patient data secure, private and easily accessible when it is needed. Implementing data backup procedures lies at the heart of HIPAA security, so choosing the right data backup software provider is absolutely critical.
Fortunately, providers that are HIPAA compliant tend to be proud of the fact and their marketing leads with that info. If a data backup provider doesn’t boast about their HIPAA compliance from the beginning, it’s time to move on.
What to Verify at a Data Backup Provider
Even if a company claims that its data backups are HIPAA compliant, it is really the medical professional’s business that’s on the line. Here are three of the most critical specifications that need to be verified:
- They need to store exact copies of PHI with unlimited revisions. Most normal data backup providers store only five to 10 copies of the most recent revisions.
- The data must be physically secured in a storage facility with controlled access, workstation lock-downs and media controls. These requirements alone put HIPAA-compliant data backups out of reach of most small businesses.
- Ask for a copy of the backup provider’s annual HIPAA-compliance audit. It must be conducted by a reputable outside audit company according to the OCR HIPAA Audit Protocol. This audit details 169 areas where the company must meet or exceed HIPAA requirements.
Examples of HIPAA Compliant Providers
- Nordic BackUp – Nordic is the cloud service of choice for SERT Data Recovery. Nordic is HIPAA compliant with 256-bit AES encryption, and a one step setup that intelligently scans your entire system for important files. Home Plus and Preferred plans automatically backup your system drives and other internal and external hard drives at the same time as securing your data in the cloud.
- Carbonite – This Boston-based cloud-backup service provider was profiled in Inc. magazine’s “500 Fastest Growing Companies in the U.S.” Both its Pro and Server level backup plans are described as HIPAA compliant. Pro is the small-business solution for unlimited workstations. Server is the next step up, covering databases and live server applications, as well.
- Mozy – This provider uses 256-bit AES encryption, twice as strong as the recommended encryption. All data movement during backups and data at rest remains encrypted in their U.S.-based data centers. It guarantees protection against “hardware failure, theft, virus attack, deletion, and natural disaster.” Mozy can also provide the written contingency plans that medical professionals must have in the event of a disaster as required under the law.
- SOS Online – Beyond HIPAA regulations, this provider meets the specifications of SSAE 16/SAS 70 Type II Certification. Its audited data centers have 24-hour surveillance, gated access and on-site security. Data cannot be read in transit or at rest on their servers. No additional contracts are required, however, B.A. agreements are available.
Naturally, there is a great deal more to consider than just HIPAA compliance, even though that must be the primary concern. In addition, small businesses need to investigate data-backup solutions to find out about recurring fees, how much storage space they require and whether the system has to go down during the backup process. Just like implementing the backup themselves, though, once a data backup provider is chosen, everyone in the enterprise will find it much easier to sleep at night.