If you store patients' medical records, Social Security Numbers or home addresses, you will most likely be subject to HIPAA's data protection requirements.
Backup and Archive your data offsite with BackupSilo. Meet compliance requirements and as a bonus be prepared for disasters and business continuity.
HIPAA (the Health Insurance Portability and Accountability Act of 1996) was enacted to support the protection of personally identifiable health information (PHI). It limits the use and disclosure of information about the physical or mental health of an identifiable patient without his or her consent or authorization, and it specifies the safeguards needed to protect PHI.
- Who must comply: Individuals and enterprises, such as doctors and other healthcare personnel, hospitals, pharmacies, medical billing services, healthcare plans, HMOs, and business associates of these enterprises, such as their accountants and attorneys.
- What it covers: All medical records and other health information that identifies the individual patient.
- Pertinent requirements: Administrative, technical, and physical safeguards that protect the privacy of a patient’s health information by preventing any intentional or unintentional use or disclosure. In addition, records must be recoverable in the event of a small-scale or large-scale disaster.
- Penalties for non-compliance: Up to 10-year prison sentence and fines of $25,000 per year.
HIPAA has supplemental standards, in the form of “final rulings,” which codify how health care providers and those who handle individually-identifiable patient health records must comply. The rulings include provisions that require compliant backup methodologies to ensure that individually identifiable health records remain private and secure. The security and privacy rulings require a backup plan, a disaster recovery plan, and an emergency mode operation plan (Section 164.308).
How BackupSilo's Backup Solutions Can Help
BackupSilo's backup solutions provide critical data security protection without compromising patient privacy. Our solutions help enterprises meet or exceed HIPAA regulations.
Our Backup Solutions Meet Security Requirements
Health care providers must implement comprehensive security systems to ensure that they protect electronic patient records against data loss and unauthorized access. A HIPAA-compliant security system must include administrative procedures, physical safeguards, and technical measures to protect patient information while stored and while transmitted across communications networks. Our Backup solutions implement security and availability features in the following areas:
- Preserves a retrievable, physically secure, off-site, exact copy of patient records with easy, frequent data backups. Encrypts all data before it leaves the customer’s server and keeps it encrypted during transmission and storage. Only the customer has access to the decryption password.
- Protects backup transmissions further by using integrity controls, mutual authentication, access controls, alarms for abnormalities, auditing of failed logins, and event reporting.
- Simplifies disaster recovery with tools to restore lost data quickly.
- Reduces media control risks, compared to traditional disk or tape backup techniques, by eliminating insecure methods of data handling, especially transporting physical media offsite.
- Offers multiple point-in-time backups per day — as often as every 15 minutes — to ensure that recovery is possible with minimal data loss.
- Allows long retention periods — as long as seven years — to meet HIPAA requirements.
Our Backup Solutions Meet Privacy Requirements
Under the HIPAA rules for the privacy of personal data, health care providers that engage in electronic transactions must observe privacy safeguards to restrict the use and disclosure of individually identifiable health information. As independent third-party service providers, our partner IronMountain and its subcontractors are “business associates” under the HIPAA security and privacy rules. If needed, we will work with IronMountain to provide and sign a business associate agreement in conjunction with use of our server backup service. The server backup service and its agents do not receive data for any purpose except to provide data restoration after data loss. Because the data is encrypted before it leaves the customer’s server and only the customer has access to the password, the server backup service and its agents cannot access the data.
Our Backup solutions are important parts of a HIPAA-compliant solution for preventing unauthorized access:
- Secure Transmission and Storage: Customer data is encrypted with 256-bit AES encryption (Server Backup), and then transmitted and stored as encrypted data at vaults that reside offsite at a secure remote facility. With our server backup solution, customer encrypted data may also optionally reside on an appliance at the customer’s site to facilitate rapid recovery.
- Logical Access: Strict controls limit logical access to the data; for example, a secure user interface prevents viewing the contents of data files. In addition, customers can restore data only to the computer where the data originated, or to a computer where the customer has installed the data encryption key. The user interface cannot specify, change, transport, or access data encryption keys.
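The two items above, together with the earlier security list, describe the property that matters most here: data is encrypted with a 256-bit AES key on the customer's side, and the vault only ever holds ciphertext it cannot open. The following is an added example written for this page, not BackupSilo's or IronMountain's code, showing how that property is implemented with the Go standard library. The passphrase-to-key derivation (PBKDF2-HMAC-SHA256 with a 100,000-iteration work factor), the AES-GCM mode, and the blob layout (salt, nonce, ciphertext, tag) are assumptions of the example; the page states only "256-bit AES" and "only the customer has access to the password".

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	saltLen  = 16     // random salt stored with each backup
	nonceLen = 12     // standard AES-GCM nonce size
	keyLen   = 32     // 256-bit AES key, matching the page's "256-bit AES"
	kdfIters = 100000 // PBKDF2 work factor (assumption; tune per hardware)
)

// pbkdf2SHA256 derives keyLen bytes from a passphrase using PBKDF2 with
// HMAC-SHA256 (RFC 8018). Written inline so the example needs only the
// Go standard library.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	out := make([]byte, 0, numBlocks*hashLen)
	for block := 1; block <= numBlocks; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// gcmFor builds an AES-256-GCM instance from the customer passphrase and salt.
func gcmFor(passphrase string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(passphrase), salt, kdfIters, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBackup encrypts a backup on the customer's side before anything is sent
// to the vault. Output layout: salt || nonce || ciphertext || GCM tag. The
// header (salt and nonce) is bound in as additional authenticated data, so
// any alteration of the stored blob is detected at restore time.
func SealBackup(passphrase string, plaintext []byte) ([]byte, error) {
	header := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(header); err != nil {
		return nil, err
	}
	gcm, err := gcmFor(passphrase, header[:saltLen])
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, header[saltLen:], plaintext, header)
	return append(header, ct...), nil
}

// OpenBackup reverses SealBackup. It fails closed on a wrong passphrase or on
// any modification of the blob, and never returns partial plaintext.
func OpenBackup(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+16 { // 16 = GCM tag length
		return nil, errors.New("backup blob too short")
	}
	header := blob[:saltLen+nonceLen]
	gcm, err := gcmFor(passphrase, header[:saltLen])
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, header[saltLen:], blob[saltLen+nonceLen:], header)
	if err != nil {
		return nil, errors.New("wrong passphrase or tampered backup")
	}
	return pt, nil
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("mrn=000001;name=Jane Doe;dob=1970-01-01;note=annual visit")
	blob, err := SealBackup("customer-held passphrase", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("vault stores %d bytes; plaintext visible: %v\n",
		len(blob), bytes.Contains(blob, []byte("Jane Doe")))
	restored, err := OpenBackup("customer-held passphrase", blob)
	fmt.Printf("restore ok: %v, err: %v\n", bytes.Equal(restored, record), err)
	_, err = OpenBackup("vault operator guess", blob)
	fmt.Println("without the passphrase:", err)
}
```

Two points follow from this design that a compliance reviewer should confirm with any vendor. First, because the key exists only on the customer side, losing the passphrase means the vault copy is unrecoverable by anyone, so the passphrase itself needs a protected, escrowed record as part of the disaster recovery plan. Second, an authenticated mode such as GCM is what gives the "integrity controls" mentioned in the security list real meaning: a restore either yields the exact bytes that were backed up or fails outright, rather than silently returning corrupted records.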
By preventing loss of data, our backup solutions are also important for HIPAA-compliant strategies:
- Physical Controls: The data center is a hardened underground facility, meeting numerous physical criteria. The facility controls access through administrative procedures, physical safeguards, and technical security measures.
- Redundant Vaults: All backed-up data resides on two separate, redundant vaults. The data center has redundant bandwidth providers, power, and HVAC.
- Retention for up to Seven Years: Customers can retain historical backups for up to seven years.
Both the server and PC/MAC Backup solutions complement physical safeguards to ensure that recent and vulnerable data receive protection automatically and regularly. This protection is critical, because sources of data are often distributed throughout an enterprise. Many of these sources rarely receive protection because of their remote location or poor resources for manual backup. Our Server and PC/MAC Backup solutions can ensure that backup and protection extend to all areas of the business and their sensitive data.
This automated, regular approach provides auditors with proof of a good-faith attempt on the part of enterprises to protect their vital business information for the purposes of disaster recovery and business continuity. It also ensures data recovery for operations.
BackupSilo’s Encryption and LDD (Lost Data Destruction) solution deletes specified data — and can overwrite data locations to prevent recovery of deleted data — under conditions that administrators define. These conditions include a lost notebook computer, password tampering, and other evidence of unauthorized system access. This solution can prevent potentially disastrous and embarrassing disclosure of data, for example, when notebook computers are lost or stolen.
In addition to meeting the challenges of externally imposed regulations, enterprises must also work proactively to improve their IT processes for security, confidentiality, and robustness. Such proactive enterprises choose business partners and vendors that can assist them to meet these internal goals. SysTrust™ Certification and PCI Compliance are two achievements that demonstrate a partner’s commitment to best practices.
Our partner and solutions provider, IronMountain, is SysTrust certified and PCI compliant.