Data Backup & HIPAA

The US Department of Health and Human Services (HHS) through their HIPAA rules have enacted several mandates to improve the access and portability of patient health records while maintaining strict privacy and security. A critical aspect of the HIPAA privacy ruling is Data Protection, requiring compliant backup methodologies to ensure the security and confidentiality of patient records. Health care providers who engage in electronic transactions must observe privacy safeguards to restrict the use and disclosure of individually identifiable health information.

Virtual Density supports HIPAA compliance through automated off-site data protection with on-demand recovery, while ensuring strict data security and confidentiality.

HIPAA Requirements Regarding Patient & Practice Data

Restrict Unauthorized Access
Patient record confidentiality is critical. Any electronic data transfer and storage must be adequately protected and secure from all unauthorized access.

Contingency Plan
Organizations are required to have a contingency plan to continue operations in the event of data loss. This contingency plan MUST include details concerning the data backup and recovery process, who handles the backup media, the media rotation process, where the media is stored off-site, how quickly it can be retrieved in the event of a disaster, and all other aspects associated with data backups, protection, security, storage, and recovery.

Data loss can result in further losses of productivity, patients/customers, and revenue. In many cases significant data loss will result in lost business. Fortunately, the damaging impact of data loss can be negated with a qualified data protection solution as part of your contingency plan.

HIPAA Recommended Data Protection Options

Data Backup Tape Systems

Initial investment starts at about $2,000 for the drive and backup software. You should consider this a bi-annual expense since the drives will wear out with regular use and you should have a version and update maintenance subscription on the backup software.

A proper rotating tape backup methodology uses a minimum of 19 tapes per year – which averages another $800 per year in tape media costs.

Tapes have both a limited shelf life and a limited operational life. Due to tape costs and media rotation hassles, it is common to resort to taping over and over on the same tape, only to discover that the tape has worn out, rendering the backups unusable and restoring impossible. Tapes need to be retired and replaced periodically as they shed their magnetic recording material. And because standards change, the tapes you buy today may become incompatible with any tape drive you may buy to replace one that wears out.

Secure off-site storage is also required. Convenient storage and expedited retrieval is necessary for emergency situations.

Tape storage space is limited and not conducive to automated, unattended backups.

Removable Storage Drives

These devices require a high entry price for a reliable system. Off-site storage is required. Convenient storage and expedited retrieval is necessary for emergency situations. Storage capacity limitations make automated and unattended backups impractical.

External Disc Media (CDs, DVDs)
Due to their low price point and readily available drives, rewritable CDs (CD-RW) and DVDs have become a popular backup media for many people.

However, you should note that:

  • CDs have less storage capacity than tapes, making automated and unattended backups impractical.
  • DVDs have a larger storage capacity than CDs, but are still limited.
  • Off-site storage is required. Convenient storage and expedited retrieval is necessary for emergency situations.
  • Limited shelf life is a definite concern.

Since external backup storage media (Zip drives, CDs, DVDs, Tapes, Flash drives, external hard drives, etc.) can be easily stolen, support limited data sizes, often utilize no or minimal encryption security and must be transported to/from off-site storage facilities, they rarely represent adequate data protection solutions for HIPAA compliance.

Online Backup Services

Online backup (remote backup) services represent a fully-automated, secure, unlimited off-site storage facility for quality data backup operations.

  • Fully automated data backups at secure off-site facilities.
  • No hardware to buy or manage.
  • No media to buy, rotate, catalog or store offsite.
  • All data is encrypted for security.
  • Data can be easily restored on-demand 24×7 & expert assistance is available.
  • Service costs can be low compared to external media.

Virtual Density for HIPAA Compliance
HIPAA compliant information systems require a combination of administrative procedures, physical safeguards and technical measures to protect patient information during storage and transmission across communication networks. As a significant part of your overall contingency plan, Virtual Density provides secure, automated data transmission and storage services for data backup and recovery.

Virtual Density implements the following HIPAA compliant features:

  • Automated, unattended data backups with built-in notifications.
  • Ultimate data security via 448-bit encryption – data is ALWAYS compressed and encrypted during transmission and while data is at rest in offsite storage.
  • Data integrity controls with mutual authentication.
  • Restricted password access – a secret encryption key can be specified for ultimate security, even Virtual Density can’t get access your data.
  • Off-site storage at highly-secured data centers.
  • Data is mirrored to secondary secure facilities for ultimate data availability.
  • Extended storage is available (HIPAA requires storage for minimum 6 years).
  • On-demand, exact copy data retrieval – 24x7x365.
  • Optional monthly CD or DVD archives are available.

Additionally:

  • No cost or hassles with external devices, media, or offsite storage.
  • We are a Connecticut based company with very low subscription costs.

HIPAA privacy rules provide Virtual Density with “business associate” rights to limited use and disclosure of the information. Virtual Density never discloses data unless required by law. Virtual Density will never access any portion of the backup data unless authorized for customer support purposes. Virtual Density can be fully prevented from data access by use of the client-side secret encryption key.