Meet Compliance
JTM-EZ Secure Data Backup helps your company meet all of its regulatory compliance
needs.
Introduction
In 1996, Congress passed the Health Insurance Portability and Accountability Act
("HIPAA"). HIPAA was designed to reduce the administrative costs of healthcare, to
promote the confidentiality and portability of patient records, to develop standards for
consistency in the health care industry, and to provide an incentive for electronic
communications.
HIPAA applies to any health care providers, health plans and clearinghouses (collectively
"Covered Entities") that electronically maintain or transmit health information pertaining
to individuals. Covered Entities must have appropriate measures that address the
physical, technical and administrative components of patient data privacy.
With the exception of small health plans, all Covered Entities must have data security
standards in place by April 21, 2005, when the Standards for the Security of Electronic
Protected Health Information (the “Security Rule”) of HIPAA went into effect for most
health care providers. Small health plans were exempted until April 21, 2006. The Security
Rule requires health care providers to put in place certain administrative, physical and
technical safeguards for electronic patient data. Among other things, Covered Entities
are required to have a Data Backup Plan, a Disaster Recovery Plan, and an
Emergency Mode Operation Plan. Fortunately, there is a simple and affordable way to
meet many of these security and contingency requirements: JTM-EZ online backup
service.
More about the HIPAA Security Rule
The Security Rule applies to electronic protected health information. This is protected
health information either transmitted by electronic media or maintained in electronic
media. Covered entities that maintain or transmit protected health information are
required by the Security Rule (see 45 C.F.R. §164.306) to:
1. Ensure the confidentiality, integrity, and availability of all electronic protected
health information the covered entity creates, receives, maintains, or transmits.
2. Protect against any reasonably anticipated threats or hazards to the security or
integrity of such information.
3. Protect against any reasonably anticipated uses or disclosures of such information
that are not permitted or required under subpart E of this part.
4. Ensure compliance with this subpart by its workforce.
According to the HIPAA regulations, Covered Entities are allowed to use a flexible
approach when implementing the above requirements. Specifically,
1. Covered entities may use any security measures that allow the covered entity to
reasonably and appropriately implement the standards and implementation
specifications as specified in this subpart.
2. In deciding which security measures to use, a covered entity must take into
account the following factors:
(i) The size, complexity, and capabilities of the covered entity.
(ii) The covered entity’s technical infrastructure, hardware, and
software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to electronic
protected health information.
The Security Rule is further detailed through 18 technical standards and 36
implementation specifications. These standards and specifications are classified into four
categories: administrative safeguards, physical safeguards, technical safeguards and
organizational requirements.
HIPAA Security Rule and Electronic Data Backup
A number of the Security Rule’s standards and specifications apply to the backup and
safekeeping of electronic data. Covered Entities must have a contingency plan and:
Establish (and implement as needed) policies and procedures for responding to an
emergency or other occurrence (for example, fire, vandalism, system failure, and
natural disaster) that damages systems that contain electronic protected health
information (Administrative Safeguards - §164.308(a)(7)(i)).
This contingency plan must be implemented as follows:
(A) Data backup plan (Required). Establish and implement procedures to create
and maintain retrievable exact copies of electronic protected health
information.
(B) Disaster recovery plan (Required). Establish (and implement as needed)
procedures to restore any loss of data.
(C) Emergency mode operation plan (Required). Establish (and implement as
needed) procedures to enable continuation of critical business processes for
protection of the security of electronic protected health information while
operating in emergency mode.
Covered Entities must also have certain physical safeguards, such as facility access
controls. They must:
Implement policies and procedures to limit physical access to its electronic
information systems and the facility or facilities in which they are housed, while
ensuring that properly authorized access is allowed (Physical Safeguards -
§164.310(a)(1)).
The contingency operations should establish (and implement as needed)
procedures that allow facility access in support of restoration of lost data under
the disaster recovery plan and emergency mode operations plan in the event of an
emergency (§164.310(a)(2)(i)).
In addition, Covered Entities must implement certain technical safeguards (§164.312) to,
among other things:
• Limit access to electronic protected health information.
• Encrypt and decrypt electronic protected health information.
• Put into place audit controls that record and examine activity in information
systems that contain or use electronic protected health information.
• Implement technical security measures to guard against unauthorized access to
electronic protected health information that is being transmitted over an electronic
communications network.
JTM-EZ Secure Online Backup can help your health organization meet HIPAA compliance
requirements, specifically those of the Security Rule.