15 Jul How Are You Storing Your Sensitive Data? HIPAA & HITECH IT Requirements
As we move further into the 21st century, more and more information is stored and transmitted digitally. For healthcare providers and medical practices, these digital records, known as electronic protected health information (ePHI), must be protected by technical safeguards such as encryption and by physical safeguards wherever they are stored or transmitted.
When it comes to IT, all covered entities (CEs) and their business associates (BAs) must follow strict and sweeping guidelines set forth by HIPAA and HITECH. These acts, passed in 1996 and 2009 respectively, were designed to promote the confidentiality and portability of patient health records and set forth data security standards for healthcare providers.
The HIPAA Security Rule, published in 2003, specifies administrative, technical and physical safeguards that CEs and BAs must implement to ensure the confidentiality, integrity and availability of ePHI. The penalties for failing to meet the Security Rule are severe: under the tiered structure introduced by HITECH, fines run up to $1.5 million per calendar year for violations of the same provision.
What the HIPAA Security Rule Means to CEs & BAs
There’s no way around it. All CEs and BAs must create and maintain “retrievable exact copies of electronic protected health information” (45 CFR § 164.308(a)(7)(ii)(A), the data backup plan specification).
You must back up your data frequently
The rule does not prescribe a backup interval; the risk analysis required by 45 CFR § 164.308(a)(1)(ii)(A) has to justify the one you choose. A crashed server, corrupted data or erasure by an employee at the end of the day could wipe out a whole day’s work if you only back up once per day.
Your data must be recoverable
That is the whole point of backups. Per 45 CFR § 164.308(a)(7)(ii)(B), your disaster recovery plan must let you “restore any loss of data.”
You must test your recovery
Per 45 CFR § 164.308(a)(7)(ii)(D), you must “implement procedures for periodic testing and revision of contingency plans.” The best backup solution is useless if the restore fails the day you need it, and the only way to know it works is to restore a backup and compare the result with the original.
Your backups must be kept securely off-site
The rule does not use the words “off-site,” but a disaster recovery plan (45 CFR § 164.308(a)(7)(ii)(B)) that keeps the backup beside the original data store cannot survive a fire, flood or theft that takes both copies at once.
Safeguards must continue in disaster recovery mode
Per 45 CFR § 164.308(a)(7)(ii)(C), the emergency mode operation plan must keep protecting the security of ePHI while critical business processes continue in emergency mode. A disaster does not suspend the safeguards.
You must encrypt (or destroy) your data at rest
HITECH does not order encryption outright, but it defines “unsecured protected health information” as PHI that is not secured through a technology or methodology specified by HHS (Title XIII, § 13402(h)), and the HHS guidance names encryption and destruction as the only methods that render PHI unusable, unreadable or indecipherable to unauthorized individuals. Data at rest (that is, not being transmitted) that is neither encrypted nor destroyed is therefore “unsecured,” and a breach of it triggers the breach notification requirements.
Written procedures must be in place
Having written policies and procedures (45 CFR § 164.316(a)) and documentation of them (45 CFR § 164.316(b)(1)) is a huge part of data security. Every employee must know these policies and procedures and their own role in them.
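The backup, restore and restore-test requirements above (“retrievable exact copies,” “restore any loss of data,” “periodic testing”) come down to one verifiable procedure: record a hash of every file when the backup is taken, restore the backup somewhere disposable, and compare. The script below is an added example written for this article, not CompuCorp’s code or any product’s, and uses only the Python standard library. The function names, the sample “patient” files and the archive names are constructed for the demonstration; the `skip` parameter simulates a backup agent that silently misses a file (a locked file, for instance), which is exactly the failure a restore test must catch. Encrypting the archive at rest is deliberately left to the backup product or a separate tool, since the standard library ships no suitable cipher; the integrity check here runs on the restored plaintext.

```python
"""Backup with a SHA-256 manifest, plus a restore test that proves the copy is exact.
Added example (not the article's or CompuCorp's code); standard library only."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large records do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source_dir: Path) -> dict:
    """Map every file under source_dir (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(source_dir).as_posix(): sha256_file(p)
        for p in sorted(source_dir.rglob("*"))
        if p.is_file()
    }


def create_backup(source_dir: Path, archive: Path, skip=()) -> dict:
    """Write a .tar.gz of source_dir and return the manifest taken at backup time.
    `skip` (hypothetical) models an agent that silently leaves files out of the archive."""
    manifest = build_manifest(source_dir)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            if rel in skip:
                continue
            tar.add(source_dir / rel, arcname=rel)
    return manifest


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore into a scratch directory and compare it with the manifest.
    Returns a sorted list of problems; an empty list means the restore test passed."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        scratch = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The "data" filter rejects absolute paths and '../' members,
                # so a tampered archive cannot write outside the scratch directory.
                tar.extractall(scratch, filter="data")
            except TypeError:  # Python builds that predate the filter argument
                tar.extractall(scratch)
        restored = build_manifest(scratch)
        for rel, digest in manifest.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"content differs after restore: {rel}")
        for rel in restored:
            if rel not in manifest:
                problems.append(f"unexpected file in restore: {rel}")
    return sorted(problems)


def run_demo() -> tuple:
    """Constructed sample data: a tiny fake record store. Returns (clean_result, broken_result)."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "ehr"
        (src / "patients").mkdir(parents=True)
        (src / "patients" / "0001.json").write_text('{"id": 1, "note": "constructed sample"}')
        (src / "patients" / "0002.json").write_text('{"id": 2, "note": "constructed sample"}')
        (src / "audit.log").write_text("2024-01-01 login user=dr_smith\n")

        # A complete backup: the manifest is stored beside the archive for later restore tests.
        good = work / "good.tar.gz"
        manifest = create_backup(src, good)
        (work / "good.manifest.json").write_text(json.dumps(manifest, indent=2))
        clean = verify_restore(good, manifest)

        # A backup that silently skipped one record: the restore test must report it.
        bad = work / "bad.tar.gz"
        manifest_bad = create_backup(src, bad, skip={"patients/0002.json"})
        broken = verify_restore(bad, manifest_bad)
        return clean, broken


if __name__ == "__main__":
    clean, broken = run_demo()
    print("complete backup:", "PASS" if not clean else clean)
    print("incomplete backup:", broken)
```

Run the restore test on a schedule (the rule’s “periodic testing”), against the off-site copy rather than the one next to the server, and keep the output with the contingency-plan documentation; a backup job that reports success while the manifest comparison fails is precisely the gap § 164.308(a)(7)(ii)(D) exists to expose.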
How CompuCorp Can Help You
As a leader in the IT Managed Services industry, CompuCorp has helped many healthcare providers and medical practices with their data security and HIPAA compliance.
Our encrypted email service, secure cloud computing, and robust data hosting and backup services give you everything you need to keep your patients’ ePHI safe and secure. We also offer both remote and on-site support should trouble arise.
Contact us here or call us at 614-245-2224 to see how we can help you.