HIPAA Cloud Storage: The Dos and Don’ts of Compliance

Electronic storage options are taking increasing precedence over paper records in business environments — and medical offices are no exception. With the switch over to electronic patient health records (ePHI), medical practitioners must consider how they’ll keep HIPAA-protected, digital patient records safe. Among the options that come to mind, cloud storage is a popular consideration.

When it comes to HIPAA cloud storage options, there are many misconceptions, and many dos and don’ts. To avoid the worst-case scenario of your practice’s protected health information being deleted or lost, it’s important to have a comprehensive digital storage plan for all HIPAA-protected information. Keep these HIPAA cloud storage dos and don’ts in mind as you formulate your plan:

DO:

Know your state’s retention lengths — first and foremost, before you begin any storage plan, it’s important to learn your state’s mandated PHI retention lengths. Every state is different. Depending on your state’s regulations, you may even have to keep patient medical records for the lifetime of a patient. Your mandated retention lengths will help dictate which type of cloud solution you need. Hint: If you can’t afford to have a record become lost or deleted for the entirety of a patient’s lifetime, you’ll absolutely need to invest in unlimited, scalable storage and round-the-clock backups.

Consider other “cloud” options — cloud storage has its limitations. It’s common for businesses that think they need “cloud storage” to actually be in need of cloud backup. Get to know the differences and similarities between the two before you choose which one you’ll use to retain your PHI.

Limit sharing/have sharing restrictions — HIPAA regulations are strict about who can access and view ePHI. Because of this, certain cloud options have come under scrutiny for the not-so-stringent visibility that they offer. Traditionally, cloud storage has been used to give teams access to view and modify documents. However, when careful consideration is not given to each user’s permissions and access, these sharing settings can be dangerous to the integrity of ePHI. For example, if too many changes (or an accidental change) are made to a record, the original document and its accuracy can be jeopardized. Likewise, it’s easy to grant access to users who should not be granted access, which may violate HIPAA standards.

Have a continuously running program — cloud storage plans may allow for a secondary storage location for your data, but they may not always keep your ePHI safe from loss and deletion. It’s still possible that an employee will accidentally change or delete a file, or that they will forget to add an important document to cloud storage, leaving it vulnerable to deletion. These scenarios make continuous, automatic cloud backup software a must-have. You want your storage solutions to be “continuous” — that is, always updating and always backing up newly created and changed files. If you have a shared file among your core group and one or more of you make changes to the file, you need a continuous cloud solution which will keep a record of those changes and make sure that everything remains saved (and can therefore be undone). Additionally, continuous, automatic cloud backup programs eliminate the human error portion of cloud storage — such as forgetting to manually store or back up a file or system.

Use a universal solution — From smaller servers to larger databases, you need a cloud solution that will work for you and your changing needs. Make sure that your storage partner has at least these abilities when you are shopping around for your cloud storage and backup solution.

Ask for a BAA — a BAA, or Business Associate Agreement, is a document signed by your provider stating that they will apply all measures necessary to adhere to your standards and HIPAA standards. This document shows that your practice has done its due diligence in ensuring that you’re working with partners who do whatever it takes to help you remain HIPAA compliant and won’t mishandle the data you entrust to them.

 

DON’T:

Forget encryption — You need to make sure that your information is protected, even en route to the cloud. If you don’t see the words “end-to-end” in the cloud plan you’re considering, then it doesn’t have the level of sophistication that you need. The security of your practice’s ePHI should be paramount.

Settle on security — Although you may access it from the internet, cloud providers keep your data stored in data centers — meaning your data is only as secure as their data center is secure. When shopping around for cloud storage or backup providers, it’s important to judge their security based on how secure their data centers are. Do they have redundant power supplies? Armed guards? Biometric access control? If the partner you are engaged with isn’t ready to offer you this military-grade level of protection, then you should be looking elsewhere.

Devalue customer service — if you ever find yourself in a situation where you can’t locate a document, have lost all of the data on a device, or face any other data loss scenario, your cloud partner will be the one capable of helping you restore your data. When you are buying these security solutions, with whom are you speaking? Are you handed off to a call center where you are just another impersonal number? If your cloud partner isn’t working from its own in-house data center and assisting their customers by relying on actual employees, then you may not get the level of service you need.

One of the best names in HIPAA cloud backup solutions is Nordic Backup. Offering automatic, continuous cloud backup with military-grade security and end-to-end encryption, they have a track record of keeping ePHI safe for medical practitioners. Whether you need to keep your ePHI safe and within reach for the lifetime of the patient, or you simply need to store data in a secondary storage location for safekeeping, Nordic Backup has a solution for you.
