Any company working with electronic medical records (EMR) and electronic protected healthcare information (ePHI) needs to consider the two core aspects of the Health Insurance Portability and Accountability Act (HIPAA) compliance: privacy and security. The HIPAA Privacy Rule, Security Rule, and Breach Notification Rule regulate compliance standards as they relate to Covered Entities (CEs) and Business Associates (BA). While this might make your head spin, asking a backup provider these 6 questions can help you determine if they’ll be able to provide HIPAA compliant hosting to protect your patients’ information.
1. Does your cloud service have end-to-end encryption?
HIPAA compliance requires “a reasonable and appropriate safeguard in [the] practice environment to safeguard the confidentiality, integrity, and availability of ePHI.” While this doesn’t necessarily mean data encryption, HIPAA does recommend end-to-end encryption as a technical safeguard against data security risks. End-to-end encryption means the data you backup cannot be read or compromised during transit to the cloud. This allows your patients’ private medical information to remain private. Nordic Backup provides end-to-end encryption so that all of your files are securely encrypted on your computer before they are uploaded over the internet, insuring privacy comes first for your cloud storage solutions.
2. Does your cloud service provide file history and recovery?
Risk management is a large part of staying HIPAA compliant. Of the five security components to risk management, technical vulnerabilities are easiest to address with a cloud storage system. One vulnerability could be that you don’t have measures in place to protect electronic patient data from improper changes. Luckily, this is mitigated through a file history and recovery program, like Nordic Backup provides. The previous file version retention allows for extended time between when a file is changed or deleted from your computer and when it is modified or removed from your backup. Some backup providers will give you a standard 30-day window of previous file versions to pull from. But in the event that you don’t realize a change or deletion has occurred until much later (which is often the case with viruses), it’s best to find a backup provider who offers a standard 60 to 90 day window. If it’s offered, an unlimited and adjustable retention program, like Nordic Backup’s, will provide even more flexibility and recoverability for when data is improperly changed–either by accident or malicious intent.
3. Does your cloud service prevent unauthorized users?
HIPAA has strict regulations as to who can access your patients’ ePHI and EMRs. To keep your patient’s information away from unauthorized viewers, HIPAA suggests putting your server in a locked room accessible only to authorized staff. With a cloud storage service like Nordic Backup, your data is stored in multiple data centers around the world on redundant servers with redundant storage systems. All of these data centers are equipped with multiple levels of access control, including alarms, armed guards, video surveillance, gated perimeter, and locked server cabinets. Even the data itself is protected with a private encryption key (secure user IDs and passwords with role-based access), so none of your backup data will be accessed by unauthorized users.
4. Does your cloud service support third-party audits?
Part of HIPAA enforcement activities is the Office for Civil Rights HIPAA Audit Program which analyzes processes, controls, and policies of selected CEs. As a technical safeguard, your cloud storage services should create audit logs to monitor users and other EHR activities. For example, each year the Nordic Backup data centers complete an SSAE 16 Type 2 audit, which is the strictest audit of its kind for service organization controls and certifies that year after year our facilities and procedures are top notch. The American Institute of Certified Public Accountants has developed this audit as the de facto third-party internal control reporting framework for all service organizations.
5. Does your cloud service sign a Business Associate Agreement?
HIPAA defines Business Associate as a person or entity that performs functions or activities involving the use or disclosure of PHI on behalf of, or for, a CE. This means companies that support any medical practice through cloud computing/storage or secure physical storage facilities are most likely among your practice’s BAs. To be sure the partnership between CEs and BAs stays HIPAA compliant, a Business Associate Agreement should be drafted. In this document, confirm any planned additional capabilities that you need or that your backup provider is responsible for providing. In one simple email, Nordic Backup will create an agreement for you to assure you meet HIPAA compliance.
6. Does your cloud service retain patient information long-term?
HIPAA regulations suggest that practices backup data on at least one site away from the office as a part of your contingency plan if something goes wrong. HIPAA’s Guide to Privacy and Security of Electronic Health Information says to test your backup system to confirm you can retrieve your data backups when needed. Nordic Backup runs quietly in the background and sends you an email to let you know how it’s doing so you never worry. Plus, no matter what happens to your data, it’s simple for you to retrieve it in just a few clicks. State laws require you to store medical records for a specified number of years–you can find your state’s specific retention length here. Using a customized Nordic Backup solution, your data retention limits can be adjusted to keep your data for however long you need.
Finding HIPAA compliant hosting can seem like a daunting task with all the rules regulating the privacy and security of your patients’ information. Asking yourself these six simple questions before settling on a cloud backup service can save your practice time, money, and unnecessary headaches. With Nordic Backup, HIPAA compliance is standard with our Small Business and Server Pro plans, so you can feel safe knowing your patients’ information will never be breached or lost. To get started, find the backup plan that fits the needs of your practice.
