In developed countries around the globe, healthcare is well on its way to going completely digital. Personal electronic health records that provide a holistic, always-accessible view of a patient’s medical history are becoming the norm. As the quantity of this very sensitive data has grown exponentially over the last decade, the market for the IT systems that capture, store, and retrieve electronic medical records has grown to $25 billion and is expected to increase by 13.4% a year in the foreseeable future.
Why HIPAA was Enacted—and Why You Must ComplyThe Health Insurance Portability and Accountability Act, or HIPAA, became a law in 1996. As its name suggests, its main objective is to streamline and improve healthcare by making a patient’s medical records accessible across the entire range of healthcare providers (portability), while ensuring that the information is kept private and secure during transmission and in storage (accountability). The enactors of HIPAA understood that, if electronic medical records are to become the norm, it is absolutely critical that they be stored securely and retrievable at all times. Thus, the HIPAA Security Rule set standards to be met by all healthcare providers and organizations (“covered entities”). A covered entity is required to appoint a Security Manager who is responsible for the development and implementation of data backup, disaster recovery (DR), and Emergency Mode Operation plans. These plans, together, put into place the administrative, physical, and technical processes and procedures that will ensure health data can be recovered and healthcare services provided in the case of an IT disaster. Compliance with the HIPAA Security Rule has been compulsory since April 2005 and, since July 2009, has been enforced by the Office of Civil Rights (OCR) of the Department of Health & Human Services. The OCR investigates complaints and conducts reviews. In 2016, non-compliant covered entities paid fines of $23.5 million, ranging from $25,000 to over $5 million.
The 4 Essential Components of a HIPAA-compliant DR PlanPutting aside for the moment the threat of noncompliance sanctions as a prime motivator for HIPAA compliance, an equally important reason to comply with HIPAA’s Security Rule is that it is good business practice. No organization, large or small, is immune to man-made or natural disasters that can endanger its mission-critical data and IT processes. The cost in terms of lost revenues, lost productivity, and damage to reputation can be considerable. According to Ray Lucchesi, a veteran data management consultant, a HIPAA-compliant DR plan should include at least the following four essential components:
- Disaster declaration: Clearly specify who makes the decision that a given event or situation will trigger the organization’s disaster recovery measures, and by which criteria.
- Disaster list: A DR plan cannot take into account every type of possibly disastrous event. It is important to focus the plan on the high-impact events that are most likely to occur to your particular organization.
- Health data retrieval: HIPAA’s Security Rule mandates a separate Data Backup plan that clearly describes the frequency, type, and locations of health data backups and/or system replication. The DR plan should reference the Data Backup plan, and clearly specify how the backed up electronic medical records are going to be retrieved — and in what priority — in the event of a disaster. See the section below on how public cloud-based automated backup and DR solutions are being leveraged to ensure HIPAA compliance.
- Alternate site: The DR plan must take into account both retrieving lost electronic medical records, as well as the activation of an alternate site for the entire health IT operation until the disaster is resolved. The DR plan must clearly outline those site activation procedures, including who is responsible for what. If the organization’s health data and IT operations are on-premises, the alternate site must be capable of securely deploying sufficient servers, switches, and storage hardware. If the organization’s health IT system takes place fully or partially in the public cloud, resuming operations from an alternate site becomes much simpler.