In developed countries around the globe, healthcare is well on its way to going completely digital. Personal electronic health records that provide a holistic, always-accessible view of a patient’s medical history are becoming the norm. As the quantity of this very sensitive data has grown exponentially over the last decade, the market for the IT systems that capture, store, and retrieve electronic medical records has grown to $25 billion and is expected to increase by 13.4% a year in the foreseeable future.
Why HIPAA was Enacted—and Why You Must Comply
The Health Insurance Portability and Accountability Act, or HIPAA, became a law in 1996. As its name suggests, its main objective is to streamline and improve healthcare by making a patient’s medical records accessible across the entire range of healthcare providers (portability), while ensuring that the information is kept private and secure during transmission and in storage (accountability).
The enactors of HIPAA understood that, if electronic medical records are to become the norm, it is absolutely critical that they be stored securely and retrievable at all times. Thus, the HIPAA Security Rule set standards to be met by all healthcare providers and organizations (“covered entities”). A covered entity is required to appoint a Security Manager who is responsible for the development and implementation of data backup, disaster recovery (DR), and Emergency Mode Operation plans. These plans, together, put into place the administrative, physical, and technical processes and procedures that will ensure health data can be recovered and healthcare services provided in the case of an IT disaster.
Compliance with the HIPAA Security Rule has been compulsory since April 2005 and, since July 2009, has been enforced by the Office of Civil Rights (OCR) of the Department of Health & Human Services. The OCR investigates complaints and conducts reviews. In 2016, non-compliant covered entities paid fines of $23.5 million, ranging from $25,000 to over $5 million.
The 4 Essential Components of a HIPAA-compliant DR Plan
Putting aside for the moment the threat of noncompliance sanctions as a prime motivator for HIPAA compliance, an equally important reason to comply with HIPAA’s Security Rule is that it is good business practice. No organization, large or small, is immune to man-made or natural disasters that can endanger its mission-critical data and IT processes. The cost in terms of lost revenues, lost productivity, and damage to reputation can be considerable.
According to Ray Lucchesi, a veteran data management consultant, a HIPAA-compliant DR plan should include at least the following four essential components:
- Disaster declaration: Clearly specify who makes the decision that a given event or situation will trigger the organization’s disaster recovery measures, and by which criteria.
- Disaster list: A DR plan cannot take into account every type of possibly disastrous event. It is important to focus the plan on the high-impact events that are most likely to occur to your particular organization.
- Health data retrieval: HIPAA’s Security Rule mandates a separate Data Backup plan that clearly describes the frequency, type, and locations of health data backups and/or system replication. The DR plan should reference the Data Backup plan, and clearly specify how the backed up electronic medical records are going to be retrieved — and in what priority — in the event of a disaster. See the section below on how public cloud-based automated backup and DR solutions are being leveraged to ensure HIPAA compliance.
- Alternate site: The DR plan must take into account both retrieving lost electronic medical records, as well as the activation of an alternate site for the entire health IT operation until the disaster is resolved. The DR plan must clearly outline those site activation procedures, including who is responsible for what. If the organization’s health data and IT operations are on-premises, the alternate site must be capable of securely deploying sufficient servers, switches, and storage hardware. If the organization’s health IT system takes place fully or partially in the public cloud, resuming operations from an alternate site becomes much simpler.
Leverage the Cloud
Public cloud services are being increasingly embraced by even the most highly regulated industries such as finance and insurance. It is not surprising, therefore, that more and more health organizations are leveraging public cloud data storage for their electronic medical records.
In 2013, the HIPAA Omnibus Rule expanded and updated the original law. Among other provisions, it extended HIPAA security and privacy compliance responsibilities to the business associates of covered entities. As business associates, public cloud service providers partner with health organizations to ensure that their electronic medical records stored in the public cloud will comply with HIPAA requirements. For example, in April 2017, Amazon Web Services published the white paper Architecting for HIPAA Security and Compliance, with clear guidelines to covered entities as to how they can use Amazon S3 features to meet HIPAA requirements for encryption, backup, and disaster recovery.
In addition to the native solutions provided by the public cloud vendors themselves, there are excellent third-party solutions that streamline and automate the backup and recovery of data stored in the cloud—including full disaster recovery in a few mouse clicks. Cloud Protection Manager has been successfully backing an array of healthcare providers’ environments, all of whom cite that the user-friendly solution has not only helped them become HIPAA compliant but has saved them an enormous amount of time and resources that need to be dedicated to backup and disaster recovery.
Healthcare systems around the globe have embraced electronic medical records as a meaningful way to reduce costs while improving the quality of care. It is just as common today to see doctors or nurses with a tablet peeking out of their pocket as it is to see them with a stethoscope slung around their necks.
An EMC report estimated that as of 2013,153 Exabytes of healthcare data had already accumulated, with that figure expected to grow to 2,314 Exabytes by 2020. With 1 Exabyte representing 3000 times the entire contents of the Library of Congress, that’s a lot of data that must be backed up securely and recoverable, even in the case of an IT disaster. Private and public clouds will undoubtedly continue to play an ever-growing role as the healthcare industry seeks to comply with regulatory requirements such as HIPAA.