It was only mid-May, months away from the official start of fire season here in San Diego, but it was clear we’d have to evacuate soon. Wind-whipped flames ripped through the brittle brush on the hillside less than a quarter mile from our backyard, and my wife and I scrambled to carry to the car things we wanted to save. Photo albums. One-of-a-kind mementos. Important documents. And our computers.
We were lucky we were at home when the police came through the neighborhood telling everyone, “Leave now!” Lucky, too, that the fire stopped short of the back wall that wraps around our subdivision. Had we not been home and had the blaze continued, chances are we would have lost everything, including all the data on our personal computers.
In the months since, I’ve thought about that a lot. I’m thinking about it again as I get ready to share some thoughts on steps you can—and must—take in order for your healthcare practice to be able to survive a disaster involving the loss of Protected Health Information (PHI).
Lost-data disasters and HIPAA compliance
There are all sorts of ways a practice can suffer a loss of data: human error, hard-drive failure, a computer virus, or equipment damage due to fires, floods, earthquakes, hurricanes, or tornadoes. If any of those things were to happen, ask yourself this: Would you and your staff be able to retrieve your patients’ Protected Health Information (PHI)? If your computers died, would your practice be able to survive? Would you be able to schedule appointments, submit insurance claims, access test results?
What you need to know about data backup
Data backup is absolutely essential to the life of your practice. Here’s what the HIPAA Security Rule says about it:
- Data backup is not optional. The HIPAA Security Rule says that you must securely back up “retrievable exact copies of electronic health information.”
- You must be able to restore any loss of data. After all, if you can’t recover your data and your patients’ Protected Health Information, what’s the point of backing it up?
- Your backed-up data must be stored offsite. It doesn’t make sense to keep backup copies in the same place you have your ePHI. An E5 tornado or roaring brush fire could wipe out everything all at once—copies as well as original data.
- You must back up your data frequently. A pre-determined schedule works best and ensures that this component of HIPAA compliance is not left to “whenever.”
- You must have written procedures related to your data backup and recovery plan. Documentation of these policies plays an important role in HIPAA compliance.
- You must test your recovery. There’s no room for guesswork here. The HIPAA Security Rule requires that you “implement procedures for periodic testing and revision of contingency plans.”
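The first and last points above (exact copies, and a recovery that is actually tested) can be turned into a routine drill. The following is an added example, not code from the post: it archives a directory, records a SHA-256 hash for every file, restores the archive into scratch space and reports any file that is missing or differs. The sample practice files it creates are constructed stand-ins, and encryption and offsite transfer of the archive are assumed to happen separately.

```python
# Added example: a backup drill for "retrievable exact copies" and "test your recovery".
import hashlib, json, tarfile, tempfile, time
from pathlib import Path
from typing import List


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def backup(source: Path, dest_dir: Path) -> Path:
    """Archive every file under source and record each file's SHA-256 beside it."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / time.strftime("phi-backup-%Y%m%dT%H%M%S.tar.gz")
    manifest = {"created": time.time(), "files": {}}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest["files"][rel] = sha256_of(p)
                tar.add(p, arcname=rel)
    # The manifest is the reference a later restore test is checked against.
    Path(f"{archive}.manifest.json").write_text(json.dumps(manifest))
    return archive


def restore_and_verify(archive: Path) -> List[str]:
    """Restore into scratch space; return files missing or differing from the manifest."""
    manifest = json.loads(Path(f"{archive}.manifest.json").read_text())
    failures = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch)
        for rel, expected in manifest["files"].items():
            restored = Path(scratch) / rel
            if not restored.is_file() or sha256_of(restored) != expected:
                failures.append(rel)
    return failures  # empty list == recovery test passed


def run_recovery_test(corrupt: bool = False) -> List[str]:
    """Drill on constructed sample files (no real PHI); corrupt=True simulates a damaged copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "practice", Path(tmp) / "offsite"
        (src / "schedule").mkdir(parents=True)
        (src / "schedule" / "2024-05.csv").write_text("date,patient_id,room\n")
        (src / "claims.json").write_text('{"pending": []}\n')
        archive = backup(src, dst)
        if corrupt:  # alter one recorded hash so the restore must be flagged
            m = json.loads(Path(f"{archive}.manifest.json").read_text())
            m["files"]["claims.json"] = "0" * 64
            Path(f"{archive}.manifest.json").write_text(json.dumps(m))
        return restore_and_verify(archive)
```

Run `run_recovery_test()` on a schedule and treat a non-empty result as a failed contingency-plan test that needs to be written up and fixed.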
Best method for data backup?
Choices will be guided by cost, convenience, ease of use, and the amount of data to be backed up. Storing data to tapes, disks, or external hard drives and then keeping those items in a secure place away from your office is one possibility. The danger there is that if that media is lost or stolen, at rest or in transit, and the data on it hasn’t been encrypted, it’s a serious violation of the HIPAA Security Rule, grounds for large fines, and a threat to your practice’s solvency and reputation.
Another possibility for backing up ePHI is to use a data-backup service. The advantages to this include off-site storage, plus automatic backup and encryption, not to mention fewer hassles and headaches.
When dealing with the prospect of disaster, plan for the worst. Hope for the best. And always—always—back up your data and your patients’ Protected Health Information.