HIPAA

HIPAA (Health Insurance Portability and Accountability Act) compliance is often stated but rarely elaborated on by companies seeking to assure potential customers that the services they offer meet Federal regulations. As President Obama's administration moves to bring our health care system into the twenty-first century, new scrutiny will be placed on the health care industry. Entities with a lukewarm implementation of HIPAA may find themselves open to all sorts of problems, including class action litigation and malpractice suits based on their poor adoption of the HIPAA Security Rule.

The creation of HIPAA in 1996 required the Department of Health and Human Services (HHS) to establish national standards for the security of electronic health care information.  The final rule adopting HIPAA standards for security was published in the Federal Register on February 20, 2003. This final rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information. The standards are delineated into either required or addressable implementation specifications.

The National Institute of Standards and Technology (NIST) publishes “Recommended Security Controls for Federal Information Systems” and “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule” (SP 800-66 Rev. 1). These two documents form the backbone of what should be done to implement a security program that meets the accepted “best practices” of the industry's security standards.

We want to give you a clear understanding of the regulations and the parameters you should implement and use to determine whether a provider's solution meets the full spirit of HIPAA.

We will focus on the sections of the Administrative Safeguards and Physical Safeguards of the HIPAA Security Rule that pertain to the data backup and data storage services we offer. Specifically, these sections are:

  • Security Management Process section 164.308(a)(1)
  • Contingency Plan section 164.308(a)(7)
  • Device and Media Controls section 164.310(d)(1)

HIPAA Risk Assessment Requirements

Standard 164.308(a)(1)(i), Security Management Process, requires covered entities to:

Implement policies and procedures to prevent, detect, contain, and correct security violations.

  1. Scope the Assessment. The first step in assessing risk is to define the scope of the effort, resulting in a general characterization of the information system, its operating environment, and its boundary. To do this, it is necessary to identify where EPHI (Electronic Protected Health Information) is created, received, maintained, processed, or transmitted.

    The scope of a risk assessment should include both the physical boundaries of a covered entity’s location and a logical boundary covering the media containing EPHI, regardless of its location. Ensure that the risk assessment scope takes into consideration the remote work force and telecommuters, as well as removable media and portable computing devices (e.g., laptops, removable media, and backup media).

We find risk assessment to be one of the items least likely to be addressed or properly implemented by health care providers. Let's face it: your doctors, nurses and technicians are not necessarily computer geeks. While risk assessment covers many points, we will confine ourselves to looking at this area with respect to the use of backup media.

Most health care providers feel that when deciding on a backup plan they only need to choose an off-site solution where the data is encrypted, and that is the end of the story. The truth is far more involved. You need to ensure that the media on which the data is going to be backed up meets certain safety considerations. Most companies that claim they are HIPAA compliant use tape as their backup media. There are two main concerns with the use of tape as a backup medium. The first is that tape can easily break, causing the stored information to become irretrievable. The second is that tape is more readily misappropriated. In the HIPAA Security Guidance section on removable “devices and tools”, it states that there is a growing concern with tapes as backups because of their vulnerability, and it lists the following examples: “…USB Flash Drives and Memory Cards; floppy disks; CDs; DVDs; backup media”.

Some risk assessment questions you should ask if your solution provider uses tape are:

Q. Does an audit trail exist for the movement of the tape within the facility?

At Giga Vault Storage all of your data is encrypted and stored on high-speed, high-capacity disk, NOT TAPE. With tape backup, someone can simply remove the tape from the server and exit the building if the proper security measures are not in place. Our data centers are all secured, and a detailed audit trail exists for all use of our servers, as well as for maintenance access.

Q. If there is a need to restore lost data, is the tape available on demand or is it archived?

At Giga Vault Storage your data is always immediately available to you through our software interface, unlike tape backup systems, which often archive the tapes of previous backups. With us, your backups reside on redundant hard disk drives that can be accessed within seconds, allowing you to quickly download the file you need to restore.

Contingency Plan (164.308(a)(7))

HIPAA Standard: Establish policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
The parts of the Contingency Plan section that deal specifically with data backup, which HIPAA requires all “covered entities” to implement, are:

(A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.

(B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.

HIPAA specifically states that “data backup” and “disaster recovery” plans are required in order for a covered entity to achieve HIPAA compliance. For details on meeting this requirement, the HIPAA Security Rule refers to the NIST SP 800-53 security controls mapping, controls CP-6 and CP-9, found in the NIST publication “Recommended Security Controls for Federal Information Systems”. Specifically, it says:

“The organization identifies an alternate storage site that is geographically separated from the primary storage site so that it will not be susceptible to the same hazards.”

“The organization employs appropriate mechanisms (e.g., digital signatures, cryptographic hashes) to protect the integrity of information system backups.”

To be HIPAA compliant with your backups and have a viable disaster recovery policy, an alternate location must be used for storing the backup data. The days of doing your own tape backups in house and storing them in a fireproof cabinet are over. One must also ensure that the data is protected from unwarranted disclosure or viewing by unauthorized parties by encrypting the data.
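The CP-9 integrity control quoted above is easy to state and easy to skip. The following is an added example, not Giga Vault Storage's software or any NIST code: it records a SHA-256 digest for every backup file in a manifest, seals the manifest with an HMAC key (a stand-in for the digital signature the control mentions; the key and the sample "backup" files are constructed for the demo), and on restore reports any file whose contents no longer match, so a silently corrupted or altered copy is caught before it is trusted as an "exact copy".

```python
import hashlib
import hmac
import json
import os
import tempfile
def file_sha256(path):
    """Stream the file so large backup images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(paths, key):
    """Per-file SHA-256 digests plus an HMAC over the digest list, so whoever can
    rewrite a backup file cannot also rewrite its recorded hash without the key."""
    files = {os.path.basename(p): file_sha256(p) for p in sorted(paths)}
    payload = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "hmac": hmac.new(key, payload, hashlib.sha256).hexdigest()}

def verify_manifest(manifest, directory, key):
    """Return names of files that fail verification (empty list means all intact).
    A bad manifest HMAC is reported as '<manifest>' and stops further checking."""
    payload = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return ["<manifest>"]
    bad = []
    for name, digest in manifest["files"].items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or file_sha256(path) != digest:
            bad.append(name)
    return bad

def demo():
    """Constructed sample: two 'backup' files, one corrupted after the manifest
    was written. Returns (failures before corruption, failures after)."""
    key = b"constructed-demo-key-not-for-production"
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, data in (("ehr-2024-01.bak", b"patient records ..."),
                           ("ehr-2024-02.bak", b"more records ...")):
            paths.append(os.path.join(d, name))
            with open(paths[-1], "wb") as f:
                f.write(data)
        manifest = build_manifest(paths, key)
        clean = verify_manifest(manifest, d, key)
        with open(paths[1], "r+b") as f:  # flip one byte: bit rot or tampering
            f.write(b"M")
        return clean, verify_manifest(manifest, d, key)
```

The manifest should be stored with the off-site copy and the HMAC key kept separately from it, otherwise the seal proves nothing.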

The general guidelines a covered entity must follow to be compliant with the HIPAA Security Rule are as follows:

  1. Ensure the confidentiality, integrity and availability of all electronically protected health information the covered entity creates, receives, maintains or transmits.
  2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required.
  4. Ensure compliance by the workforce.

Giga Vault Storage remote backup and off-site data storage will help you meet the requirements of the HIPAA Security Rule by doing the following.

  1. Encryption of data during backup: All data being backed up is encrypted with 448-bit Blowfish encryption prior to transfer and can be sent through a secure 128-bit SSL tunnel to the Giga Vault Storage data centers. All data on our servers remains encrypted and cannot be viewed or decrypted by any of our personnel.
  2. Physical security: Giga Vault Storage servers are located in World Class Data Centers protected by gated perimeter access, 24 x 7 x365 on-site staffed security and technicians, electronic card key access, and strategically placed security cameras inside and outside of the building.
  3. Remote/off-site backup: Giga Vault Storage uses an automated software package to perform off-site backup and is a key component in any disaster recovery plan as protection against hardware failure, deletion, natural disaster, and malicious acts such as theft or virus attack.
  4. On-demand access: Backed up data may be accessed via the password-protected, web-based administrative interface by supplying a valid encryption key.
  5. Contingency Plan: We can also assist you in developing a contingency plan covering both disaster recovery and data backup protocols. The HIPAA Security rule requires that covered entities have a written contingency plan for responding to system emergencies, including a detailed plan concerning the data backup and recovery process in the event of a disaster.

Note: There is no standard "HIPAA certificate of compliance" for backup software and services. For more information about HIPAA and HIPAA compliance, contact your legal counsel or refer to the HIPAA section of the U.S. Department of Health and Human Services' website: http://www.hhs.gov/ocr/hipaa/
