Cloud Backup Experts Discuss HIPAA Compliance

Jun 2012


Posted by Pavan Vyas

I had the opportunity to attend a breakout session titled “Becoming a HIPAA compliant Cloud Service Provider” at the recent Asigra Cloud Backup™ Partner Summit. Moderated by Marc Staimer, President of Dragon Slayer Consulting, the panel discussion included Rocco Corrage of eTegrity and Rodd Ahrenstorff of Dakota Backup.

The panel did a fantastic job of providing the audience with a summary of the legislation, ways to identify if HIPAA applies to a particular customer, ways and means to ensure HIPAA compliance, and the impacts of a data breach.

The discussion began with an introduction to the rule itself, the Health Insurance Portability and Accountability Act of 1996. Marc, Rodd and Rocco spoke about the key constituent parts of the legislation enacted to ensure the integrity, validity, and security of health information. The panel also spoke about other legislation that has modified or qualified the HIPAA Act, including the American Recovery and Reinvestment Act (ARRA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act).

Rodd and Rocco then educated the audience on how to identify customers who need to be HIPAA compliant, defining key concepts such as “covered entity” (health plans, health care clearinghouses, or healthcare providers) and “business associate” (an entity that helps the covered entity perform a function governed by HIPAA). They then went on to define other terms that are often heard in HIPAA related conversations such as “required” and “addressable” regulations, business associate agreement, the privacy and security rules, electronic health record (EHR), Electronic Data Interchange (EDI) and Protected Health Information (PHI). The key message to all in the room was that if there was even as much as a single electronic health record (EHR) stored on the online storage of the backup provider, then that provider was a business associate and needed to be HIPAA compliant.

Many in the audience understood for the very first time that they were business associates (as they had been providing backup services to covered entities) and therefore needed to be compliant with HIPAA to avoid penalties and indictment. The panel cautioned the audience that it was the responsibility of each service provider to ensure that they are well aware of the regulation and compliant with its requirements. Rodd had a word of warning for all the attendees. “Just because you did not read or understand the law, does not at all mean that you are off the hook”, he opined.

The conversation then turned specifically to backup and the requirements for a HIPAA compliant backup provider. The panelists spoke of three elements of security that the law defines:

  1. Technical – technology requirements for encryption, deletion, and destruction of data
  2. Physical – requirements related to securing physical infrastructure such as locks, secure access areas, etc.
  3. Administrative – requirements related to the onboarding and separation of employees, password policies, documentation, etc.

The good news to all in the audience was that from a technical perspective, the Asigra solution helped satisfy all the requirements for HIPAA. This included the third party NIST FIPS 140-2 certification, encryption, the autonomic healing and validation restore capabilities that ensure that data is forever recoverable, the fact that all the data in the offline storage is in an encrypted and compressed format, the hardware checks between the DS-Client and DS-System at the time of restores, and the fact that the data can only be accessed by a person who holds the encryption keys used to encrypt the information.

The panel went on to discuss the ways that backup service providers can ensure that they are compliant with the physical and administrative requirements for HIPAA compliance. To a question from the audience on whether a SAS 70 / SSAE 16 certification was necessary, the panel opined that though this was not a necessary requirement, it helped to have the certification. Rocco clarified, “Remember what the rule says – take into account the size of your company and your technical requirements. There is no silver bullet. You have to do what is right for you”.

The attention then turned to backup and recovery best practices. Rodd warned the audience that the key was to be able to restore the information for six years beyond the last edit of any information. “This means that for most patients, data has to be kept to eternity”, he said. Rodd mentioned that there were three key elements to ensure HIPAA compliance from a backup standpoint:

  1. A data backup plan
  2. A disaster recovery plan
  3. Emergency mode operations plan

In a nutshell, these three plans ensure that the backup provider has the policies, procedures, and infrastructure in place to restore any information that is currently stored in its storage infrastructure. Rocco quoted the rule, stating that the regulation requires the ability to “maintain an exact copy of the data”. The panel reminded the audience that restorability was a key requirement and therefore recommended periodically testing the recovery of data. To a question on how often restores should be performed, the panel indicated that a period of around a year or thereabouts would be a good empirical rule to follow.
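The two practices above (keeping an exact copy and testing restores roughly once a year) are easy to state and easy to let slip. The following script is an added example, not code from the post or from Asigra, of how a backup provider might automate both checks: it records a SHA-256 manifest of a backup set, compares a test restore against that manifest so that any corrupted, missing or stray object is reported, and computes the six-year retention deadline and whether the last restore test is overdue. The file names, payloads and dates are constructed for the demo; the function names and the 365-day test interval are this example's own choices.

```python
"""Restore-verification and retention checks for a backup set (added example)."""
import hashlib
import tempfile
from datetime import date, timedelta
from pathlib import Path

RETENTION_YEARS = 6               # keep data six years past the last edit
RESTORE_TEST_INTERVAL_DAYS = 365  # panel's rule of thumb: test restores about yearly


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup objects need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 at backup time."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict[str, str], restored_root: Path) -> list[str]:
    """Compare a restored tree with the backup-time manifest.

    Returns a list of findings; an empty list means the restore is an exact copy.
    """
    findings = []
    restored = build_manifest(restored_root)
    for rel, expected in manifest.items():
        actual = restored.get(rel)
        if actual is None:
            findings.append(f"missing: {rel}")
        elif actual != expected:
            findings.append(f"changed: {rel}")
    for rel in restored:
        if rel not in manifest:
            findings.append(f"unexpected: {rel}")
    return findings


def retention_deadline(last_edit: date) -> date:
    """Earliest date a record may be destroyed: six years after its last edit."""
    try:
        return last_edit.replace(year=last_edit.year + RETENTION_YEARS)
    except ValueError:  # 29 February with no counterpart six years on
        return last_edit.replace(year=last_edit.year + RETENTION_YEARS, day=28)


def restore_test_overdue(last_test: date, today: date) -> bool:
    """True when the last successful restore test is older than the yearly interval."""
    return (today - last_test) > timedelta(days=RESTORE_TEST_INTERVAL_DAYS)


def demo() -> list[str]:
    """Constructed scenario: back up three files, restore them, then corrupt one
    and lose another, so the verifier has something to report."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        dst = Path(tmp) / "restored"
        for d in (src, dst):
            (d / "records").mkdir(parents=True)
        files = {  # constructed sample payloads, not real PHI
            "records/patient-0001.txt": b"constructed EHR payload A\n",
            "records/patient-0002.txt": b"constructed EHR payload B\n",
            "index.txt": b"constructed index\n",
        }
        for rel, data in files.items():
            (src / rel).write_bytes(data)
            (dst / rel).write_bytes(data)
        manifest = build_manifest(src)
        # Simulate a silently corrupted object and a file that never came back.
        (dst / "records/patient-0002.txt").write_bytes(b"corrupted\n")
        (dst / "index.txt").unlink()
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
    print("retention deadline for a record last edited 2012-06-15:",
          retention_deadline(date(2012, 6, 15)))
    print("restore test overdue:",
          restore_test_overdue(date(2011, 5, 1), date(2012, 6, 1)))
```

The manifest should be produced at backup time and stored separately from the backup itself; a restore that reproduces every hash is evidence of the “exact copy” the rule asks for, and a logged test date that trips `restore_test_overdue` is the reminder to schedule the next one.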

Finally, the discussion focused on what constitutes a breach under HIPAA and what the costs and impacts of a data breach are. The panel defined a breach as the “unauthorized disclosure of unsecured protected health information (PHI)”. The panel mentioned that the penalties for a breach can run into the hundreds of dollars. Marc provided the group with a quantification of the costs of remediation of a HIPAA incident – a cost of $21 per patient. The panel also highlighted the fact that the costs of a data breach went far beyond the monetary impacts. This included the huge reputational risk of a HIPAA data breach, as the service provider was listed on the “Wall of Shame” on the Health and Human Services website.

As the discussion drew to a close, Rodd left the audience with the thought – “Make sure that you have all your ducks in a row as you go through providing your service. Remember that you are responsible for HIPAA compliance”.


Thanks for sharing. Your post is a useful contribution.
