Considering the increase in extreme weather events over the past decade – and continued natural disaster increases projected for the future – what’s your data backup plan? The HIPAA Security Rule requires all Covered Entities (CEs) to draft a disaster recovery plan, by service definition, that includes what measures your agency will take in the event of a natural disaster. Are you prepared?
Federal law requires that CEs must implement protocols to safeguard – and ensure access – to electronic Protected Health Information (ePHI), including a contingency plan to secure continued availability to ePHI during emergencies or disasters.
However, ePHI isn’t accessible without use of a data processing application, such as Electronic Health Records (EHR) or Practice Management System software – which means that the data can only be recovered with those systems, and their utilization needs to be included in the contingency plan.
Most data recovery centers recapture ePHI by using either data backups or replication:
To be successful, disaster recovery depends on utilization of an alternate or secondary site. There are typically three options available:
For all three site types, servers, networking and software systems will need to be reconfigured onsite to support emergency operations.
In addition to the Data Backup Plan (securing ePHI backup and an alternate site arrangement), you must also implement a disaster recovery and emergency mode operations plan. The data backup plan creates systems to allow for the recovery of all ePHI. The disaster recovery plan establishes protocols needed to make sure ePHI can be restored in case of loss. The emergency mode operation plan provides a method for operations to continue to safeguard ePHI during an emergency.
While HIPAA disaster recovery requirements break these into two separate policies, many HIPAA compliance consultants cover both mandates with an integrated Disaster Recovery Plan (DRP). Any DRP should encompass the following:
It should also be demonstrated that any offsite repositories are far enough away from the practice location (and any other backup locations) to ensure safety in the event of a natural disaster impacting the primary site.
In addition to all of these requirements, don’t forget that changes to ePHI applications (such as EHR) can change the DRP! Regular modification and testing are necessary to ensure that you’re current and up to date. You should also periodically check for updates to DRP requirements, to ensure that you’re following the most current rules.
“Periodic plan tests and resultant corrections are vital to the continuing success of any disaster recovery. With natural disasters and security breaches occurring more frequently, the need for a practicable DRP is more essential than ever.”
See our HIPAA / 42 CFR Part 2 Resource Center for more complimentary tools.
Every EHR is different, and you should be sure to check with your vendor to get detailed specifics about how it might be able to help with organization’s disaster recovery plan. With PIMSY, your agency data is stored in the Microsoft Azure Cloud, automatically backed up, and encrypted at multiple locations. Microsoft Azure (a “hot site”) adheres to HIPAA protocols, adding another layer of compliance and security.
While every clinician is individually responsible for HIPAA compliance – and no EHR is technically HIPAA compliant – using PIMSY for your mental health software greatly increases compliance and data security, both for HIPAA and 42 CFR Part 2. While you still have to establish a DRP, the mechanics of it are taken care of simply by using PIMSY, and most of the steps listed above are fulfilled.
For details about PIMSY’s affordable, flexible, and comprehensive EHR solutions can help you meet compliance regulations, contact us: 877.334.8512, ext 1 – email@example.com
Leigh-Ann Renz is the Marketing & Business Development Director of PIMSY EHR. For more information about electronic solutions for your practice, check out Mental Health EHR.