We have built on Azure a secure, industry-compliant solution. The HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
Patient privacy continues to be a topic of concern as technology evolves. Now that the majority of patient information has been transferred to digital format, the healthcare IT industry realizes that it is exposed to certain risks. These risks include disasters that may cause physical damage to the servers and/or computers that store patient information. Prior to the institution of the Health Insurance Portability and Accountability Act (“HIPAA”) by Congress in 1996, there were no universal standards in place to identify whether a healthcare provider was properly securing patient information. HIPAA was designed to promote the confidentiality and portability of patient records, as well as to develop data security standards for consistency in the healthcare industry. Under this act, organizations adhere to HIPAA compliance standards for protecting their systems, and patients can feel confident that their personal medical information will remain private.
The HIPAA Security Final Rule, the last of the three HIPAA rules, was published in the February 20, 2003 Federal Register with an effective date of April 21, 2003. Most Covered Entities (CEs) had two full years – until April 21, 2005 – to comply with these standards. Many CEs, including providers, are still not in compliance. As a result, the 2009 HITECH Act increased the penalties for non-compliance with the HIPAA rules. The more recent HIPAA Omnibus Final Rule has expanded the notification requirements and penalties that providers are liable for in relation to PHI (Personal Health Information) breaches, and has extended HIPAA coverage so that it applies to Business Associates (BAs) as well.
What is the Security Rule intended to protect?
The Security Rule applies to protected patient health information in electronic formats. This is patient information that is transmitted by electronic media or maintained on electronic media. HIPAA compliance data storage rules are meant to:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information the “Covered Entity” creates, receives, maintains, or transmits
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under “subpart E of this part” (the Privacy Rule)
- Ensure compliance with this subpart by its workforce
Here’s what the HIPAA Security Final Rule means to you as a CE:
- It’s not optional: All CEs, including medical practices, must securely back up “retrievable exact copies of electronic protected health information” (CFR 164.308(7)(ii)(A)).
- Your data must be recoverable: Why else are you backing it up? You must be able to fully “restore any loss of data” (CFR 164.308(7)(ii)(B)).
- You must get your data offsite: As required by the HIPAA Security Final Rule (CFR 164.308(a)(1)). How could one defend a data backup and disaster recovery plan that stored backup copies of ePHI in the same location as the original data store?
- You must back up your data frequently: As required by the HIPAA Security Final Rule (CFR 164.308(a)(1)). In today’s real-time transactional world, a server crash, database corruption, or erasure of data by a disgruntled employee at 4:40 PM would result in a significant data loss event if one had to recover from yesterday’s data backup.
- Safeguards must continue in recovery mode: The same set of security requirements that applies under normal business operations must also apply during emergency mode. CEs and BAs cannot let their guard down (CFR 164.308(7)(ii)(C)).
- Encrypt or destroy: HITECH says to encrypt or destroy data at rest to secure it (Section 13402(h) of Title XIII, HITECH Act). The HIPAA Security Rule says that data being transmitted must be encrypted (CFR 164.312(e)(1)(B)). Many CEs and BAs fail in this area because tape- or disk-based backups are moved around freely, unencrypted.
- You must have written procedures for your data backup and recovery plan: Policies and procedures (CFR 164.312(b)(1)) and documentation (CFR 164.312(b)(2)(i)) are a huge part of the HIPAA Security Final Rule.
- You must test your recovery: A backup is useless if the recovery fails; the law therefore requires that you “Implement procedures for periodic testing and revision of contingency plans” (CFR 164.308(7)(ii)(D)). Unfortunately, testing tape-based or disk-based recovery can be time-consuming, so most companies rarely do it.
- Non-compliance penalties are severe: Penalties are increased significantly in the new tiered Civil Monetary Penalty (CMP) System with a maximum penalty of $1.5 million for all violations of an identical provision.
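The list above turns into a small, repeatable drill: take an exact copy, encrypt it at rest, keep a manifest of what was copied, restore into a scratch location and verify every file against the manifest. The script below is an added example written for this page; it is not code from the original article or from any Azure service. It assumes a POSIX shell with GNU coreutils (`sha256sum`), `tar`, `gzip` and OpenSSL 1.1 or later (for `-pbkdf2`). The passphrase, directory names and sample records are all constructed for the demonstration; in production the key would come from a key vault or HSM and the ciphertext would be copied offsite.

```shell
#!/bin/sh
# Added example (not part of the original page): encrypted backup plus an
# automated restore-and-verify drill, in the spirit of CFR 164.308(7)(ii)(A)-(D).
# Assumptions: POSIX sh, GNU coreutils sha256sum, tar, gzip, openssl >= 1.1.
# Passphrase file, paths and test records are constructed here for the demo.
set -eu

# Record a SHA-256 manifest of every file under $1 (relative, sorted paths)
# so a restore can later be checked against exactly what was backed up.
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | xargs sha256sum )
}

# Pack $1 into a gzip'd tar stream and encrypt it at rest with AES-256-CBC,
# deriving the key from the passphrase in file $3 via PBKDF2; write to $2.
backup_encrypted() {
    tar -C "$1" -cf - . | gzip -c \
        | openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$3" -out "$2"
}

# Decrypt and unpack backup $1 (passphrase file $2) into directory $3, then
# verify every restored file against manifest $4 (an absolute path).
# Exit status is 0 only if every file matches.
restore_and_verify() {
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$2" -in "$1" \
        | gzip -dc | tar -C "$3" -xf -
    ( cd "$3" && sha256sum -c --quiet "$4" )
}

# Full drill: back up source dir $1 into work dir $2, restore it into
# $2/restore and verify. Returns 0 on success, non-zero on any failure.
run_restore_drill() {
    src=$1
    work=$2
    mkdir -p "$work/restore"
    # Constructed passphrase; a real deployment reads the key from a vault.
    printf 'constructed-demo-passphrase\n' > "$work/pass.txt"
    chmod 600 "$work/pass.txt"
    make_manifest "$src" > "$work/manifest.sha256"
    backup_encrypted "$src" "$work/ephi.tar.gz.enc" "$work/pass.txt"
    # The ciphertext must not expose record contents in the clear.
    if grep -q "PATIENT" "$work/ephi.tar.gz.enc"; then
        return 1
    fi
    restore_and_verify "$work/ephi.tar.gz.enc" "$work/pass.txt" \
        "$work/restore" "$work/manifest.sha256"
}
```

Run `run_restore_drill /path/to/ephi /path/to/scratch` from a scheduled job and alert on a non-zero exit: that gives a dated record of each restore test for the documentation requirement, and a failing verification is caught before the backup is needed in an emergency.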