The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its subsequent amendments were enacted to protect patient healthcare data, also known as Protected Health Information (PHI); HIPAA protections also apply to Electronic Health Records (EHR), meaning PHI stored on computers. Managed service providers (MSPs) that maintain HIPAA compliance must adhere to several stringent regulations designed to protect confidential or sensitive patient information from unauthorized access.
There are two specific criteria within HIPAA legislation that relate to data backups and data retention: the Data Backup Plan and the Retention Period. Each of these criteria contains several physical, technical and administrative safeguards which must be in place for an MSP to qualify as HIPAA compliant. These safeguards relate to what type of data is stored, how data is stored or transferred, and how long data is retained.
Data Backup Plan
HIPAA’s data backup plan criteria are essentially the rules on how a compliant MSP will back up healthcare data. The data backup plan is part of a wider contingency plan or HIPAA compliant disaster recovery strategy which will protect the healthcare organization’s data and infrastructure in the event of a major system failure or disaster situation.
HIPAA regulations require the managed service provider to implement a full backup schedule of the entire healthcare infrastructure containing patient data as well as any systems which handle any type of electronic protected health information (ePHI). Examples of such ePHI are patient details, diagnostic images, medical records, accounting information or any other relevant healthcare documentation stored digitally.
The MSP or healthcare organization must back up data frequently (at least daily) and maintain weekly, monthly and annual archives. All data is stored in a secured data center location on physical media (normally disk or tape). The backup solution must be protected by encryption and offer the following safeguards:
- Data Redundancy – Data should be securely stored in at least two separate locations, and it is often recommended to keep at least three copies of current data, for example one each for Production, UAT and DR. This can be achieved with automated site-to-site disk replication technologies such as Data Domain or other disk-based solutions, so that a like-for-like encrypted copy of the production data is replicated from site A to site B.
- Data Encryption – Any data stored in a digital format and hosted on HIPAA compliant infrastructure must be encrypted with 256-bit AES and protected by a two-factor authentication mechanism. This ensures that only the healthcare organization has access to the electronic patient information, significantly reducing the risk of unauthorized access. Common devices used for this include PKI secure cards and RSA tokens.
- Data Transfers – Any data transmitted over public networks, such as over a VPN across an internet connection or from a backup node to a public cloud provider, must be protected with 256-bit AES encryption and two-factor authentication. Encrypting the traffic in transit makes it extremely difficult for an eavesdropper to intercept and decipher any usable information.
- Data Restoration – The managed service provider must be capable of restoring backup data to its original location or to a new one. This process of continuous data protection (CDP) must be regularly tested, usually by performing ad hoc test restores, which proves to auditors that the data integrity requirements are met. A robust and reliable backup solution is essential to meet this requirement.
- Data Monitoring – Backup services must be monitored so that backup failures and replication issues are reported. Resolving a problem may require manual intervention, but the logging of incidents should be automated.
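The monitoring safeguard above is easiest to see in code. The following is an added example, not Atlantic.Net's tooling: it parses a constructed backup-job log (each line is an ISO timestamp followed by key=value fields; real backup products use their own formats, so `parse_line()` is the part you would adapt), and it turns failed backups, failed or lagging replication, and expected jobs that never reported in into incident records automatically, leaving only the fix itself to a human.

```python
"""Automated backup/replication monitoring over job-status log lines.

Added example, not Atlantic.Net's tooling. The line format below is constructed
for illustration: "<iso-timestamp> key=value key=value ...".
"""
import re
from dataclasses import dataclass

# Constructed sample of one night's backup job output.
SAMPLE_LOG = """\
2024-03-04T01:00:12Z job=ehr-db-full op=backup status=OK bytes=5120000000
2024-03-04T01:05:40Z job=pacs-images-incr op=backup status=FAILED error="media write error"
2024-03-04T01:10:03Z job=ehr-db-full op=replicate target=siteB status=OK lag_s=120
2024-03-04T02:00:00Z job=billing-incr op=backup status=OK bytes=200000000
2024-03-04T02:30:00Z job=billing-incr op=replicate target=siteB status=OK lag_s=5400
""".splitlines()

# Jobs that must succeed every night (constructed names).
EXPECTED_JOBS = {"ehr-db-full", "pacs-images-incr", "billing-incr", "lab-results-incr"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Incident:
    job: str
    kind: str      # backup_failed | replication_failed | replication_lag | missing_backup
    detail: str


def parse_line(line: str) -> tuple:
    """Split a log line into (timestamp, {field: value}); surrounding quotes are stripped."""
    ts, _, rest = line.partition(" ")
    return ts, {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}


def analyse(lines, expected_jobs=EXPECTED_JOBS, max_lag_s: int = 3600) -> list:
    """Return Incident records for failures, excessive replication lag and
    expected jobs that never reported a successful backup."""
    incidents = []
    succeeded, failed = set(), set()
    for line in lines:
        ts, f = parse_line(line)
        job, op, status = f.get("job", "?"), f.get("op", "?"), f.get("status", "?")
        if op == "backup":
            if status == "OK":
                succeeded.add(job)
            else:
                failed.add(job)
                incidents.append(Incident(job, "backup_failed", f"{ts}: {f.get('error', status)}"))
        elif op == "replicate":
            if status != "OK":
                incidents.append(Incident(job, "replication_failed", f"{ts}: {f.get('error', status)}"))
            elif int(f.get("lag_s", "0")) > max_lag_s:
                incidents.append(Incident(job, "replication_lag",
                                          f"{ts}: lag {f['lag_s']}s exceeds {max_lag_s}s"))
    # A job that stays silent is as much of a problem as one that fails loudly.
    for job in sorted(expected_jobs - succeeded - failed):
        incidents.append(Incident(job, "missing_backup", "no successful backup recorded"))
    return incidents


if __name__ == "__main__":
    for inc in analyse(SAMPLE_LOG):
        print(f"{inc.kind:19} {inc.job:18} {inc.detail}")
```

On the sample input this reports the failed PACS incremental, a replication lag of 5400 s on the billing job (over the one-hour threshold), and the lab-results job that never ran. The "missing backup" check is the one most real deployments forget: a scheduler that silently stops launching jobs produces no failure lines at all.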
The protection of healthcare data must be the cornerstone of a HIPAA compliant service provider. Protected health information (PHI) must be stored and transmitted with the highest level of sensitivity and security. In addition to the requirements for a data backup plan, managed service providers (MSPs) must also adhere to the following safeguards in order to protect backup data:
- Data Center Security – Data centers must be resilient, secure compounds manned 24x7x365 by security personnel. The data center must also be protected by access control measures so that only authorized users can enter the data center. It is also recommended that all service provider employees submit to security screening prior to employment.
- Access Control – The service provider must enforce strict facility access controls and workstation security policies and actively manage device and media control systems (such as mobile phones and USB sticks).
- User Account Control – Local and remote access to server infrastructure must be protected by a stringent security policy applied to user accounts and groups. Policies should be created to ensure access is restricted and only available on a need-to-know basis. This affects both administrators and standard users.
- Infrastructure Security – The storage arrays where patient information is kept or backed up, as well as the entire server infrastructure, must be protected with strict access control measures, including actively audited user account access to the protected infrastructure. Stored data should also be protected with strong cryptographic algorithms to safeguard data integrity.
- Geofencing – Network-level geofencing allows or denies access to infrastructure based on the requesting IP address range. This safeguard protects against unauthorized access to patient data based on user location and can stop data going to unauthorized external destinations. Geolocation and tracking should be enabled to discover and report on any remote devices with access to ePHI (such as laptops) in case they are lost or stolen; most antivirus and endpoint security suites provide this feature.
- Tamperproof Logging – The MSP must be able to create audit trails for users and administrators. These logs should not be editable, even by administrators. Intact audit trails allow for sophisticated monitoring to detect trends and patterns in data and system usage.
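One standard way to make an audit trail tamper-evident, shown here as an added example rather than Atlantic.Net's product code, is a keyed hash chain: every entry carries the MAC of the previous entry and its own HMAC-SHA256, so editing, reordering or deleting any record breaks the chain from that point on and `verify()` pinpoints where. The assumption is that the key and a copy of the latest MAC live on a system the audited administrators cannot write to (a separate log collector or WORM storage); the key and event values below are constructed.

```python
"""Tamper-evident audit trail: a keyed hash chain over log entries.

Added example, not Atlantic.Net's product code. Assumes the HMAC key is held
by a log custodian system that administrators have no write access to.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "prev" value for the first entry in a chain


class AuditLog:
    def __init__(self, key: bytes):
        self._key = key
        self.entries = []  # each entry: event fields + "prev" + "mac"

    def _mac(self, body: dict) -> str:
        # Canonical JSON so the same fields always produce the same bytes.
        canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, canon, hashlib.sha256).hexdigest()

    def append(self, ts: str, actor: str, action: str, resource: str) -> str:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "ts": ts, "actor": actor,
                "action": action, "resource": resource, "prev": prev}
        mac = self._mac(body)
        self.entries.append({**body, "mac": mac})
        return mac

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if (body.get("seq") != i                      # a deleted/reordered record
                    or body.get("prev") != prev           # broken link to predecessor
                    or not hmac.compare_digest(self._mac(body), entry.get("mac", ""))):
                return i
            prev = entry["mac"]
        return -1


def _sample_log() -> AuditLog:
    # Constructed key and events for the demonstration.
    log = AuditLog(key=b"constructed-demo-key-held-by-log-custodian")
    log.append("2024-03-04T08:00:00Z", "dr.smith", "VIEW", "patient/1001")
    log.append("2024-03-04T08:02:10Z", "admin1", "EXPORT", "backup/ehr-db-full")
    log.append("2024-03-04T08:05:00Z", "dr.smith", "UPDATE", "patient/1001")
    return log


def demo() -> tuple:
    """(intact result, result after editing entry 1, result after deleting entry 1)."""
    clean = _sample_log().verify()
    edited = _sample_log()
    edited.entries[1]["actor"] = "dr.smith"   # an admin rewrites who did the export
    deleted = _sample_log()
    del deleted.entries[1]                    # or drops the record altogether
    return clean, edited.verify(), deleted.verify()


if __name__ == "__main__":
    print(demo())  # (-1, 1, 1)
```

The chain only proves integrity back to whatever head value the custodian last recorded, so the latest MAC should be shipped off-host at a fixed interval; with that in place, the trend and pattern analysis mentioned above can trust the records it reads.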
The second required criterion is the HIPAA data retention period requirement, which refers to how long data must be kept in its digital format. Retention can be a difficult and often confusing subject, as there is no specific HIPAA rule for medical record retention; that is defined by US state law. However, HIPAA does require the retention of records of actions, activities and assessments.
The HIPAA Journal sums up the retention requirements well, stating that “HIPAA compliance stipulates the documents must be retained for a minimum of six years from when the document was created, or – in the event of a policy – from when it was last in effect. Therefore, if a policy is implemented for three years before being revised, a record of the original policy must be retained for a minimum of nine years after its creation.”
The HIPAA Journal and Linford & Co both suggest that the following types of electronic documents are covered by the six-year retention policy:
- Risk Assessments and Risk Analyses
- Disaster Recovery and Contingency Plans
- Business Associate Agreements
- Information Security and Privacy Policies
- Incident and Breach Notification Documentation
- Physical Security Maintenance Records
- Logs Recording Access to and Updating of PHI
- IT Security System Reviews (including new procedures or technologies implemented)
There is no definitive list, and we recommend that you work with your business associates to determine retention requirements.
Service providers must not only adhere to these retention rules, but also provide adequate plans for how data will be destroyed after the retention period has passed. Some IT service providers' policies keep data permanently, either on decommissioned storage LUNs or locked in a fire safe, but HIPAA requires that data be securely erased when the time comes, whether because of a hardware error (such as a failed disk) or because the retention period has passed. Typically, this requires the service provider to produce certified evidence that the data has been destroyed, which can be presented to auditors.
Ready to set up a HIPAA compliant data backup solution? Contact Atlantic.Net today to learn how we can help!
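The six-year rule quoted above and the destruction planning just described fit together in a small retention calculator. The following is an added example, not guidance from the HIPAA Journal, Linford & Co or Atlantic.Net: it anchors each record's retention period at its creation date, or at the date a policy was last in effect, and produces the list of records in a constructed inventory that are past their retention date and therefore due for certified destruction.

```python
"""Retention deadline calculator for HIPAA documentation.

Added example. Encodes the six-year rule: six years from creation, or, for a
policy, six years from the date it was last in effect. Inventory is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

RETENTION_YEARS = 6


def add_years(d: date, years: int) -> date:
    """Calendar-year addition; 29 Feb falls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)
class Record:
    name: str
    created: date
    last_in_effect: Optional[date] = None  # set only for policies that were revised/retired


def retention_end(rec: Record) -> date:
    """First date on which the record may be destroyed."""
    anchor = rec.last_in_effect or rec.created
    return add_years(anchor, RETENTION_YEARS)


def due_for_destruction(records, today: date) -> list:
    """Names of records whose retention period has ended as of `today`."""
    return sorted(r.name for r in records if retention_end(r) <= today)


# Constructed inventory drawn from the document types listed above.
INVENTORY = [
    # policy in effect 3 years before revision: kept 9 years after creation
    Record("security-policy-v1", date(2015, 1, 1), last_in_effect=date(2018, 1, 1)),
    Record("risk-assessment-2017", date(2017, 6, 15)),
    Record("baa-lab-vendor", date(2016, 2, 29)),
    Record("breach-notification-2020", date(2020, 11, 3)),
]


if __name__ == "__main__":
    for rec in INVENTORY:
        print(f"{rec.name:26} retain until {retention_end(rec)}")
    print("due for certified destruction on 2024-03-04:",
          due_for_destruction(INVENTORY, date(2024, 3, 4)))
```

The destruction list is the input to the certified-erasure step: each name on it should end up paired with a destruction certificate, which is the evidence an auditor will ask for.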