
HIPAA Compliant Solutions for Data Backup


The need to become HIPAA compliant is driving physicians to examine every process and system in their offices. Backing up data has become a high priority because the HIPAA security requirements cover not only backing up and protecting data, but also being able to document the entire process.

There are a number of methods for backing up data, each with its advantages and disadvantages. As in all technology, more secure and automated processes continue to evolve.
Years ago, backing up to floppy disks was a widely accepted practice. But doctors soon learned that the disks cannot hold enough data for unattended backups. Each backup could require hundreds of disks, and the storage is unreliable.

  • Today, the most widely used method for backing up data is the traditional tape backup. Tapes provide a relatively high storage capacity and eliminate the need to sit and watch the backup and swap storage media. However, the higher quality comes at a higher price. Getting started requires an average initial investment of around $2,000 to purchase the drive and the backup software. Then, a rotating backup routine recommends using 19 tapes per year at an average cost of $40 a tape. Often, a practice will just record over and over on the same tape, only to discover that it has worn out and the last recognizable backup may be a year old. Tape backups also require an off-site storage solution -- where to keep the tapes in the event of a data loss, system crash or even greater disaster? A practice must address how quickly those tapes can be retrieved and the data restored in such an emergency.
  • Some practices have tried removable storage drives -- though this is not very common. While a large floppy-disk drive or removable hard-disk equivalent drive is better than nothing, these drives are not highly recommended because of high pricing, cumbersome off-site storage issues and storage capacity limitations that make unattended backups impractical.
  • One method of backup that has become more popular is a CD backup. CD formats include recordable (CD-R) and rewriteable (CD-RW). Recordable CDs, once recorded, cannot be written over and can be read from any CD-ROM drive. Rewriteable CDs can be rewritten, but can only be read by the newer CD-ROM drives. This method of backing up is fairly inexpensive as the price of CDs continues to drop. But CDs don't hold as much storage capacity as a tape backup method. DVDs, an upgrade to CDs, hold up to 18 gigs of data. But with CD or DVD, the issues of off-site storage and limited shelf-life remain.
  • Another method of system-wide backup is drive imaging. Using this concept with commercially available software, entire hard drive partitions are mirrored to another physical hard drive, either in the same PC housing or on the network. This type of backup procedure is essential in disaster recovery if there should be a hard drive crash or an insidious virus/worm attack on the PC. This form of backup is generally not used on a daily basis but does become the critical first step in data recovery in the event of a system-wide crash. Dynamic data such as critical patient accounting and EMR records are generally backed up using another format and medium and therefore would be the secondary step in a recovery process. It is not enough to have only dynamic data backed up, as this will not restore your entire operating system and other software applications that could be critical to your practice, i.e., word processing, desktop publishing, graphics and imaging applications, etc.
  • A new solution providing both high-quality security and off-site storage has evolved with the growing access to communications bandwidth -- online data backup. The online backup service is completely automated. The software is installed on the PC or server and compresses and encrypts the data prior to transferring it to a Data Center via a direct port. The backup occurs at night, the data is safely stored off-site in its encrypted format, and it can be restored at the push of a button in the event of a disaster. The backup software has a selection feature that allows the customer to decide which files are backed up, enabling cost-effective selection of data files only. And the backup success is monitored by data center experts. Typically, there are no upfront costs for the software and many services offer a free 30-day trial. Monthly pricing is based on the amount of compressed data stored on the provider's servers and is typically less expensive than the cost of tapes. For example, a typical two-physician practice using practice management software on a Windows-based operating system might have 50 - 200 megs of compressed data. In such a case, the monthly online backup cost would range from $20 to $40.

    Note: one of the most critical elements in implementing and testing a data disaster recovery program is going through the process of data restoration on a trial basis. All too often, we encounter commercial organizations, including medical practices, that claimed to have backup procedures in place. However, these organizations have never tested data restoration to authenticate and validate the most important step of data recovery. Oftentimes tapes (or other media) are out of sequence or improperly labeled. Or, disaster recovery startup diskettes for Windows 2000 or Windows NT have not been properly maintained and will not initiate the recovery process.
  • With HIPAA compliance deadlines looming, physicians must evaluate their backup process and make plans to write a contingency plan. This plan should include information about how the backup process is done, who handles the tapes or CDs, where they are stored off-site, how quickly they can be retrieved in the event of a disaster, the rotation process -- everything related to backing up the data, protecting it, storing it and recovering it. There are backup services that have geared their company structure to meet the stringent requirements of HIPAA and will even provide a written contingency plan free as part of their backup process. Practices that haven't just purchased tape drives or expensive equipment would do well to consider looking into online backup solutions.

 

Accudata Systems can assist you in the evaluation as well as implementation process of data disaster recovery.