HIPAA Compliance

HIPAA Overview

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is divided into five titles:

  1. Health Insurance Portability - helps workers maintain insurance coverage when they change jobs
  2. Administrative Simplification - standardizes electronic health care-related transactions, and the privacy and security of health information
  3. Medical Savings Accounts & Health Insurance Tax Deductions
  4. Enforcement of Group Health Plan provisions
  5. Revenue Offset Provisions

Four of the five titles have nothing to do with online backup. The one that does apply is Title II, Administrative Simplification.

Administrative Simplification

HIPAA Administrative Simplification consists of two areas. The first is the Transactions and Code Sets Rule, together with the standards for identifiers. It requires standardized formats for health-related electronic transactions such as insurance claims, eligibility verification, statements, explanations of benefits, and remittance advice. Online backup is not a health-related transaction, so it is not covered by the Transactions and Code Sets Rule and raises no compliance issues there.

The second area of Administrative Simplification consists of two rules, the Privacy Rule and the Security Rule. These are the areas that cause the most confusion, so we examine them in more detail.

Privacy and Security

The rules safeguard health information that can be traced to, and used to identify, an individual. Identifiers that make health information individually identifiable include:

  • Name
  • Address
  • Date of Birth
  • Social Security Number
  • Any other identifier

Health information carrying such identifiers is referred to as Protected Health Information (PHI).

The Privacy Rule and the Security Rule protect PHI in different ways. The Privacy Rule limits who may access PHI and for what purpose. The Security Rule governs the administrative, physical, and technical safeguards used to protect PHI that is held or transmitted in electronic form.

Privacy

The Privacy Rule limits the ways PHI may be used and disclosed, gives individuals the right to an accounting of disclosures, and requires a covered entity to have a written business associate agreement with any vendor that stores or handles PHI on its behalf. With that in mind, here is how Backup Creations handles your data.

With the Backup Creations backup service, all data to be backed up offsite is encrypted with 256-bit AES on the local computer before it is transmitted, using a key that the user creates and that is stored only on that computer. Data is held on the Backup Creations servers in its encrypted form. It can be recovered only by transmitting it back to the local client PC, where the software decrypts it with the same locally stored key. If a disaster destroys the local computer, the user must reinstall the Backup Creations SuperFlexible software and enter the same key by hand. The key is therefore the only path to the data: record it and keep it somewhere safe and separate from the computer being backed up, because a lost key makes the offsite backups permanently unreadable.

The most important feature of this arrangement is that while the data is on the Backup Creations servers, it is encrypted and not in readable form. The Backup Creations servers never receive the key, and without it the data cannot be converted to readable form; no Backup Creations employee has access to the key either. Note that this guarantee depends entirely on the key staying on the client: it must never be transmitted to, or stored alongside the data on, the servers.
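To make the arrangement above concrete, the following is an added example written for this page; it is not Backup Creations' code, and the SuperFlexible software's actual key format and cipher mode are not stated on this page. The example assumes AES-256 in GCM mode, a 64-character hex key that the user records offline and re-enters after a disaster, and a constructed sample record standing in for PHI. It shows the client sealing a record, the server holding only ciphertext it cannot read, the restore path from a hand-typed key, and GCM's authentication tag rejecting a record that was altered on the server, which plain AES encryption alone would not catch.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"io"
)

// KeyBytes is the size of an AES-256 key.
const KeyBytes = 32

// NewUserKey generates a random 256-bit key on the client and returns it as
// hex for the user to record offline. It is never sent to the backup server.
func NewUserKey() (string, error) {
	key := make([]byte, KeyBytes)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return "", err
	}
	return hex.EncodeToString(key), nil
}

// ParseUserKey converts a hand-typed hex key back to raw bytes and rejects
// anything that does not decode to exactly 32 bytes (assumed key format).
func ParseUserKey(typed string) ([]byte, error) {
	key, err := hex.DecodeString(typed)
	if err != nil {
		return nil, fmt.Errorf("key is not valid hex: %w", err)
	}
	if len(key) != KeyBytes {
		return nil, fmt.Errorf("key must be %d bytes, got %d", KeyBytes, len(key))
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one backup record on the client (assumed mode: AES-256-GCM).
// The output, nonce || ciphertext || tag, is all the server ever receives.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a stored record on the client. The GCM tag also rejects any
// record that was altered, by fault or by an attacker, while on the server.
func Open(key, stored []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize() {
		return nil, fmt.Errorf("stored record too short")
	}
	return gcm.Open(nil, stored[:gcm.NonceSize()], stored[gcm.NonceSize():], nil)
}

// ServerCanRead models what a server holding only ciphertext can learn:
// whether a known plaintext fragment appears verbatim in the stored record.
func ServerCanRead(stored, fragment []byte) bool {
	return bytes.Contains(stored, fragment)
}

func main() {
	record := []byte("Patient: Jane Doe, DOB 1970-01-01, Dx: hypertension") // constructed sample, not real PHI
	typedKey, err := NewUserKey()
	if err != nil {
		panic(err)
	}
	key, _ := ParseUserKey(typedKey) // after a disaster this is the key the user types in by hand
	stored, err := Seal(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Println("server can read patient name:", ServerCanRead(stored, []byte("Jane Doe")))
	restored, err := Open(key, stored)
	fmt.Println("restore with hand-typed key ok:", err == nil && bytes.Equal(restored, record))
	stored[len(stored)-1] ^= 0x01 // one bit flipped while sitting on the server
	_, err = Open(key, stored)
	fmt.Println("tampered record rejected:", err != nil)
}
```

Run it with `go run`; the printed lines show that the server cannot see the patient name, that the re-entered key restores the record, and that a single flipped bit is rejected at restore time. The integrity check is the practical addition: confidentiality keeps PHI unreadable on the server, but a backup that silently restores corrupted data is also a Security Rule problem (integrity and availability), and an authenticated encryption mode catches that before the bad data is written back.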

 

Security

The Security Rule is the one part of HIPAA that clearly applies to online backup services. The Final Security Rule was published in February 2003 and became effective on April 21, 2003. Compliance was required by April 21, 2005 (April 21, 2006 for small health plans).

The Security Rule specifies the safeguards that must be used to protect electronic Protected Health Information. It requires covered entities to maintain appropriate administrative, physical, and technical safeguards that preserve the confidentiality, integrity, and availability of electronic PHI and restrict access to it.

Examples of the safeguards the Rule calls for include:

  • Establishment of clear Access Control policies, procedures, and technology to restrict who has authorized access to Protected Health Information.
  • Establishment of restricted and locked areas where Protected Health Information is stored.
  • Establishment of appropriate Data Backup, Disaster Recovery, and Emergency Mode Operation planning.
  • Establishment of technical security mechanisms, such as encryption, to protect data transmitted over a network. Encryption is an "addressable" implementation specification: a covered entity must either implement it or document why an equivalent alternative is reasonable in its environment.

Backup Creations is designed to meet the technical safeguard requirements of the Final Security Rule.

The Backup Creations SuperFlexible software encrypts data with 256-bit AES on the client before it leaves the machine, so the data is protected both in transit to and from the Backup Creations servers and while stored on them.

In addition, the Backup Creations servers are housed in physically secured buildings with limited, locked access. Multiple redundant Internet connections reduce the chance of a failed backup, and all servers have redundant backup power, including generators.

Backup Creations can form a critical part of your Data Backup, Disaster Recovery, and Emergency Mode Operation plans by providing offsite backups geographically distant from the client site, minimizing the risk of data loss in a large-scale disaster.

Backup Creations can be an important part of your compliance strategy as part of a comprehensive security plan.

For more information on HIPAA, please visit http://www.hipaa.org or http://www.hhs.gov/ocr/hipaa/

Disclaimer

Please note that although all information presented on this page is believed to be factually accurate, it is not intended to give or replace legal advice. Please consult legal counsel if you have questions about your specific situation.