Remote Backup and HIPAA Compliance
Remote Backup and Restore can help healthcare organizations, including medical billing and third-party associates, comply with HIPAA.
HIPAA Overview
HIPAA consists of five parts:
- Title 1 - Health Insurance Portability - helps workers maintain insurance coverage when they change jobs
- Title 2 - Administrative Simplification - standardizes electronic health care-related transactions, and the privacy and security of health information
- Title 3 - Medical Savings Accounts & Health Insurance Tax Deductions
- Title 4 - Enforcement of Group Health Plan provisions
- Title 5 - Revenue Offset Provisions
Fortunately, four of the five parts of HIPAA have no bearing on Remote Backup and Restore. The one part that does apply is Title 2 - Administrative Simplification.
Administrative Simplification
HIPAA Administrative Simplification consists of two areas. The first is commonly referred to as the Transactions and Code Sets Rule, although it also covers standardization of identifiers. This Rule requires standardization in all health-related electronic transactions, such as electronic transmission of insurance claims, verification of insurance, statements, explanations of benefits, remittance advice, etc. It is scheduled to take effect in October 2003.
Remote Backup and Restore service is not a health-related transaction, and is therefore not covered under the Transactions and Code Sets Rule.
The second area of Administrative Simplification is made up of two Rules, the Privacy Rule and the Security Rule. Because these two rules are where the most confusion arises, we will examine them in some detail.
Privacy and Security
Before the Privacy and Security Rules can be explained, we must understand what they are intended to protect. Both rules are intended to safeguard any health-related information that can be traced to or used to identify an individual. Some examples of this type of information include name, address, Date of Birth, Social Security number, or any other identifier. This type of information is referred to as Protected Health Information, or PHI.
The Privacy Rule and Security Rule are intended to protect PHI in different ways. The Privacy Rule sets out limits on who can have access to PHI and for what purpose. The Security Rule regulates the Procedural, Physical and Technical means that are used to protect PHI.
Privacy
The Privacy Rule places limits on the ways that PHI can be used and disclosed, and requires accounting of disclosures. Before considering how it applies, it is useful to review how Remote Backup and Restore works.
With a Remote Backup and Restore solution, all information to be backed up is encrypted by the local client before being transmitted, using a key that is stored locally. Data is stored on the remote server in its encrypted form. Data can only be recovered by transmitting it back to the local client, which decrypts it, again using the locally-stored key. The most important feature of this arrangement is that while the data is stored on the remote server, it is encrypted and not in a readable format. The remote server does not have access to the key, and without the key, the data cannot be converted to a readable format.
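The arrangement just described (client-side encryption with a key that never leaves the client, ciphertext-only storage on the remote server, and restore by downloading and decrypting locally) can be shown end to end in code. The following is an added example written for this page; it is not the Remote Backup and Restore client software and makes no claim about how that product is implemented. It uses only the Python standard library: an encrypt-then-MAC construction built from HMAC-SHA256 (a counter-mode keystream for confidentiality plus a separate HMAC tag for integrity) stands in for the cipher a production client would get from a vetted library such as AES-GCM, the `RemoteBackupServer` class is an in-memory stand-in for the remote server, and `SAMPLE_PHI` is a constructed, fictional record.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # per-backup random nonce, prepended to the stored blob
TAG_LEN = 32    # HMAC-SHA256 tag, appended to the stored blob


def derive_subkeys(master_key: bytes):
    """Derive independent encryption and MAC keys from the locally stored master key."""
    enc_key = hmac.new(master_key, b"remote-backup/enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"remote-backup/mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC-SHA256 as a PRF over (nonce || block counter)."""
    blocks, produced, counter = [], 0, 0
    while produced < length:
        block = hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        blocks.append(block)
        produced += len(block)
        counter += 1
    return b"".join(blocks)[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_for_upload(master_key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Client side, before transmission. Output layout: nonce || ciphertext || tag."""
    enc_key, mac_key = derive_subkeys(master_key)
    if nonce is None:
        nonce = secrets.token_bytes(NONCE_LEN)  # fresh per backup; never reuse with the same key
    ciphertext = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_after_download(master_key: bytes, blob: bytes) -> bytes:
    """Client side, after download. Verifies integrity before releasing any plaintext."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short to be a valid backup")
    enc_key, mac_key = derive_subkeys(master_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("backup failed integrity check; refusing to restore")
    return xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext)))


class RemoteBackupServer:
    """In-memory stand-in for the remote server: stores opaque blobs and never receives a key."""

    def __init__(self):
        self._blobs = {}

    def store(self, name: str, blob: bytes) -> None:
        self._blobs[name] = bytes(blob)

    def fetch(self, name: str) -> bytes:
        return self._blobs[name]

    def stored_bytes_contain(self, name: str, needle: bytes) -> bool:
        """What an operator with full server access could learn by grepping the stored bytes."""
        return needle in self._blobs[name]


# Constructed, fictional PHI record used only for this demonstration
SAMPLE_PHI = b"Patient: Jane Example; DOB: 1970-01-01; SSN: 000-00-0000; Dx: example"


def run_backup_cycle(master_key: bytes = None):
    """Back up SAMPLE_PHI to the stand-in server and restore it.
    Returns (server_could_read_phi, restored_plaintext)."""
    master_key = master_key or secrets.token_bytes(32)  # lives only on the client
    server = RemoteBackupServer()
    server.store("patient-records.bak", encrypt_for_upload(master_key, SAMPLE_PHI))
    server_could_read = server.stored_bytes_contain("patient-records.bak", b"Patient")
    restored = decrypt_after_download(master_key, server.fetch("patient-records.bak"))
    return server_could_read, restored


def restore_fails_if_tampered(master_key: bytes = None) -> bool:
    """A corrupted or altered blob must be rejected rather than silently restored."""
    master_key = master_key or secrets.token_bytes(32)
    blob = bytearray(encrypt_for_upload(master_key, SAMPLE_PHI))
    blob[NONCE_LEN] ^= 0x01  # flip one ciphertext bit to simulate corruption in storage
    try:
        decrypt_after_download(master_key, bytes(blob))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    could_read, restored = run_backup_cycle()
    print("server could read PHI:", could_read)
    print("restored matches original:", restored == SAMPLE_PHI)
    print("tampered blob rejected:", restore_fails_if_tampered())
```

The two properties the paragraph above relies on are both visible here: `run_backup_cycle` shows the server holding bytes from which the record cannot be read without the client's key, and `restore_fails_if_tampered` shows that a key held only by the client also lets the client detect a blob that was altered or corrupted while in remote storage, which matters for the integrity of a restore after a disaster.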
Remote Backup and Restore Services do not involve the use or disclosure of PHI. All back-up data is stored on the Remote Server in an encrypted form, and any access to PHI by a Remote Backup and Restore Service Provider would be incidental, if even possible. Remote Backup and Restore Service Providers are therefore not normally considered to be Business Associates, and are not covered by or required to be compliant with the HIPAA Administrative Simplification Privacy Rule.
Security
The Security Rule is the one part of HIPAA that clearly applies to the type of services that Remote Backup and Restore offers. The Final Security Rule was published in February 2003, and became effective on April 21, 2003. Compliance with this Rule will be required by April 21, 2005.
The Security Rule legislates the means that should be used to protect PHI. It requires that covered entities have appropriate Administrative Procedures, Physical Safeguards, and Technical Safeguards to protect access to PHI.
Examples of appropriate safeguards include:
- Establishment of clear Access Control policies, procedures, and technology to restrict who has authorized access to PHI.
- Establishment of restricted and locked areas where PHI is stored.
- Establishment of appropriate Data Backup, Disaster Recovery, and Emergency Mode Operation planning.
- Establishment of technical security mechanisms such as encryption to protect data that is transmitted via a network.
Remote Backup and Restore is compliant with the Final Security Rule.
The Remote Backup and Restore client software contains all appropriate technical security mechanisms to protect the data that is transmitted to and from the Remote Backup and Restore Server.
Remote Backup and Restore fulfills a critical part of Data Backup, Disaster Recovery, and Emergency Mode Operations strategies by providing offsite backup that can be geographically distant from the client site to minimize the likelihood of data loss in a large-scale disaster. In the event of loss of the primary data center, data on a Remote Backup and Restore Server can easily be recovered from any replacement data center.
Covered entities will be required to comply with the HIPAA Administrative Simplification Security Rule by April 21, 2005. Remote Backup and Restore's remote backup service, as part of a comprehensive security plan, can be an important part of compliance strategy.
Disclaimer: Consult your legal counsel if you have questions about HIPAA and your specific situation. All information presented on this page is believed to be factually correct. However, this page is not intended to give legal advice.