HIPAA & HITECH Compliance
HIPAA Overview – The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is federal law; the rules that implement it are issued and enforced by the U.S. Department of Health and Human Services (HHS). Those rules address how health care organizations may use and disclose individuals’ health information and set standards for individuals’ privacy rights, so that patients can understand and control how their health information is used and protected. A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being. More details can be found at the Department of Health & Human Services.
HITECH Overview – The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, significantly modified and strengthened many aspects of the HIPAA Privacy and Security Rules, including the penalties that can be imposed for violations. In practice it cleared up a lot of gray areas and at the same time allows stricter penalties for non-compliance. ‘Covered Entities’ and ‘Business Associates’ are now well defined, and as of February 2010 all Business Associates are directly subject to the Security Rule and must be fully compliant. A ‘Business Associate’ is any person or organization that creates, receives, maintains or transmits PHI (protected health information) on behalf of a Covered Entity, and this includes ePHI (electronic protected health information). A provider that stores your backups offsite is therefore a Business Associate, and the Security Rule requires a written Business Associate Agreement between you and that provider.
Who must comply? – According to the rules, all health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with a HIPAA-covered transaction (this includes doctors, chiropractors, dentists, medical imaging, hospitals, health insurance plans, etc.), together with their Business Associates.
Will Offsite Computer Backup make us compliant? – We will help you become compliant, but no single product or vendor is what makes you compliant. Safeguarding data is a major part of becoming compliant, and affected organizations must take ‘reasonable and appropriate’ administrative, physical and technical precautions, documented in their own policies and risk analysis.
What part of HIPAA applies to backup? – The Security Rule (Federal Register Vol. 68, No. 34, codified at 45 CFR Part 164). Section 164.308(a)(7) requires a contingency plan that includes a data backup plan, a disaster recovery plan and procedures for testing them; section 164.310(d)(2)(iv) requires a retrievable, exact copy of ePHI (data backup and storage); and section 164.312(a)(2)(iv) and (e)(2)(ii) address encryption of ePHI at rest and in transit.
How does ocBackup help us comply?
- Encryption – 256-bit AES, Twofish or DESede (Triple DES, an older cipher; choose AES-256 for new backup sets). All data is fully encrypted on the client’s computer before it leaves it, so only ciphertext is ever transmitted or stored. Backups cannot be restored without the encryption key, and Offsite Computer Backup LLC does not keep a copy of any encryption key. The practical consequence is that you must keep your own secure, offline copy of the key: if it is lost, nobody, including us, can recover the backups.
- Offsite – Backups are physically stored offsite in a world-class data center protected 24/7/365 by on-site security staff, CCTV, biometric access control, and multiple redundant systems.
- Automated – Offsite Computer Backup LLC solutions are completely automated.
- Monitored – Daily email reports confirm that backups completed as expected; a failed or missing report should be investigated the same day. A report shows that a backup ran, not that it can be restored, so schedule periodic test restores as part of your contingency plan’s testing procedures.
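To make the ‘Encryption’ point concrete, the following Go program is an added example written for this page; it is not ocBackup’s own code and says nothing about ocBackup’s actual file format or key management. It shows what client-side authenticated encryption looks like: a 256-bit key generated on the client, a backup archive sealed with AES-256-GCM before it is uploaded, and restore attempts that fail cleanly when the key is wrong or the sealed blob is presented under a different backup name. The archive contents, the backup name and the nonce-prefix layout are constructed assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample archive standing in for a backup that contains ePHI.
// The record is fictitious and exists only to show that it never leaves
// the client in the clear.
var sampleArchive = []byte("patient=J. Doe;mrn=000123;visit=2010-02-17;dx=redacted")

// NewBackupKey generates a random 256-bit AES key on the client. In the
// model described above the key never leaves the client: the provider
// stores only ciphertext and cannot restore anything without it.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBackup seals an archive with AES-256-GCM before it leaves the client.
// Assumed layout of the result: 12-byte random nonce || ciphertext || 16-byte tag.
// The backup name is bound as associated data, so a sealed blob cannot be
// swapped in under a different name without failing authentication.
func EncryptBackup(key, archive []byte, backupName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce so the nonce travels with the blob.
	return gcm.Seal(nonce, nonce, archive, []byte(backupName)), nil
}

// DecryptBackup restores an archive. A wrong key, tampered data or a wrong
// backup name all surface as one authentication error, never as partial plaintext.
func DecryptBackup(key, sealed []byte, backupName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed backup is too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(backupName))
}

func main() {
	key, err := NewBackupKey()
	if err != nil {
		panic(err)
	}
	const name = "clinic-ehr-2010-02-17.tar" // assumed backup name

	sealed, err := EncryptBackup(key, sampleArchive, name)
	if err != nil {
		panic(err)
	}
	// What the offsite data center receives: ciphertext only, no key.
	fmt.Printf("stored offsite: %d bytes, contains 'mrn=': %v\n",
		len(sealed), bytes.Contains(sealed, []byte("mrn=")))

	// Restore with the client's key succeeds.
	restored, err := DecryptBackup(key, sealed, name)
	fmt.Printf("restore with correct key: err=%v, match=%v\n",
		err, bytes.Equal(restored, sampleArchive))

	// Anyone without the key, the provider included, gets an error.
	// Losing the key therefore means losing the backup.
	wrongKey, _ := NewBackupKey()
	_, err = DecryptBackup(wrongKey, sealed, name)
	fmt.Printf("restore with wrong key: err=%v\n", err)
}
```

GCM rather than raw AES is used because an authenticated mode detects a wrong key or a corrupted upload instead of silently returning garbage, which matters when a restore is the last step of a disaster recovery plan. A random 96-bit nonce per backup is fine for the number of backups one key will see, but the same nonce must never be reused with the same key.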
What else? – There is no official HIPAA certification for any backup software or service, so no vendor can sell you ‘certified’ compliance; Offsite Computer Backup LLC is one critical tool in becoming compliant, alongside your own policies, procedures and risk analysis. For more information about HIPAA compliance, please refer to the US Dept. of Health & Human Services, http://www.hhs.gov/ocr/hipaa. For more information on HITECH, see