The U.S. Department of Labor has reported that more than half of U.S. companies have experienced a loss of data in the last two years. Perhaps more alarming, many companies that suffer a significant data loss are likely to go out of business within a few years of the event. For healthcare organizations in particular, the lack of a proper data backup plan can have serious regulatory and operational consequences, as well as public embarrassment.

The HIPAA Security Rule requires healthcare providers to implement specific administrative, physical, and technical safeguards for electronic protected health information (ePHI). Covered Entities must also establish a contingency plan for responding to an emergency or other occurrence, such as a natural disaster, a system failure, or a cyber-attack, that damages systems containing ePHI. The rule defines three required implementation specifications for that contingency plan:

  • Data Backup Plan—Establish and implement procedures to create and maintain retrievable exact copies of ePHI.
  • Disaster Recovery Plan—Establish (and implement as needed) procedures to restore any loss of data.
  • Emergency Mode Operation Plan—Establish (and implement as needed) procedures that keep critical business processes running, and the security of ePHI protected, while operating in emergency mode.

The rule's two addressable implementation specifications round this out: the plans should be based on an applications and data criticality analysis covering every system that receives, stores, processes, or transmits ePHI, and the plans should be tested and revised periodically so that the organization has evidence, not just an assumption, that data can actually be recovered after an outage or loss.
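Whether a backup plan really yields retrievable exact copies, and whether the periodic test passes, can only be known by restoring and checking. The Python script below is an added example written for this article, not LBMC's tooling or any vendor's product: it archives a directory of constructed sample records, records a SHA-256 manifest sealed with an HMAC, restores into a scratch directory, and reports whether every file came back bit-for-bit identical; it then repeats the drill against a deliberately corrupted copy and with the wrong seal key. The file names, manifest member names and seal key are assumptions made for the example, and encryption at rest is deliberately left out (use a vetted library for that in practice).

```python
import hashlib
import hmac
import io
import json
import os
import tarfile
import tempfile

# Member names chosen for this example (an assumption, not a standard format).
MANIFEST_NAME = "MANIFEST.json"
SEAL_NAME = "MANIFEST.hmac"


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def create_backup(src_dir, archive_path, seal_key):
    """Archive every file under src_dir plus a manifest of per-file SHA-256 digests,
    sealed with an HMAC so a tampered or corrupted manifest is itself detectable."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir).replace(os.sep, "/")
                with open(full, "rb") as f:
                    manifest[rel] = sha256_bytes(f.read())
                tar.add(full, arcname=rel)
        manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
        seal = hmac.new(seal_key, manifest_bytes, hashlib.sha256).hexdigest().encode()
        for name, payload in ((MANIFEST_NAME, manifest_bytes), (SEAL_NAME, seal)):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return manifest


def restore_and_verify(archive_path, seal_key, dest_dir):
    """Restore into dest_dir and report whether every file came back bit-identical."""
    report = {"ok": False, "reason": "", "restored": 0, "missing": [], "mismatched": []}
    with tarfile.open(archive_path, "r:gz") as tar:
        manifest_bytes = tar.extractfile(MANIFEST_NAME).read()
        seal = tar.extractfile(SEAL_NAME).read()
        expected = hmac.new(seal_key, manifest_bytes, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(seal, expected):
            report["reason"] = "manifest seal mismatch (wrong key or tampered manifest)"
            return report
        for rel, digest in json.loads(manifest_bytes).items():
            parts = rel.split("/")
            if rel.startswith("/") or ".." in parts:  # classic tar path traversal
                report["reason"] = "unsafe path in manifest: " + rel
                return report
            try:
                data = tar.extractfile(tar.getmember(rel)).read()
            except KeyError:
                report["missing"].append(rel)
                continue
            out = os.path.join(dest_dir, *parts)
            os.makedirs(os.path.dirname(out), exist_ok=True)
            with open(out, "wb") as f:
                f.write(data)
            with open(out, "rb") as f:  # re-read from disk: verify what was actually restored
                if sha256_bytes(f.read()) == digest:
                    report["restored"] += 1
                else:
                    report["mismatched"].append(rel)
    report["ok"] = not (report["missing"] or report["mismatched"])
    report["reason"] = "" if report["ok"] else "restore did not reproduce an exact duplicate"
    return report


def tamper(archive_path, tampered_path, target, new_bytes):
    """Rewrite the archive with one file's bytes replaced, simulating silent corruption."""
    with tarfile.open(archive_path, "r:gz") as src, tarfile.open(tampered_path, "w:gz") as dst:
        for member in src.getmembers():
            data = src.extractfile(member).read()
            if member.name == target:
                data, member.size = new_bytes, len(new_bytes)
            dst.addfile(member, io.BytesIO(data))


def run_drill():
    """Run the drill on constructed sample records (fake content, no real PHI)."""
    key = b"example-seal-key"  # assumption: a real deployment pulls this from a KMS/HSM
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "ehr")
        os.makedirs(os.path.join(src, "labs"))
        with open(os.path.join(src, "patient-0001.json"), "w") as f:
            f.write('{"id": "0001", "note": "constructed sample record"}')
        with open(os.path.join(src, "labs", "cbc.csv"), "w") as f:
            f.write("id,wbc,hgb\n0001,6.1,13.8\n")
        good, bad = os.path.join(work, "backup.tar.gz"), os.path.join(work, "corrupted.tar.gz")
        manifest = create_backup(src, good, key)
        tamper(good, bad, "labs/cbc.csv", b"id,wbc,hgb\n0001,6.1,0.0\n")
        return {
            "manifest_entries": len(manifest),
            "clean": restore_and_verify(good, key, os.path.join(work, "restore-clean")),
            "corrupted": restore_and_verify(bad, key, os.path.join(work, "restore-bad")),
            "wrong_key": restore_and_verify(good, b"wrong", os.path.join(work, "restore-wk")),
        }
```

Calling run_drill() returns one report per scenario; in practice restore_and_verify would run from a scheduled job against a real archive and the dated report would be kept, since a stored record of a successful restore is the evidence an auditor asks for and a failed one is the finding you want to discover before an outage does. Note the path check: an archive is untrusted input at restore time, and an entry such as ../../etc/passwd must be rejected rather than extracted.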

A healthcare organization's backup solution should cover several core capabilities: role-based access control, offsite storage, physical security of the storage facility, encryption of data in transit and at rest, user authentication, and reporting. For many organizations, working with electronic data vaulting specialists is the most efficient way to meet these HIPAA requirements and carry out the required restore testing.

You can’t afford to take chances when it comes to complying with HIPAA. LBMC Information Security’s team members have extensive experience in a variety of industries with security and compliance mandates, and we take data protection seriously. Contact us today to learn more.

Mark Fulford

Mark Fulford, CISSP, CISA, ABCP, CRISC, is a Shareholder in the risk services division of LBMC, PC. With nearly 25 years of experience in information security audit and compliance, Mark understands how to translate technical jargon into actionable intelligence. With significant experience in healthcare, his expertise includes assisting companies with Sarbanes-Oxley, HIPAA, PCI, and HITRUST compliance, as well as providing assurance to clients and their stakeholders through SOC 1 and SOC 2 reporting engagements. More recently, his focus has been on helping organizations identify and manage information security risks through both guided and automated risk assessment techniques.