HIPAA is more than keeping medical records secure

Disclaimer: This blog article was written by an AdvancedMD partner. The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the official policy or position of AdvancedMD.

On January 8, the Department of Health and Human Services (HHS) announced a settlement of $337,750 with USR Holdings, LLC, for a violation of the HIPAA regulations.

This is significant due to the nature of the HIPAA violation. Among the violations by USR Holdings, LLC was deletion of electronic protected health information.

Included in the statement from HHS is: “that they have backup procedures in place to be able to create exact copies of the electronic protected health information they hold, in the event health information is held for ransom or deleted”.

The loss of protected health information due to any event, including ransomware, is a HIPAA violation.

If your practice is hit by ransomware it is the proverbial double whammy because:

• Your data has been accessed by an unauthorized individual or process – First Violation
• You have lost your data – Second Violation

This underscores the need for regular backups of your data systems. Having a good backup program enables you to restore your data in case of any event that deletes, corrupts or destroys your data. Natural disasters, a fire in your office, a hard drive failure and many other factors can cause data to be lost or destroyed. Ransomware encrypts your data, making it inaccessible to you.

Not having access to your patient information can result in harm to patients. This is why HHS takes the issue of loss of patient data very seriously.

When you run a backup of your data, your backup program will typically give you a message “Backup Complete”. Unfortunately, there have been instances where practices have backed up their data every day and when they needed to restore from the backup the restoration process failed. To protect your practice from this unfortunate event it is important not only to back up your data, but also test restoring your backups on a regular basis.

To test your backups, you should either send a copy of your backup files to your software vendor and have them restore your data to one of their ‘test systems’ or you need to have a second set of computers at your practice and test restoring to that second set of computers. You NEVER want to test restoring to your ‘live’ system. If the test fails, your live data will be destroyed and you will lose it. Very few practices that we are aware of have a second set of computers that can be used to test restoring data, which is why we recommend you work with your vendors to test your backup systems.

You also want to have a written report from your vendor certifying your backups can be utilized to create an accurate and true system with all of your patient data. This documentation is very important should you experience an event and have to endure a HHS investigation.

For more information on protecting your practice from HIPAA related events please reach out to TLD Systems at:

https://www.tldsystems.com
phone: (631) 403 6687
email: [email protected]