Medical professionals and other health care providers feel the pressure to make the conversion to electronic medical records from not only the federal government but also state government agencies and private insurers. Patient rights advocates repeated express concern about the security of Protected Health Information (PHI) in electronic form and its transmission over the internet for the purposes of coordinating care and submission of insurance claims. A review of the provisions of the Health Insurance Portability and Accountability Act (1996) serves as a great reassurance to consumers about the privacy of their health records. Healthcare providers and administrators face the challenge of devising and implementing secure server backup procedures not only as a part of a comprehensive risk management plan but also as a means to avoid sanctions by government regulators.
HIPPA regulations outline five primary areas pertaining to data management:
- Contingency Planning: The regulations require the establishment and implementation of a comprehensive plan to recover electronic medical records and other PHI in the event of an emergency, natural disaster, fire, vandalism. Remote server backup of exact copies of PHI that the healthcare provider can easily retrieve is required in the implementation of the contingency plan.
- Access Controls: Data is required to be accessible to only those with a need to know as defined by HIPAA. The implementation of this plan required establishing user credentials defining the scope and type of information the individual can access. The minimum of 128 bit SSL is required to secure credentials from theft.
- Audit Controls: This standard addresses the implementation involves implementation of a plan addressing the mechanisms monitoring activity in the primary information systems as well as the remote server backup.
- Data Integrity: HIPAA requirements specify information systems used to process and store electronic medical records authentic PHI in the system and verify there are no unauthorized changes to PHI either at the primary terminal or in the remote server backup of the information.
- Authentication: The electronic medical record system must have a means of verifying the identity and credentials of entities or individuals accessing PHI either at the primary terminal or in the remote server backup of the information.
The complexity of the HIPAA regulations and the sanctions issued by regulators for failure to be in compliance of these standards necessitate healthcare agencies to evaluate carefully the security of their electronic medical records. Given record retention requirement for medical records being for the life of the patient in most cases, remote online data storage is a necessity. Healthcare information technology administrators must carefully evaluate the ability of their server backup provider to meet the standards outlined in HIPAA. A secured data storage provider with knowledge of the HIPAA standards is a valuable partner in navigating the regulations and assuring compliance.
When choosing a server backup provider, it is essential to ensure the service provides Continuous Data Protection to monitor the changes in files so nothing is lost. The remote server must be able to recognize the electronic medical record application on the user side in order to prevent corruption of files. The service needs to provide user side passwords for access to encrypted data, which are resistant to brute force hacking techniques, so there is no unauthorized access to PHI. Managed remote server backup services provide the advantage of monitoring the activity of the servers fulfilling the HIPAA standards related to audit controls and data integrity. A comprehensive web-based user control panel for the remote server is required in the event of an onsite audit of the healthcare agency.