Protecting patient data isn’t usually the first thing family practitioners think about in the morning when they’re on their way to work. But in the aftermath of a natural disaster like Hurricane Sandy, which wreaked havoc all over the Northeast and mid-Atlantic regions over the past few days, it just might be.
Before the hurricane peaked, a few healthcare experts weighed in on what practices can do to best ensure their data is secure, whether they use cloud-based services or rely on in-house hardware/software systems.
Now, going forward, practices should reflect on whether their existing data backup plan will protect data in a HIPAA-compliant way. Bob Dupuis, practice director, Infrastructure and Security, at Burlington, Mass.-based Arcadia Solutions, told Physicians Practice that many large organizations have failed to do this and gotten penalized.
“We’ve seen organizations that have data below sea level impacted,” said Dupuis. “Data should be encrypted whether it’s through a USB drive or cloud-based backup.”
HIPAA’s security rule includes required and recommended actions to ensure the security of protected patient health information. Additionally, the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, supports HIPAA by imposing stiff penalties on healthcare organizations found guilty of data breaches. Among the penalties: fines up to $1.5 million and the burden of notifying the media (as well as patients) if the breach involves more than 500 records.
“Take a look at your physical structure for your practice and where it’s located, so if the power is out and you’re not going to be at the office for a few days, it’s locked up tight,” said Dupuis. “In addition, if you’ve had water problems in the past, make sure to address that. And make sure you have the appropriate power protection in place, so if the power does go out, things can shut down in a clean way.”
Ideally, providers should have a UPS (uninterruptible power supply) in the event that power is lost, healthcare consultant Bruce Kleaveland told Physicians Practice.
“The UPS is a short-term battery backup that provides the practice with the ability to power down in a systematic way in the event of power loss,” said Kleaveland. “They should have all of the data backed up on a physical medium that they can take with them and protect from any natural disaster. If a particular location is subject to flooding, it would probably be prudent to temporarily move the server to a safe, secure place until the threat had passed.”
For more tips on how to secure and back up your patient data, check out our article “Data Security 101 for Physician Practices.”