Is Your EHR Data Backed Up?

Sandra Olsen has seen heavy rainstorms, but the one storm the she'll truly never forget flooded her Milwaukee family medicine practice on July 22, 2010.

Olsen, the program administrator at The St. Joseph's Family Medicine Residency at Wheaton Franciscan Healthcare, a Medical College of Wisconsin (MCW) affiliate, had left her practice for the day. Shortly thereafter, Kevin Izard, one of practice's physicians, called and said the water from the rainstorm was rising, and fast.

"He said, 'Sandy, I can't see my car. My car is under water, and now the water's seeping into the clinic.'" Olsen recalls.

Since the practice was on the ground floor, Izard had to act fast, so he tried to move the 150-pound server off the floor. It was too heavy to move. The water got up to three feet and soaked the servers, computers, and all of the practice's equipment. "It took down everything; all of our servers," says Olsen.

Fortunately, the practice had a few things going for it. Thanks to its UPS (uninterruptable power supply), when the power went out servers were spurred to shut down gracefully. A combination of several variables helped the practice get up and running in three days: air drying the servers that got wet, using MCW's central information system to restore one of the failed servers, the fact that the practice used a NextGen EHR in lieu of paper records, and a little luck.

Other practices aren't always so lucky.

How can you make sure your precious patient information is protected in the event of a hard drive crash or a natural disaster? The answer depends on the type of EHR you are using and how much money you want to spend.

Why more data is at risk

Our 2011 Technology Survey, taken in the first quarter of this year, reveals that between one-third and one-half of practices have a fully implemented EHR, and hundreds more are in the process of EHR implementation.

But while electronic records are technically harder to physically damage, steal, or lose than insecure paper records, anyone who has experienced a crashed hard drive or a laptop that won't work after a coffee spill knows that electronic data is still vulnerable.

Unfortunately, data backup often takes a backseat at smaller practices that are focused on financing new technology to meet regulatory requirements.

"Data backup isn't something that they're thinking about until it's too late when they realize 'I need it,'" says Steve ZoBell, vice president of product development at EHR vendor ADP AdvancedMD. "They're focused on what it takes to get them productive in their space, and they don't think about it as much as they should, on both the backup and the security of the backup."

But the consequences of not backing up patient data, or backing it up poorly, could constitute a HIPAA violation if unencrypted data gets into the wrong hands, or worse: a permanent loss of hundreds, or even thousands, of your patient's personal health records.

Fortunately, there are many data-backup options for practices, which vary in cost and ease of implementation.

Weighing your backup options

Many practices back up electronic patient data by saving it to portable hard drives, tapes, and discs. This low-budget backup method is better than doing nothing, but not by much.

"We've definitely come into situations where people were relying on tape and found out when they needed the tape that it didn't work," says Dan Haurey, president of Exigent Technologies, a company that provides data backup services for small businesses, including specialty medical practices, in New York and New Jersey. "Tape backup is using essentially the same technology a cassette tape uses. It's magnetic media; it's subject to stretching and drying."

Another disadvantage of discs and tapes is a greater risk of loss or theft, which ultimately puts the practice at risk for fines due to violations of HIPAA privacy rules if backup data isn't encrypted.

That's why IT consultant Marion Jenkins, CEO of QSE Technologies, advises practices to do both offline and offsite backup.

Offline backup refers to backup copies of data that are not live and running (for example, backing up data to an external drive or server).

"This backup is the first line of defense and protects you against the most common types of errors and failures, and allows for quick recovery," says Jenkins. "It handles about 90 percent of the most common threats."

Offsite backup refers to the act of moving data offsite to another location (for example, to a branch office or to a data center in another city).

How you go about backing up data depends on factors ranging from your financial resources to whether your existing EHR system is an onsite, client-server-based system or an Internet-accessible, cloud-based system.

For practices with a client-server EHR that want to go beyond portable media device backup, a number of vendors offer sophisticated technology that is programmed to perform routine backups several times per day for a small monthly service fee.

There is also the option of upgrading to virtualization-server technology, which is what St. Joseph's Family Medicine Residency did. Virtualization servers hold multiple virtual machines in one space, and can be programmed to take "snapshots" (virtual copies) of existing data at regular intervals.

"Restoring from a snapshot is a much more efficient process because I can restore from a point in time," says Ody Granados, St. Joseph's director of information services.

What's different with a cloud-based EHR is that vendors provide hosted data storage services through the use of multiple remote backup centers. Data is accessed via Internet and managed remotely, so practices don't have to worry about backing up data themselves.

"In a client-server environment, you don't have the ability to have multiple redundancies," says ZoBell.

Becky Horton, an administrator for three Alabama practices, credits a cloud-based EHR for the fact that she could immediately access her practices' data in the aftermath a 200-tornado outbreak in April, which occurred the same week of the infamous Joplin, Mo., tornado.

"I was able to drive 20 minutes away to a public library and access that information and transmit claims to a clearinghouse," says Horton. "Though there was no access to the main computers, I was able to get into the systems via the Web."

Practices shopping for EHRs should keep in mind that they will also want to back up other data, such as patient-referral letter PDFs or Excel financial records. Often times, cloud-based EHR vendors don't offer those extra services for non-EHR data, Jenkins warns.

Also, in a cloud scenario, practices have less control.

"Practices considering taking their EHR into the cloud should look at a vendor's data-retention policy," advises ZoBell. "How are they doing backup? How are they getting the data secured? How can a customer access that backup data?"

Lessons learned

As you fine-tune your practice's data backup plans, consider the lessons learned by practices whose data was put at risk.

While St. Joseph's was lucky that the flood of July 2010 didn't destroy all of its servers, the experience of the flood prompted the practice to make some important changes. In addition to adding a virtualization server, St. Joseph's other smaller servers now reside on the second floor of the medical facility. The practice also manually backs up data with tapes on a weekly basis, and stores them offsite, says Granados.

"If water gets to the second floor, I'm not worrying about the server," says Olsen.

The practice also manually backed up data with tapes on a weekly basis, which are stored offsite, says Granados.

For administrator Horton, the experience of managing a practice through the course of a natural disaster has sold her on the virtues of data backup.

"I would never go back to having to save information on a flash drive, and lock it, and put it in a safe," says Horton. "That's a lot of extra worry. You don't have to worry about whether or not your information is going to be gone."

Marisa Torrieri is an associate editor at Physicians Practice. She can be reached at marisa.torrieri@ubm.com.

This article originally appeared in the November 2011 issue of Physicians Practice.