Guest Column | September 14, 2018

What Is HIPAA's Role In Disaster Recovery?

By Tim Mullahy, Liberty Center One

data loss disaster recovery business continuty

Business continuity is critical to every organization and every industry - but if you work in healthcare, it’s even more important. In large part, that’s due to HIPAA. That’s not the only reason, though.

What happens to your organization in the event of an emergency? If your infrastructure fails due to a natural disaster, how will you ensure business continuity? If there’s a data breach, what’s your response plan?

These are all questions you need to answer, no matter what industry you work in. As our world becomes increasingly digitized, the need for checks and balances to keep our organizations up and running in a disaster have grown more important than ever. Nowhere is that truer than in the healthcare field.

Yours is an industry where consistent access to patient data could be the difference between life and death. A field where the information you work with is of the most sensitive, most critical nature. A vertical that deals with some of the most intimate parts of its patients’ lives.

This is precisely why regulations like HIPAA exist. And it’s also why HIPAA includes a strict set of guidelines pertaining to disaster recovery. Per HIPAA guidelines, healthcare organizations and covered entities must develop and implement plans for:

  • Disaster recovery
  • Data backup
  • Emergency mode operations
  • Testing and revision procedures
  • Determining which applications and data are critical for operations

You have a duty of care to ensure that patients are in no way compromised during downtime, and that the security and integrity of their data are never put at risk. Fortunately, so long as you follow the guidelines established in HIPAA, it should not be terribly difficult to establish the policies and procedures necessary to make this so. To that end, you should take the following steps:

  1. Figure out which ePHI needs to be backed up and protected, and where it is located.
  2. Determine the method you will use to back up that data, where the backups will be situated, and how you will secure them.
  3. Determine how frequently those backups will be stored, and how those backups will be replicated.
  4. Determine the risks your organization is likeliest to face and create a distinctive plan for each threat. In addition, we’d advise also putting together a general response and recovery plan that can come into play when you face an emergency you did not expect. For each plan…
    1. Establish roles and responsibilities for all staff in the event of an emergency, and ensure the proper infrastructure is in place to keep workers in contact with one another during a crisis.
    2. Create documentation of all policies, processes, roles, and responsibilities. Ensure this documentation is readily available to all staff, and that it is regularly reviewed by your organization.
    3. Determine how your organization will ensure the confidentiality and integrity of critical infrastructure and data during an emergency, as well as what systems should be prioritized during restoration.
    4. Implement procedures for regular testing of disaster recovery processes - drills, training programs, and reminders for staff.

There is no other way to say it. Disaster recovery is as much a part of HIPAA as confidentiality and privacy. If you do not have clear contingencies in place to protect your systems, people, and data in an emergency, you are not compliant.

About The Author

Tim Mullahy is the Executive Vice President and Managing Director at Liberty Center One, a new breed of data center located in Royal Oak, MI. Tim has a demonstrated history of working in the information technology and services industry.