If you are a medical practice, such as a doctor or dentist office, you or your IT company should be performing HIPAA compliant backups, regardless of whether it is a local or cloud backup. Here are the basics you need to make sure are in place to stay compliant and protect your business.
There are two phases that describe a backup: "in transit" and "at rest". When a backup is in transit it means the data is being transmitted somewhere. If you are backing up to the cloud, that transit portion must be secured by using an HTTPS session so the data is protected while it is being sent.
The next phase is when the data is at rest, which means when it is being stored on a server, hard drive or some other resource. The backup itself must use 256-bit encryption; this should be supported by whatever backup software you are using, and if it isn't, then you should be looking for another backup provider. Typically, when you encrypt a backup using the software itself, you must provide a master key (passphrase) to access it.
An encrypted backup is critically important if you are backing up to a USB drive, in case of theft. Another scenario is if the USB drive is thrown out by mistake: there is now a possibility of someone picking it up and reading your patient records, which would be considered a breach. If you aren't encrypting the backup itself, you should encrypt the entire USB drive and document that you are doing so.
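To make the "at rest" requirement from the previous two paragraphs concrete, here is an added example (not from the original post and not any vendor's backup software) of what an encrypted local or USB backup looks like when scripted by hand: a directory is archived, encrypted with AES-256 under a master passphrase, and a checksum is stored so a tampered or corrupted file is noticed before restore. It assumes `openssl` and `tar` are installed; the directory paths and the passphrase file are placeholders you would replace with your own.

```shell
#!/bin/sh
# Added example: AES-256 encrypted backup at rest with a master passphrase.
# Assumes openssl (1.1.1 or newer, for -pbkdf2) and tar are available.
set -eu

# SHA-256 of a file, printed as a bare hex string (portable, no sha256sum needed).
checksum() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# encrypt_backup SRC_DIR OUT_FILE PASS_FILE
# Archives SRC_DIR and encrypts it with AES-256-CBC. The key is derived from the
# master passphrase in PASS_FILE with PBKDF2 (200k iterations, random salt), so a
# stolen or discarded drive holds only ciphertext. A checksum of the encrypted
# file is written alongside it for integrity checking at restore time.
encrypt_backup() {
    src_dir=$1; out_file=$2; pass_file=$3
    tar -C "$src_dir" -cf - . \
        | openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
            -pass file:"$pass_file" -out "$out_file"
    checksum "$out_file" > "$out_file.sha256"
}

# decrypt_backup IN_FILE DEST_DIR PASS_FILE
# Refuses to restore if the encrypted file no longer matches its recorded
# checksum; otherwise decrypts with the master passphrase and unpacks into DEST_DIR.
decrypt_backup() {
    in_file=$1; dest_dir=$2; pass_file=$3
    [ "$(checksum "$in_file")" = "$(cat "$in_file.sha256")" ] || {
        echo "checksum mismatch for $in_file, refusing to restore" >&2
        return 1
    }
    mkdir -p "$dest_dir"
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass file:"$pass_file" -in "$in_file" \
        | tar -C "$dest_dir" -xf -
}

# ciphertext_hides ENC_FILE STRING
# Sanity check that a known plaintext string (e.g. a patient name) does not appear
# in the encrypted file. Returns 0 when the string is absent.
ciphertext_hides() {
    ! grep -q -- "$2" "$1"
}

# Usage (paths are placeholders):
#   printf 'your master passphrase\n' > /secure/location/backup.pass
#   encrypt_backup /var/practice/records /media/usb/records.enc /secure/location/backup.pass
#   decrypt_backup /media/usb/records.enc /tmp/restore /secure/location/backup.pass
```

Two points worth noting on the design. The passphrase lives in a separate file with restricted permissions rather than on the command line, so it does not end up in shell history or process listings; losing that passphrase means losing the backup, so it must be stored and documented as carefully as the backup itself. The checksum gives tamper and corruption detection, which plain AES-CBC does not provide on its own; a wrong passphrase will also normally fail with a "bad decrypt" error rather than producing garbage.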
If you need HIPAA compliance and are located in the New York City or Long Island area please reach out to us for a free consultation. We’re an IT consulting company with over 15 years of experience.