Now that more than 8 in 10 physician practices have adopted EHRs, and with the growing threat from natural disasters and cyberattacks, a critical question has emerged: how best to protect electronic patient data? While current HIPAA regulations require practices to take steps to back up patient information, implementing appropriate safeguards is both a compliance issue and a clear business imperative.
The Medical Group Management Association’s most recent MGMA Stat poll asked healthcare leaders “Does your practice back up data from your EHR?” More than nine in 10 (92%) respondents indicated that their organizations back up EHR data, while only 8% stated they do not. Of those respondents indicating yes, 64% stated that they backed up their data using an off-site/cloud-based approach, 21% utilized an on-site data storage approach and 15% responded with “other.”
This poll was conducted on July 30, 2019, with 1,207 applicable responses.
HIPAA implications
Among the many requirements of the HIPAA Security Rule (compliance date 2005), the contingency plan standard (45 CFR 164.308(a)(7)) requires practices to have: (i) a data backup plan for creating and maintaining retrievable exact copies of electronic protected health information; (ii) an emergency mode operation plan so that critical business processes continue while operating in emergency mode; and (iii) a disaster recovery plan for restoring any loss of data. The Office for Civil Rights (OCR), the federal agency that enforces the HIPAA Privacy and Security Rules, can impose civil money penalties and require corrective action plans when practices are found not to have implemented these requirements.
Critical questions to ask
While potential federal enforcement is a consideration for practices when developing a data backup strategy, arguably the more pressing consideration is ensuring patient data is available when and how clinical and administrative staff require it. Practice leaders need to ask themselves the following critical questions:
- How would patient care be impacted if our clinicians no longer had immediate access to medical records?
- How would cash flow be impeded if claims data were lost?
- How would the practice continue operations if all patient data were rendered unavailable?
Backup options
When it comes to data backup approaches, practices generally have two options: on-site or cloud-based. Both have their positives and negatives, but generally speaking off-site data backup systems provide better protection against natural disasters such as fires or floods. Cloud-based systems, however, require significant internet bandwidth to transmit data efficiently, and both backup and retrieval will be impacted should your internet service go down. Whichever option is chosen, at least one copy should be kept offline or otherwise isolated from the production network, so that a cyberattack that encrypts or deletes live data cannot reach the backup as well.
Issues to consider
Practices should consider the following issues when developing a data backup plan:
- Review the physical layout of your practice and the rooms where your IT systems are located. Are they susceptible to flooding or other hazards?
- Install power protection (an uninterruptible power supply) so that systems can shut down cleanly, and backups are not left half-written, during a power outage.
- While backing up clinical data from your EHR is critical, consider backing up other types of practice data including patient forms, billing information, practice emails and other data important to your practice.
- For on-site data backup systems, consider image-based (full-system snapshot) backups as opposed to older tape-based technology.
- Decide how much data the practice can afford to lose between backups. Hourly backups minimize the loss from a power outage or other failure, but large files that do not compress well (e.g., medical images) can saturate your internet connection, so plan the backup interval and transfer window around the volume and type of data you are backing up.
- Similarly, keep monthly backups for a full year, so that if a corrupted file has been silently copied into every recent backup an older clean copy is still available.
- Encrypt backup data both at rest and in transit, and store the encryption keys separately from the backups themselves so that a lost key does not make the backup unrecoverable.
- For both on-site and cloud-based backup systems, practices are encouraged to test the data recovery process with their vendor on a regular basis, restoring actual files and confirming they are complete and readable rather than only confirming that backup jobs completed.
- Compare the cost of on-site versus cloud-based backup options, but factor in the potential cost to the organization of a natural disaster or cyberattack.
- Develop a contingency plan to protect your practice should you not be able to access your electronic records. This plan would include downtime procedures for conducting both administrative and clinical processes manually.
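The retention schedule (hourly copies for recent loss, monthly copies kept for a year as protection against a corrupted file being backed up repeatedly) and the restore test above are illustrated below. This is an added example, not the MGMA article's or any EHR vendor's code. It assumes snapshots are identified by UTC timestamps, that the hourly tier is kept for 48 hours (an assumed figure; the article only says hourly) and the monthly tier for 12 months, and that restore integrity is checked with a SHA-256 manifest written at backup time and re-checked on the restored copy. The sample files it creates are constructed stand-ins, and encryption of the backup set is left out of scope.

```python
"""Backup retention selection and restore-test verification.

Illustrative example (not MGMA's or any vendor's code). Assumptions: snapshots
are identified by UTC timestamps; hourly snapshots are kept for 48 hours and
the first snapshot of each calendar month for 12 months; integrity is checked
with a SHA-256 manifest written at backup time and re-checked after restore.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone

HOURLY_WINDOW = timedelta(hours=48)  # assumption: hourly copies kept for two days
MONTHLY_MONTHS = 12                  # from the text: monthly copies kept for a year
MANIFEST = "MANIFEST.sha256"


def select_retained(snapshots, now):
    """Return the sorted subset of snapshot timestamps to keep.

    Two tiers: every snapshot within HOURLY_WINDOW of `now`, plus the first
    snapshot taken in each of the last MONTHLY_MONTHS calendar months. The
    monthly copies are the fallback when a corrupted file has been silently
    copied into every recent backup.
    """
    keep = set()
    first_in_month = {}
    for ts in sorted(snapshots):
        if now - ts <= HOURLY_WINDOW:
            keep.add(ts)
        first_in_month.setdefault((ts.year, ts.month), ts)
    for (year, month), ts in first_in_month.items():
        months_old = (now.year - year) * 12 + (now.month - month)
        if 0 <= months_old < MONTHLY_MONTHS:
            keep.add(ts)
    return sorted(keep)


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir):
    """Record the SHA-256 of every file under backup_dir; return the file count."""
    lines = []
    for root, dirs, files in os.walk(backup_dir):
        dirs.sort()
        for name in sorted(files):
            if name == MANIFEST:
                continue
            path = os.path.join(root, name)
            lines.append(f"{_sha256(path)}  {os.path.relpath(path, backup_dir)}")
    with open(os.path.join(backup_dir, MANIFEST), "w") as f:
        f.write("\n".join(lines) + "\n")
    return len(lines)


def verify_restore(restore_dir):
    """Re-hash a restored copy against its manifest; return a list of problems.

    An empty list means the restore test passed. Missing files are reported as
    well as altered ones: a restore that silently drops files is still a failure.
    """
    problems = []
    with open(os.path.join(restore_dir, MANIFEST)) as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            path = os.path.join(restore_dir, rel)
            if not os.path.exists(path):
                problems.append(f"missing: {rel}")
            elif _sha256(path) != digest:
                problems.append(f"corrupted: {rel}")
    return problems


def demo_retention():
    """Constructed schedule: 73 hourly snapshots plus one per month since 2018."""
    now = datetime(2019, 7, 30, 12, tzinfo=timezone.utc)
    snaps = [now - timedelta(hours=h) for h in range(73)]
    snaps += [datetime(y, m, 1, 3, tzinfo=timezone.utc)
              for y in (2018, 2019) for m in range(1, 13) if (y, m) <= (2019, 7)]
    kept = select_retained(snaps, now)
    return len(kept), kept[0].isoformat(), kept[-1].isoformat()


def demo_restore_test():
    """Constructed backup set: verify a clean restore, then a damaged one."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "backup")
        os.makedirs(os.path.join(backup, "ehr"))
        with open(os.path.join(backup, "ehr", "patients.db"), "wb") as f:
            f.write(b"constructed patient table\n" * 100)   # constructed sample
        with open(os.path.join(backup, "claims.csv"), "w") as f:
            f.write("claim_id,amount\n1001,125.00\n")          # constructed sample
        count = write_manifest(backup)
        restore = os.path.join(tmp, "restore")
        shutil.copytree(backup, restore)
        clean = verify_restore(restore)
        with open(os.path.join(restore, "ehr", "patients.db"), "r+b") as f:
            f.seek(0)
            f.write(b"X")                                      # simulate bit rot
        os.remove(os.path.join(restore, "claims.csv"))         # simulate a dropped file
        damaged = verify_restore(restore)
    return count, clean, sorted(damaged)
```

The retention function is deliberately a pure selection over timestamps, so it can be run against the list of snapshots a vendor reports before anything is deleted; the manifest check is what turns "the backup job completed" into "the restored files are the ones we wrote".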
Resources
- MGMA member-benefit resource: Cybersecurity Action Steps for Medical Practices
- HHS Guidance on HIPAA: Security Standards: Physical Safeguards
MGMA Stat is a national poll that addresses practice management issues, the impact of new legislation and related topics. Participation is open to all healthcare leaders. Results of other polls and information on how to participate in MGMA Stat are available at: http://www.mgma.com/stat