Your Guide to HIPAA Contingency Plan Compliance With Disaster Recovery-as-a-Service

By Veronica Miller, Compliance Solutions Manager, Bluelock

The healthcare industry has undergone a radical digital shift in the past decade. As of 2014, more than 80 percent of U.S. hospitals adopted some type of electronic health record (EHR) system. Now, an industry that used to be dominated by thousands of tons of paper is finally shifting to a paperless way of life. The amount of data is expected to grow as technological innovations and interaction points with data proliferate.

While electronic data has brought ease to healthcare, luxury comes with dangers. Privacy, security, accessibility and continuity are among the top. HIPAA and HITECH regulations are calling for greater protection measures for personal health information (PHI) and the EHR environment.

Pressure from regulators plus major advancements in disaster recovery methodologies makes it the ideal time to establish or revamp your disaster recovery plan with Disaster Recovery-as-a-Service (DRaaS). Healthcare providers are increasingly moving disaster recovery (DR) to the cloud because of the costs and personnel required to manage a DR solution internally that will actually work when needed.

The following are the five simple steps for achieving HIPAA contingency plan compliance with DRaaS:

  1. Establish procedures to create and maintain retrievable copies of electronic health information.

Data should be frequently backed up to a completely secure, off-site location. This will give you access to your data even in the event of a disaster. Newer, cloud-enabled replication technology called Continuous Data Protection (CDP) makes any new data and system update sync instantly in real-time to your designated off-site location to ensure no data is lost. There’s also the option of using traditional backup technology to point your backup data to the cloud and store copies of the data in a secure, encrypted cloud-based repository.

To comply with HIPAA requirements, your DRaaS provider must also support continuous protection of your workload while recovering data off-site. 

  1. Establish procedures to restore any loss of data.

One of the most important parts of guarding your electronic data is organizing a plan for emergency data recovery. To do this, you should prepare a customized runbook for your disaster recovery plan that is regularly updated and tested as your organization evolves. This single document can ensure your organization’s ability to quickly get back up and running.

Be sure your team understands the procedures and processes of your disaster recovery plan, including how to access each application, its requirements for recovery and how it connects to other applications. Your DRaaS provider may offer assistance building your runbook, as well as provide training for your team.

  1. Create an emergency mode operation plan.

HIPAA requires an emergency mode operation plan that ensures your organization not only has an emergency plan, but can also operate securely in an emergency state. Certain DRaaS providers can enable your organization to run production and applications at a high level of security and efficiency at the DR site throughout an emergency. Depending on your provider, this level of security can be equal to or even higher than your day-to-day operations.

Although your team should have extensive training on executing your emergency mode operation plan, your DRaaS provider should be able to execute your runbook for data and application recovery in case your team cannot access key systems. Key items to work out beforehand include recovery point objectives (RPO) and recovery time objectives (RTO) as this will determine how far back your data is recovered and how quickly that recovered data will be fully accessible again.

  1. Complete periodic testing and revision of contingency plan.

In order to spot weaknesses and make adjustments to your contingency plan, be sure to regularly test your processes. With DRaaS, testing is more affordable and simpler than ever. This makes it easy to implement disaster recovery testing biannually, as recommended by standard IT best practices.

Your testing should analyze your organization’s response to scenarios in which the circumstances are not ideal, such as corrupted backups or the failure of major systems. This will allow you to include plans for these scenarios in your disaster recovery runbook so your team doesn’t have to make last minute decisions in the middle of a disaster.

  1. Assess the relative criticality of specific applications and data

Take time to prioritize which applications and data are most crucial to your organization. This will help your DRaaS provider ensure those highest on your list are top priority in recovery efforts. Customizing the recovery level of each application and data will let you restore the most important data immediately, while waiting to recover less important data during an emergency. Your recovery provider should be able to identify and recommend recovery levels for applications based on importance and criticality so your business can run its key systems in the event of a disaster.

Following these simple steps with DRaaS will help you comply with the HIPAA regulations for IT contingency plans. And when a disaster strikes, the preparation work your organization has completed will allow you to side step much of the challenge during a disaster event. For more detailed information on this process, check out this downloadable whitepaper.

About Veronica Miller: As Compliance Solutions Manager, Veronica is responsible for audit and compliance management, license management, client compliance and audit support, and process improvement initiatives. She is highly involved in Bluelock’s vendor selection and management, internal IT management, as well as special projects and initiatives.

.

LEAVE A REPLY

9 − 7 =