HIPAA Compliance and OBS Online Backup


WHITE PAPER HIPAA Compliance and OBS Online Backup

Table of Contents

HIPAA Compliance and the Office Backup Solutions
  Introduction
  More about the HIPAA Security Rule
  HIPAA Security Rule and Electronic Data Backup
Office Backup Solutions OBS
  HIPAA Compliance and OBS Online Backup
  OBS Security and Encryption
  OBS Logging and Archiving
  Backing Up and Restoring with OBS
  OBS Features and Benefits Summary
For more information about OBS, please visit our website or contact us

HIPAA Compliance and the Office Backup Solutions

Introduction

In 1996, Congress passed the Health Insurance Portability and Accountability Act ("HIPAA"). HIPAA was designed to reduce the administrative costs of healthcare, to promote the confidentiality and portability of patient records, to develop standards for consistency in the health care industry, and to provide an incentive for electronic communications.

HIPAA applies to any health care providers, health plans and clearinghouses (collectively "Covered Entities") that electronically maintain or transmit health information pertaining to individuals. Covered Entities must have appropriate measures that address the physical, technical and administrative components of patient data privacy.

With the exception of small health plans, all Covered Entities must have data security standards in place by April 21, 2005, when the Standards for the Security of Electronic Protected Health Information (the "Security Rule") of HIPAA goes into effect for most health care providers. Small health plans are exempted until April 21, 2006.

The Security Rule requires health care providers to put in place certain administrative, physical and technical safeguards for electronic patient data. Among other things, Covered Entities will be required to have a Data Backup Plan, a Disaster Recovery Plan, and an Emergency Mode Operation Plan. Fortunately, there is a simple and affordable way to meet many of these security and contingency requirements: Office Backup Solutions.

More about the HIPAA Security Rule

The Security Rule applies to electronic protected health information either transmitted by electronic media or maintained in electronic media. Covered entities that maintain or transmit protected health information are required by the Security Rule (see 45 C.F.R. § 164.306) to:

1. Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
4. Ensure compliance with this subpart by its workforce.

According to the HIPAA regulations, Covered Entities are allowed to use a flexible approach when implementing the above requirements. Specifically:

1. Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
2. In deciding which security measures to use, a covered entity must take into account the following factors:
   (i) The size, complexity, and capabilities of the covered entity.
   (ii) The covered entity's technical infrastructure, hardware, and software security capabilities.
   (iii) The costs of security measures.
   (iv) The probability and criticality of potential risks to electronic protected health information.

The Security Rule is further detailed through 18 technical standards and 36 implementation specifications. These standards and specifications are classified into four categories: administrative safeguards, physical safeguards, technical safeguards and organizational requirements.

HIPAA Security Rule and Electronic Data Backup

A number of the Security Rule's standards and specifications apply to the backup and safekeeping of electronic data. Covered Entities must have a contingency plan and:

Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information (Administrative Safeguards - § 164.308(a)(7)(i)).

This contingency plan must be implemented as follows:

(A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
(B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.
(C) Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

Covered Entities must also have certain physical safeguards, such as facility access controls. They must implement policies and procedures to limit physical access to their electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed (Physical Safeguards - § 164.310(a)(1)). The contingency operations should establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency (§ 164.310(a)(2)(i)).

In addition, Covered Entities must implement certain technical safeguards (§ 164.312) to, among other things:

- Limit access to electronic protected health information.
- Encrypt and decrypt electronic protected health information.
- Put into place audit controls that record and examine activity in information systems that contain or use electronic protected health information.
- Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

Office Backup Solutions OBS

HIPAA Compliance and OBS Online Backup

OBS online backup can help your health organization meet HIPAA compliance requirements, specifically those of the Security Rule.

OBS, from GMx Solutions, is a secure online backup service that automates the process of backing up electronic data. OBS was created with healthcare providers in mind, to satisfy the broad need for an easy-to-use, automated and secure method of backing up data offsite. The goal of OBS was to design a cost-effective backup service that could be used by anyone regardless of computer expertise. We listened to our customers so that we can provide a solution that meets their expectations. OBS provides most of the functionality and features of backup systems used by Fortune 500 companies. However, the key is that it is easy to use and does not require office staff time. OBS provides a backup solution that is effortless to set up, easy to use, completely automatic and, most importantly, secure and reliable.

OBS Security and Encryption

All data, including patient and billing records, is encrypted before it leaves the customer's computer(s) and is never accessible without the customer's encryption key. This encryption key is known only to the medical office; it is never transmitted over the Internet, nor is it stored on GMx Solutions' servers. Only the customer has access to the data in their files, thus eliminating the threat of unauthorized access. GMx Solutions cannot access the data in the files, even at the customer's request. Each file is individually encrypted using a unique 256-bit encryption key, easily generated in software by the customer.

OBS uses 256-bit Advanced Encryption Standard (AES) encryption technology. AES encryption was developed by the U.S. National Institute of Standards and Technology (NIST) and is now the state-of-the-art standard encryption technique for both commercial and government applications. Moreover, in June 2003, 128-bit AES was approved by the United States' National Security Agency (NSA) for use in encrypting U.S. government documents classified "TOP SECRET." We use 256-bit AES encryption technology.

Another way to put it is that 256-bit encryption has 1.1 x 10^77 possible 256-bit key combinations to crack. Assuming that one could build a machine that could recover a 128-bit AES key in a second (i.e., try 2^55 keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack just a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old. (Source: the National Technical Information Service (NTIS), www.ntis.gov.)

For added security, and to meet the Security Rule's transmission requirements, each encrypted file is then sent securely over the Internet. It remains encrypted with 256-bit AES at all times while it is being sent over the Internet, to and from the GMx Solutions servers.
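The client-side, per-file encryption design described above, as an added example in Go; this is not GMx Solutions' or OBS's code, and the page does not say which AES mode or key-management layout OBS uses. It shows one way such a design can be built with AES-256-GCM from the Go standard library: each file is compressed and encrypted under its own random 256-bit key, that key is wrapped under a master key that exists only on the customer's machine, and the file name is bound into the authentication tag so a stored blob cannot be swapped or relabelled. The file name, sample record and the helper names (SealFile, OpenFile, sealBlob, openBlob) are constructed for illustration.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// SealedFile is what leaves the customer's machine; the master key that unwraps WrappedKey never does.
type SealedFile struct {
	Name       string
	WrappedKey []byte // unique per-file key, sealed under the customer's master key
	Ciphertext []byte // gzip(plaintext), sealed under the per-file key
}

// gcm builds AES-GCM for key; a 32-byte key selects AES-256.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBlob returns nonce||ciphertext||tag; aad (the file name) is authenticated, so a blob cannot be relabelled.
func sealBlob(key, data, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, data, aad), nil
}

// openBlob reverses sealBlob; any change to blob or aad fails authentication.
func openBlob(key, blob, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// SealFile is the client-side path: compress, draw a fresh 256-bit per-file key,
// encrypt with it, then wrap that key under the master key, which is never sent.
func SealFile(masterKey []byte, name string, plaintext []byte) (SealedFile, error) {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(plaintext) // writes into an in-memory buffer cannot fail
	zw.Close()
	fileKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return SealedFile{}, err
	}
	ct, errC := sealBlob(fileKey, buf.Bytes(), []byte(name))
	wrapped, errW := sealBlob(masterKey, fileKey, []byte(name))
	if errC != nil || errW != nil {
		return SealedFile{}, fmt.Errorf("seal %s: content=%v key=%v", name, errC, errW)
	}
	return SealedFile{Name: name, WrappedKey: wrapped, Ciphertext: ct}, nil
}

// OpenFile is the restore path, run only where the master key exists: unwrap, decrypt, decompress.
func OpenFile(masterKey []byte, sf SealedFile) ([]byte, error) {
	fileKey, err := openBlob(masterKey, sf.WrappedKey, []byte(sf.Name))
	if err != nil {
		return nil, fmt.Errorf("unwrap key for %s: %w", sf.Name, err)
	}
	compressed, err := openBlob(fileKey, sf.Ciphertext, []byte(sf.Name))
	if err != nil {
		return nil, fmt.Errorf("decrypt %s: %w", sf.Name, err)
	}
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	return io.ReadAll(zr)
}

func main() {
	masterKey := make([]byte, 32) // constructed: generated and held only by the customer
	io.ReadFull(rand.Reader, masterKey)
	sf, _ := SealFile(masterKey, "billing.db", []byte("constructed sample billing record"))
	_, err := OpenFile(make([]byte, 32), sf) // provider side holds sf but not the master key
	pt, _ := OpenFile(masterKey, sf)
	fmt.Printf("provider attempt: %v\ncustomer restore: %q\n", err, pt)
}
```

The property the page claims (the provider cannot read the data even on request) follows from where the master key lives, not from the key length: the storage side receives only SealedFile values, and without the master key neither the wrapped per-file key nor the content can be opened. GCM also makes tampering with stored blobs detectable on restore, which is what the Security Rule's integrity requirement asks for.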

Further, all user data is sent to and stored in two redundant secure data centers, located 2,000 miles apart. Each data center has 24/7 onsite monitoring, advanced security technology, backup generators and redundant connections to the Internet.

OBS Logging and Archiving

The process is controlled and monitored at each stage of the daily backup. The stages of the process are:

1. Locate all of the data files to be backed up.
2. Encrypt, compress, and store them in a local holding area.
3. Securely transmit the data to the OBS offsite backup server.

If all items are done successfully, then our dashboard shows a green light for your account. By monitoring each stage of the process we can provide you a quick resolution if there is ever a problem. If any stage fails, a trouble ticket is created with our helpdesk, and the customer is informed. Backups are normally processed during your off-hours, usually between 6 PM and 6 AM (based on your local time); however, this is completely customizable.

As an added service we can help resolve problems for you. Problems that are the result of a change on your system and that are likely to cause delays getting your office started the next morning can be remotely addressed. If the software you use follows some of the standards that we are familiar with, our staff can detect and repair the cause of these problems, or give you guidance that will get you back online much quicker than your software provider can.

Many laws and regulations require long-term data retention. OBS can accommodate any retention period the customer may require. Since the data is compressed during the encryption phase, long-term data storage is economical. In addition, many vendors charge for data storage at the uncompressed rate. OBS saves you even more by only charging for stored files that have changed since the last backup! For further HIPAA compliance, CDs and DVDs of data are available for additional long-term archiving.[1]
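The three-stage, monitored backup run and the "only files that changed since the last backup" rule described above, as an added example in Go; this is not OBS's software. It models the locate, encrypt/compress/hold and transmit stages, records each stage's outcome as an audit log, raises a ticket string when a stage fails, and uses a SHA-256 manifest of the last successful run to select only new or modified files. The stage names, ticket format, sample files and the RunBackup/SelectChanged names are constructed; the encryption step is injected and here is a pass-through stand-in so the run can be followed end to end.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

const (
	StageLocate   = "locate"
	StageEncrypt  = "encrypt-compress-hold"
	StageTransmit = "transmit"
)

// StageLog is one step's outcome; a run's log is the audit trail of what happened.
type StageLog struct {
	Stage  string
	OK     bool
	Detail string
}

// RunResult is what the dashboard reads: Green when every stage passed, else a ticket.
type RunResult struct {
	Green   bool
	Ticket  string
	Changed []string // files selected this run: new or modified since the last success
	Log     []StageLog
}

// Manifest maps path -> SHA-256 of content as of the last successful run.
type Manifest map[string]string

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// SelectChanged picks a file when it is new or its content hash differs from the manifest.
func SelectChanged(files map[string][]byte, last Manifest) []string {
	var out []string
	for path, content := range files {
		if last[path] != digest(content) {
			out = append(out, path)
		}
	}
	sort.Strings(out) // deterministic order for logs
	return out
}

// RunBackup executes the three stages; encrypt and send are injected so they can be
// replaced or made to fail. On any failure the previous manifest is returned unchanged,
// so files that did not reach the offsite server are selected again next run.
func RunBackup(files map[string][]byte, last Manifest,
	encrypt func([]byte) ([]byte, error), send func(string, []byte) error) (RunResult, Manifest) {
	res := RunResult{}
	fail := func(stage string, err error) (RunResult, Manifest) {
		res.Log = append(res.Log, StageLog{stage, false, err.Error()})
		res.Ticket = fmt.Sprintf("stage %q failed: %v", stage, err)
		return res, last
	}
	// Stage 1: locate what needs backing up.
	res.Changed = SelectChanged(files, last)
	res.Log = append(res.Log, StageLog{StageLocate, true, fmt.Sprintf("%d files scanned, %d changed", len(files), len(res.Changed))})
	// Stage 2: encrypt/compress into a local holding area before anything is sent.
	holding := map[string][]byte{}
	for _, p := range res.Changed {
		blob, err := encrypt(files[p])
		if err != nil {
			return fail(StageEncrypt, fmt.Errorf("%s: %w", p, err))
		}
		holding[p] = blob
	}
	res.Log = append(res.Log, StageLog{StageEncrypt, true, fmt.Sprintf("%d blobs staged", len(holding))})
	// Stage 3: transmit the staged blobs offsite.
	for _, p := range res.Changed {
		if err := send(p, holding[p]); err != nil {
			return fail(StageTransmit, fmt.Errorf("%s: %w", p, err))
		}
	}
	res.Log = append(res.Log, StageLog{StageTransmit, true, fmt.Sprintf("%d blobs sent", len(holding))})
	// Every stage green: the manifest now reflects current content (deleted files drop out).
	res.Green = true
	next := Manifest{}
	for path, content := range files {
		next[path] = digest(content)
	}
	return res, next
}

func main() {
	files := map[string][]byte{"patients.db": []byte("constructed v2"), "billing.db": []byte("constructed v1")}
	last := Manifest{"billing.db": digest(files["billing.db"])} // billing.db unchanged since last night
	passthrough := func(b []byte) ([]byte, error) { return b, nil } // stand-in for the real sealing step
	res, next := RunBackup(files, last, passthrough, func(string, []byte) error { return nil })
	fmt.Printf("green=%v changed=%v log=%+v manifest=%d\n", res.Green, res.Changed, res.Log, len(next))
}
```

The detail that matters for a data backup plan is that a failed run never advances the manifest: a file that was selected but not transmitted is selected again the next night, so a red light is followed by a retry rather than a silent gap in the "retrievable exact copies" the Security Rule requires.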
[1] Additional fees may apply.

Backing Up and Restoring with OBS

Backups are automated, eliminating the need for manual data handling. Backups will begin automatically according to each backup set's schedule, as long as the computer is on and functioning properly. Backups can also be initiated by the user at any time. Restores are performed by selecting the date to restore your files from via our customer access website, and then retrieving the files via your local GUI application, which contains your unique decryption key. As desired, or for more significant restore operations such as a system failure, OBS technicians are available to assist.

OBS Features and Benefits Summary

- Automated, unattended data backups with built-in notifications.
- Ultimate data security via 256-bit AES encryption: data is ALWAYS compressed and encrypted during transmission and storage.
- Restricted password access: a secret encryption key can be specified for ultimate security; even OBS cannot access your data.
- Off-site storage at secured data centers. Data is mirrored to secondary secure facilities for ultimate data availability.
- Extended storage is available.
- On-demand, exact copy data retrieval - 24x7x365.
- Optional monthly, quarterly, or annual CD or DVD archives are available.
- Our technology often detects problems before you do.

Some Customer Quotes:

"Office Backup Solutions has saved us 2 hours or more every time our software provider makes a major change, which is more often than we can afford." - Hudson, Florida customer with 10 users.

"The service you provide your customer is essential for good backup practices. However, the help you have provided us by isolating and defining the customer's problem saves us a lot of time too." - A major medical software provider.

"We spent thousands on backup hardware, software and tapes. What we found out is that our backups were failing more than 75% of the time. Worse, we did not have the in-house expertise to restore the data. We sold our equipment on eBay, which will pay the first two years of our OBS service. Better yet, I sleep better knowing that we have OBS on call whenever we need them." - A Tampa property management company with 22 employees.

"My office staff was spending close to two hours a day of extra time doing the backups. Plus we had no assurance that the data was available if we needed it. Nor was it really secure. Thanks OBS." - A Clearwater, Florida general practice medical office.

If you or your staff are so inclined, you can see whether the backup was successfully completed. You can also elect to receive a confirmation e-mail, or just let us monitor that all designated files are backed up.

For more information about OBS, please visit our website or contact us

GMx Solutions, LLC
13176 N. Dale Mabry Highway, Suite 421
Tampa, Florida 33618
Phone 813-868-1105

Please note that nothing in this White Paper is intended to constitute legal advice. For more information about HIPAA and compliance with HIPAA requirements, please consult your legal counsel.