Protected health information, or PHI for short, is defined by HIPAA as information that identifies a patient by name, or information that when taken together or used with other information may be used to identify a patient. The goal of HIPAA is to protect patient privacy, so keeping this identifying health information private and secure is the main goal of storage. However, preventing data breaches and unauthorized access of stored information isn’t always as is easy as it sounds. Below, we will discuss how your practice and business associates can apply storage safeguards to keep PHI and ePHI safe in HIPAA compliant storage.
PHI vs ePHI
For decades, PHI has been the main focus of healthcare organizations. However, more and more healthcare organizations are utilizing ePHI, or electronic protected health information, to minimize storage costs and increase storage redundancy without adding additional paperwork.
Both PHI and ePHI need to be protected by applying the standards that HIPAA sets. While the storage of physical documents versus the storage of virtual documents may vary in procedure, both emphasize the need for strict access controls to prohibit unauthorized access, and both must comply with appropriate breach notification procedures. The following best practices will provide a more detailed explanation of how to implement the protection of each:
PHI Storage Best Practices
Depending on whether the PHI is physical or electronic, it will have to meet certain Technical, Administrative and Physical safeguards during storage and transmission in order to be HIPAA compliant. Both covered entities and business associates (cloud storage partners, etc) must implement these safeguards.
1. Administrative Best Practices — Covered entities and business associates should each appoint a security administrator to oversee that all storage best practices are being applied in accordance with HIPAA. This administrator should create storage policies, ensure Business Associates Agreements are being signed by all business associates and cloud providers, and conduct audits to ensure the practices in place are working as they should.
If you’re storing your ePHI with a cloud backup or cloud storage provider, they should undergo an annual, independent audit of their service organization controls to ensure their facilities and procedures are meeting or exceeding industry security standards.
Security administrators should also conduct a risk assessment to determine where PHI and ePHI lives within the organization, what risks threaten it (ie: natural disaster, malicious breach, etc), and then create a plan of technical and physical best practices to thwart these threats and reduce the risk they carry.
2. Physical Best Practices — applies to computers, workstations, servers, data centers, and all other locations where either ePHI or PHI is stored. Physical safeguards for PHI include keeping paper records in locked cabinets, storing PHI out of sight from unauthorized individuals, and providing physical access control to records via: a security authority, PIN pads, ID swipes, and more.
While ePHI is stored digitally, physical safeguards still apply. Hard drives, computers and portable devices are physical devices vulnerable to breach and data loss due to device loss, theft, natural disaster and negligence.
In addition, documents and ePHI stored in any physical location or on any physical device should be backed up to a non-physical location in the cloud to prevent loss or deletion of the patient’s data.
If you’re working with a cloud partner as a business associate to help you store and backup your data to the cloud, you’ll want to ensure they provide the appropriate physical safeguards at their data centers. These include biometric fingerprint scanners, armed security guards, locked server cabinets and more.
Remember that aside from HIPAA, each state sets its own records retention length for patient health information. This time period often covers the life of the patient, so you’ll want to ensure your cloud provider makes it possible for you to recover data for at least that long.
3. Technical Best Practices — Technical standards apply to all ePHI and must be implemented by both business associates and covered entities to protect and control access to and transmission of data.
When storing data in the cloud, it must first be transmitted. However, it’s important that ePHI is protected from unauthorized and malicious access even during transit to the cloud. For this reason, encryption alone is not enough. The cloud provider you select to store and backup your data should offer end-to-end encryption, meaning that the data will be encrypted even during transit.
To ensure business continuity and the ability to recover ePHI despite loss or deletion due to physical, human, or natural disaster, data should be backed up to the cloud with a provider who offers unlimited previous file version histories. Using a cloud backup service with this feature will allow you to recover patient health information from any point in time, and restore it to its original state if you realize too late its integrity has been jeopardized by a virus.
Cloud backup service like Nordic Backup and others provide end-to-end encryption with unlimited previous file versioning to ensure data is safe enroute to the cloud and can be restored back to any previous file version if the unfortunate occurs. In addition, by providing a backup service that operates continuously and automatically, your practice can eliminate the human error and risk involved in remember to schedule backups.