Of all the HIPAA rules and regulations that we will be discussing in upcoming articles, in my mind, having a contingency plan is easily the most critical.
In dentistry, we use various terms like data backup, disaster recovery, and practice continuity, but they all come down to the same requirement: a solid, restorable backup of your critical practice data, and a way to get the practice running again from it.
Of course, dental practices can and should have backup plans in place for reasons that go well beyond HIPAA compliance: a practice that loses its critical practice data would most likely not recover from that, and a practice that doesn't have a way to get up and running quickly after a disaster will also suffer tremendous losses to the bottom line.
However, in this article, we need to discuss the five components of a HIPAA contingency plan. For those of you who want a reference, it's the Security Rule's contingency plan standard, 45 CFR 164.308(a)(7):
Data Backup Plan: The actual wording from HIPAA is that you must "establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information". Hopefully, most of you already have this in place. The plan, though, should ensure that you are actually backing up all of the ePHI (electronic Protected Health Information), not just the practice management database; that the backup is stored in a safe and secure place; and that you back up frequently enough for your environment, which basically means daily for dental offices.
Disaster Recovery Plan: It's not enough to have a plan to back up the data; you actually need to prove that you can restore that data should there be a disaster such as fire, flood, or theft. In practice, that means the data has to exist in more than one place, such as locally and offsite, so that a single event can't destroy both the server and its backup.
Emergency Mode Operation Plan: If you are running off a backup or a temporary system, the need for HIPAA compliance is still very much intact. Is that data encrypted? Is access to it limited to the people who need it, and is that access logged so it can be monitored? Do you have the same security measures in place to protect the data as you did before the emergency?
Testing and Revision Procedures: Here's the sticking point that I estimate 95% of dental offices aren't doing: you MUST test the backups on a regular basis, which means actually restoring them and confirming the restored data is complete and usable, not just checking that the backup job reported success. And revise your existing contingency plan as needed when the test turns something up or the practice changes.
Applications and Data Criticality Analysis: That's a mouthful! Basically, it means figuring out which applications and data need to be restored first (practice management data, for example) and which can be restored later (existing images).
So, what's the best way to back up your data? I recommend a two-pronged approach. First, an "image" of your server; this is a snapshot of the entire server: programs, settings, data, everything. The beauty of an image is that you can restore an entire server in a matter of minutes. I normally recommend putting this image on a Network Attached Storage (NAS) device on the office network, which lets the imaging software take incremental snapshots as often as every 15 minutes and restore them rapidly. Of course, having this image locally won't help you if the office burns down, so you also need an offsite backup. A cloud backup is the easiest way to handle this, and it is secure as long as the data is encrypted in transit and at rest and the cloud provider, which is now storing ePHI on your behalf, has signed a business associate agreement with you.
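To make the "testing and revision" and "criticality analysis" components concrete, here is an added example of an automated backup test; it is not code from the original article or from any backup product. It builds a constructed sample data set (stand-in files, not real patient records), backs it up to a tar.gz with a SHA-256 manifest, and then does what a real test should do: restores the archive into scratch space, compares every restored file against the manifest, flags a backup older than the daily requirement as stale, and lists the files in the order a hypothetical criticality ranking says they should be restored. The file layout, the priority table and the 24-hour limit are assumptions chosen for the example.

```python
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path

# Constructed stand-in practice data; these are NOT real patient records.
SAMPLE_FILES = {
    "pm/patients.db": b"id,name,dob\n1,Sample Patient,1980-01-01\n",
    "pm/schedule.db": b"2024-05-01,09:00,1,prophy\n",
    "images/xray_0001.dcm": bytes(range(256)) * 8,
}

# Hypothetical criticality ranking: practice-management data restores first,
# existing images later (the "applications and data criticality analysis").
RESTORE_PRIORITY = {"pm": 1, "images": 2}

MAX_BACKUP_AGE_HOURS = 24  # "daily" backups, as the article recommends


def write_sample(root: Path) -> None:
    """Create the constructed sample data set under root."""
    for rel, data in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path, manifest_path: Path) -> dict:
    """Archive source to a .tar.gz and write a manifest of the expected hashes."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    manifest_path.write_text("".join(f"{d}  {rel}\n" for rel, d in manifest.items()))
    return manifest


def read_manifest(path: Path) -> dict:
    return {rel: d for d, rel in (line.split("  ", 1) for line in path.read_text().splitlines())}


def verify_backup(archive: Path, manifest_path: Path, now=None) -> dict:
    """Test-restore the archive into scratch space and compare every file with the
    manifest. 'ok' is True only if the copy is fresh, complete and byte-for-byte exact."""
    now = time.time() if now is None else now
    expected = read_manifest(manifest_path)
    report = {"ok": False, "stale": False, "missing": [], "corrupt": [], "extra": [],
              "error": None, "restore_order": []}
    report["stale"] = (now - archive.stat().st_mtime) / 3600 > MAX_BACKUP_AGE_HOURS
    with tempfile.TemporaryDirectory() as scratch:
        scratch = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(scratch, filter="data")  # refuses path traversal (Python 3.12+)
                except TypeError:  # older Python without the filter argument
                    tar.extractall(scratch)
        except (tarfile.TarError, OSError) as exc:
            report["error"] = str(exc)  # unreadable archive: the backup is useless
            return report
        restored = build_manifest(scratch)
    for rel, digest in expected.items():
        if rel not in restored:
            report["missing"].append(rel)
        elif restored[rel] != digest:
            report["corrupt"].append(rel)
    report["extra"] = sorted(set(restored) - set(expected))
    report["restore_order"] = sorted(
        expected, key=lambda rel: (RESTORE_PRIORITY.get(rel.split("/")[0], 99), rel))
    report["ok"] = not (report["stale"] or report["missing"] or report["corrupt"])
    return report


def tamper_manifest(manifest_path: Path, rel: str) -> None:
    """Simulate a file that no longer matches its backup by altering its recorded hash."""
    m = read_manifest(manifest_path)
    m[rel] = "0" * 64
    manifest_path.write_text("".join(f"{d}  {r}\n" for r, d in m.items()))


def run_demo() -> dict:
    """Exercise the backup test on the constructed sample data: a good backup,
    the same backup judged two days later, and one whose contents no longer match."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, arc, man = tmp / "practice", tmp / "nightly.tar.gz", tmp / "nightly.manifest"
        write_sample(src)
        create_backup(src, arc, man)
        fresh = verify_backup(arc, man)
        stale = verify_backup(arc, man, now=time.time() + 48 * 3600)
        tamper_manifest(man, "pm/patients.db")
        tampered = verify_backup(arc, man)
    return {"fresh": fresh, "stale": stale, "tampered": tampered}


if __name__ == "__main__":
    for name, rep in run_demo().items():
        print(f"{name}: ok={rep['ok']} stale={rep['stale']} corrupt={rep['corrupt']}")
```

The point of the scratch-directory restore is that it exercises the same path you would use on the day of a disaster; a backup that is present but cannot be extracted, or that extracts with different bytes, fails the test just as a missing backup would. The restore order in the report is where the criticality analysis lives: change the priority table and the order changes with it.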
Dental offices should always have a backup and disaster recovery plan in place, but thanks to HIPAA, it’s now the law!
There’s no time like the present to reevaluate how you are backing up and protecting your patient data.