SafeCopy and HIPAA Compliance

Is SafeCopy Backup HIPAA Compliant?

While there is no standard certification for HIPAA compliance by any backup software, SafeCopy Backup complies with the Final Security Rule, the Privacy Rule, and our data centers comply with the Physical Security section of the rules. That’s as good as any backup service can do.

At the time of this writing (March 24th, 2009) there is no HIPAA compliance certification for backup services or software. With that said, SafeCopy meets the security and privacy requirements necessary to help your organization be HIPAA compliant.

HIPAA requires healthcare providers to establish a written disaster plan in case of emergencies that threaten data. Part of this plan is a data backup and recovery plan. SafeCopy Backup is valuable as part of a larger data protection and disaster recovery plan.

SafeCopy Backup secures data using 128-bit SSL encryption before being sent over the Internet. During storage on our backup system we use military-grade 448 bit encryption. The data can only be decrypted by the end user login and is not available on the SafeCopy system or by our staff.

Who Must Comply with HIPAA?

In 1996, a bill known as the Kennedy-Kassebaum Bill was passed by the U.S. Congress and signed into law by President Bill Clinton. The new law was known as the Health Insurance Portability and Accountability Act of 1996, or more commonly, HIPAA. It had started as a measure to ensure that workers could keep their health insurance when they changed jobs. By the time of its passage, it had become much more complex and far-ranging, affecting the vast majority of all health-care entities in the United States.

Because of the complexity and wide range of HIPAA, there has been and continues to be a great deal of confusion about how it applies to many areas, including Online Backup.

Those who must comply with HIPAA fall into two categories. The first category is Covered Entities. Covered Entities include all health plans, health care clearinghouses, or health care providers who transmit health information in electronic form.

The second category is the Business Associates of those Covered Entities. A Business Associate is someone who performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing.

Business associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.

However, persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information (PHI), and where any access to protected health information by such persons would be incidental, if at all.

What is the background of HIPAA?

The Five Parts of HIPAA

  • Title 1 – Health Insurance Portability – helps workers maintain insurance coverage when they change jobs
  • Title 2 – Administrative Simplification – standardizes electronic health care-related transactions, and the privacy and security of health information
  • Title 3 – Medical Savings Accounts & Health Insurance Tax Deductions
  • Title 4 – Enforcement of Group Health Plan provisions
  • Title 5 – Revenue Offset Provisions

Four of the five parts of HIPAA have no bearing on Online Backup. The one part that does apply is Title 2 – Administrative Simplification.

Title 2 – Administrative Simplification

HIPAA Administrative Simplification consists of two areas. The first is commonly referred to as the Transactions and Code Sets Rule, although it also covers standardization of identifiers. This Rule requires standardization in all health-related electronic transactions, such as electronic transmission of insurance claims, verification of insurance, statements, explanations of benefits, remittance advice, etc.

Online Backup is not a health-related transaction, and is therefore not covered under the Transactions and Code Sets Rule, so there are no compliance issues here.

The second area of Administrative Simplification is made up of two Rules, the Privacy Rule and the Security Rule. Because these two rules are where the most confusion arises, we will examine them in some detail.

Privacy and Security Rules Overview

Before the Privacy and Security Rules can be explained, we must understand what they are intended to protect. Both Rules are intended to safeguard any health-related information that can be traced to or used to identify an individual. Some examples of this type of information include name, address, Date of Birth, Social Security number, or any other identifier. This type of information is referred to as Protected Health Information, or PHI.

The Privacy Rule and Security Rule are intended to protect PHI in different ways. The Privacy Rule sets out limits on who can have access to PHI and for what purpose. The Security Rule regulates the Procedural, Physical and Technical means that are used to protect PHI.

Privacy Rule

The Privacy Rule places limits on the ways that PHI can be used and disclosed, and requires accounting of disclosures. SafeCopy Backup is designed so that only the user’s credentials can access the data. SafeCopy Backup secures data using 128-bit SSL encryption before being sent over the Internet. During storage on our backup system we use military-grade 448 bit encryption. The data can only be decrypted by the end user login and is not available on the SafeCopy system or by our staff.

Security Rule

The Security Rule is the one part of HIPAA that clearly applies to Online Backup Services. The Final Security Rule was published in February 2003, and became effective on April 21, 2003. Compliance with this Rule was required by April 21, 2005.

The Security Rule legislates the means that should be used to protect PHI. It requires that covered entities have appropriate Administrative Procedures, Physical Safeguards, and Technical Safeguards to protect access to PHI.

Examples of appropriate safeguards include:

  • Establishment of clear Access Control policies, procedures, and technology to restrict who has authorized access to PHI.
  • Establishment of restricted and locked areas where PHI is stored.
  • Establishment of appropriate Data Backup, Disaster Recovery, and Emergency Mode Operation planning.
  • SafeCopy Backup security mechanisms such as encryption to protect data that is transmitted.

SafeCopy Backup is compliant with the Final Security Rule and contains all appropriate technical security mechanisms to protect the data that is transmitted to and from the SafeCopy Backup Data Centers.

In addition, the SafeCopy Backup Data Centers are physically secured in protected buildings with card-access gates, security cameras inside and out, 24×7 presence of guards and technicians, redundant alarm systems, automatic fire supression, and multiple redundant Internet connections.

SafeCopy Backup can be an important part of your compliance strategy as part of a comprehensive security plan.

For more information on HIPAA please visit hipaa.org or hss.gov/ocr/hippa

Disclaimer

Please note that, although all information presented on this page is believed to be factually correct, this page is not intended to give legal advice. Please consult with your legal counsel if you have questions about your specific situation.