There are many reasons to have a data backup plan within your practice—and legality is one of them.
Although phrases like “data backup” and “data recovery” may call to mind nefarious hackers and identity theft, the far more likely scenario is a physical event such as a fire or natural disaster. In such an event, could you access your patients’ information?
Aside from the obvious reasons you need to back up data, such as having access to your patients’ contact and billing information or your own patient visit notes, federal law mandates it. The HIPAA Final Security Rule states very plainly that all covered entities and business associates must have secure, exact copies of protected health information.
The first thing to consider when it comes to data backup (and recovery) is how the information is stored. If you use an electronic health records (EHR) system, there are two ways the data could be stored:
1. On-premises
This method, which involves using CDs, thumb drives, tape drives, or similar devices to copy all of your data daily, requires that someone manually perform the backup each day and that the backup device be moved to another location. As you can imagine, there are some drawbacks, including space, time, and expense.
2. Software as a service (SaaS)
If you’ve heard the phrase “cloud computing,” then you’ve heard of SaaS. In this method, every keystroke is transmitted to servers off the premises. The main problems with SaaS are security—federal regulations require your data be encrypted to maintain security—and cost.
SaaS is becoming increasingly common, partly because EHR systems are more often built for that method and because it offers some advantages that local, or on-premises, backups do not. Also, in most of the United States, good Internet connections are more readily available, which makes SaaS more reliable than it may have been in the past.
Choosing a vendor from which to purchase an EHR system may be the most complicated part of using SaaS for data backup. Many EHR systems have built-in data backup functions, and many vendors offer the service at an additional cost.
If using SaaS is appealing, you need to do some research on how it will fit in with your current workflow. If you have an EHR system, does it include data backup and recovery as part of the package? Is that a service the vendor offers? What is the cost comparison between what you are currently doing and the cost of the service from a vendor?
Another consideration is whether your software vendor is certified. Vendors who are certified through the Centers for Medicare and Medicaid Services (CMS) must meet some fairly rigorous standards and, as such, are very familiar with the regulations of HIPAA regarding data backup and recovery.