NovaBACKUP Security Blog

So, You’re Finally Taking A Closer Look at HIPAA?

Welcome to the future!

While it may not feel like it (still no flying cars), the world and our daily lives have become far more complex. Especially when it comes to how we access, move, and store data. When it comes to healthcare, these advancements also mean increased potential for the unintended breach of a patient’s privacy.

Download The 5 Most Overlooked Steps to HIPAA Compliance.

HIPAA ComplianceTake the steps necessary to maximize your HIPAA compliance.

HIPAA is Part of Our Daily Lives

The high-tech act significantly increased the civil monetary penalties for HIPAA privacy violations or lack of breach notification, while the federal government can always impose criminal penalties.

This has created a sense of urgency for medical and dental practices to better understand their security requirements and reevaluate their privacy policies.

Is Your Practice Fully HIPAA Compliant?

How many practices feel they are only 90, 75, or even 50% HIPAA Compliant? Many facilities may not even know that just because they don’t send electronic claims, it does not release them from the legal and ethical obligation to protect patient privacy.

The most daunting and time-consuming challenge is the risk analysis. It is multi-layered and involves a taking hard look at each aspect of your administrative, technical, and security safeguards:

  • Determine the level of risk
  • Determine the likelihood of threat occurrence & potential impact
  • Identify security measures and finalize documentation
  • Develop written procedures & policies
  • Ongoing training & documentation

Next Step: Confronting and Correcting

Once your risk analysis is complete, it’s time to develop written policies and procedures based on what you’ve learned.

Lastly, you are required to have ONGOING training for your team. What does “ongoing” mean?
I suggest that at least once a month you set aside 30 minutes to discuss issues that may have arisen or situations that need correction. It is also a great time to “work your way through” the extensive procedure manual by going over a few pages at a time.

A critical aspect of this is to document the training. Like everything else… you must be able to prove that this is something you are taking seriously.

A breach occurs when the privacy or security of the patient is compromised because someone acquired, accessed, used, or disclosed protected patient information.

What Constitutes the Need for a Breach Notification?

  1. The practice is not required to report a breach, if, through their risk analysis, they can prove there is a low probability that the information has been compromised.
  2. The practice is required to notify those affected. Oral disclosure (spoken word) meets the definition of a breach.
  3. Business Associates must notify the covered entity of a breach ASAP, but no later than 60 calendar days, so it can be determined who is responsible for notification.
  4. The practice must put out the notification ASAP but no later than 60 calendar days after the discovery of the breach.
  5. For 10 or fewer persons, patients must be provided written notice, or be notified by telephone, email, or other forms of notification.
  6. For more than 10 persons, patients must be notified, and if they cannot be reached, then a conspicuous notice must be placed on the practice website home page for 90 days, or in a major media outlet in the geographical area of the persons affected by the breach.
  7. For 499 or fewer people affected, the practice must keep a log and submit it to HHS no later than 60 calendar days from the end of the calendar year.
  8. For 500 or more persons affected: if a breach involves 500 or more persons, then the practice must notify HHS without unreasonable delay, and no later than 60 calendar days from discovery. The practice must ALSO notify prominent media outlets (usually a press release) no later than 60 calendar days after discovery.

In Matters of Data Security

In my experience as a HIPAA consultant, most of my smaller clients are dental practices with 1-3 doctors backing up their clinical software and patient information. They usually do not have the luxury of a dedicated IT staff member, and often they rely on their preferred IT integrator, or the most technical person in the office to get the job done. Often this means, that the backup method they have been utilizing is not secure.

Some offices may back up when they close the month but have never tested restoring data from their backups. They may backup to a tape daily, but only have their data located onsite – possibly even unencrypted. We’ve even seen cases where there was no backup being done due to confused policies, and the assumption that someone else was doing it.

Practices must perform daily backups using a product such as NovaBACKUP for them to be protected from data loss and to keep them in compliance with HIPAA. Not only does NovaBACKUP meet the stricter HIPAA mandates, but their support team is also located locally for easy access, offering remote Setup Assistance.

Having an automated backup schedule reduces the amount of effort required by the practice, while email summary reports deliver immediate confirmation that backups have been completed successfully.
These reports make the Security Officials' job much easier in terms of auditing, providing a level of confidence that a restore can be rapidly accomplished should data ever be lost or compromised.

Keep Calm and Achieve Compliance

It’s all about assessment and mitigation. Reaching the state of HIPAA compliance is an ongoing process. While the multiple layers of rules and regulations can be intimidating, this should certainly not cause you to delay in taking on the issues of data security in your environment. You must get started on this process right away! If you are selected for an audit, you could be required to produce your procedural manual and risk assessment in as little as 10 days.

What I have tried to accomplish here today is to provide an overview of the basic information that can work as a first step toward bringing your office into compliance. Taking the next step means a risk analysis and putting together a comprehensive HIPAA protocol and policy program.

Theresa-SheppardA special thanks to Theresa Sheppard for sharing her insight on HIPAA compliance.

For information about HIPAA-compliant backup software visit: