In computing, a backup is a copy of your files kept on a second medium (a disk, a tape or cloud storage), preferably off site, as a precaution in case the first medium fails. One of the cardinal rules of computing is: back up your files regularly and store the backup off premises.
Even the most reliable computer will eventually break down. Most professionals recommend keeping a minimum of three (3) backups of all your files, with at least one stored at a different, off-site location from the others. You can back up files with operating system commands, with a special-purpose backup utility, or with the Accra Remote Backup Service (secure and encrypted).
Most businesses use complete backup solutions that provide storage on removable media, data compression, automatic backups to off-site storage and automated scheduling, all of which increase the reliability of the backups.
Filopto Backup Recommendations
Filopto system backups must be done on a regular (daily) basis, and you must test your backups regularly to ensure that they can actually be restored. We recommend keeping a minimum of three (3) backups of your Filopto system at all times, encrypted and stored off site in a secure environment (the recommended minimum for meeting PHI protection and HIPAA backup requirements).
Accra Solutions Inc has integrated an optional secure remote backup service into Filopto. Located in the Configuration Manager tab, this service automates the backup task for you and is designed to meet or exceed government backup requirements. See the Accra Backup Service section of this Help for more details.
Important
Never back up Filopto databases while someone is in the Filopto program or using it. All users must be out of Filopto for a successful backup. Backing up Filopto while users are using it or logged on to it can corrupt your database, or leave you with an inconsistent backup that will not restore.
For maximum protection, back up all of the Filopto data directories including their sub directories. You should also keep a full backup of your main server/PC.
If you are unfamiliar with backup strategies and methods, we strongly recommend that you contact a specialist in the field to assist you, or contact Accra Solutions Inc.
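The cycle the recommendations above describe (all users out, the whole data tree including sub directories, a copy that is then proven to restore), as an added example that is not Filopto or Accra Solutions code. SESSION_MARKER is a hypothetical stand-in for "a user is still logged on", since the page names no real Filopto lock file; the data files are constructed; and the archive must still be encrypted by your backup tool before it leaves the premises, which this example does not show:

```python
"""Backup-and-restore self-test for a Filopto-style data directory tree.

Added example, not Accra Solutions or Filopto code. SESSION_MARKER is a
hypothetical stand-in for "someone is still logged on" (the page names no lock
file), the sample files are constructed, and encryption of the archive before
it leaves the premises is left to the site's backup tool.
"""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

SESSION_MARKER = "ACTIVE_SESSION"  # hypothetical; the real rule is: all users out first

class UsersStillLoggedOn(RuntimeError): pass   # raised instead of taking a backup that could be corrupt

class RestoreMismatch(RuntimeError): pass      # raised when the restored copy differs from the original

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (sub directories included) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def archive_tree(root: Path) -> tuple[bytes, dict[str, str]]:
    """Refuse while users are on, then tar the whole tree; returns archive + manifest."""
    if (root / SESSION_MARKER).exists():
        raise UsersStillLoggedOn(f"{SESSION_MARKER} present under {root}; backup refused")
    manifest = build_manifest(root)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for rel in manifest:
            tar.add(str(root / rel), arcname=rel)
    return buf.getvalue(), manifest

def restore_and_verify(archive: bytes, manifest: dict[str, str], dest: Path) -> int:
    """Unpack the archive into dest and check each file against the manifest.

    Returns the number of files verified. A backup that has never been put
    through this step is untested, whatever the backup log says.
    """
    restored = 0
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            name = member.name
            if not member.isfile() or name.startswith(("/", "..")) or "/../" in name:
                raise RestoreMismatch(f"refusing suspicious archive entry {name!r}")
            target = dest / name
            target.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src:
                target.write_bytes(src.read())
            if manifest.get(name) != sha256_of(target):
                raise RestoreMismatch(f"{name} restored with different contents")
            restored += 1
    if restored != len(manifest):
        raise RestoreMismatch(f"restored {restored} files, manifest lists {len(manifest)}")
    return restored

def backup_and_test(root: Path, dest: Path) -> tuple[bytes, int]:
    """Full cycle: take the backup, then prove it restores intact into dest."""
    archive, manifest = archive_tree(root)
    return archive, restore_and_verify(archive, manifest, dest)

def make_sample_tree(root: Path) -> None:
    """Constructed stand-in for the Filopto data directories."""
    (root / "images").mkdir(parents=True, exist_ok=True)
    (root / "patients.db").write_bytes(b"constructed record 1\n")
    (root / "images" / "scan.idx").write_bytes(b"constructed index\n")

def run_demo() -> dict:
    """Normal cycle, then a restore that does not match, then a backup attempted with users on."""
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        root, dest = Path(tmp) / "data", Path(tmp) / "restore"
        make_sample_tree(root)
        archive, result["files_verified"] = backup_and_test(root, dest)
        bad = build_manifest(root)
        bad["patients.db"] = "0" * 64  # what was recorded no longer matches what restores
        try:
            restore_and_verify(archive, bad, Path(tmp) / "restore2")
            result["mismatch_detected"] = False
        except RestoreMismatch:
            result["mismatch_detected"] = True
        (root / SESSION_MARKER).touch()  # a user logs back in
        try:
            archive_tree(root)
            result["refused_while_logged_on"] = False
        except UsersStillLoggedOn:
            result["refused_while_logged_on"] = True
    return result

if __name__ == "__main__":
    print(run_demo())
```

Run it and it reports how many files were verified after the restore, whether a non-matching restore was caught, and whether a backup was refused while a user was logged on. The restore_and_verify step, pointed at a real backup and a scratch directory, is the periodic recovery test that the HIPAA comments below call for; an archive that has only been written, never restored, proves nothing.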
HIPAA Security Rule and The HITECH Act
The HIPAA Security Final Rule sets out your responsibility for backing up your patients' protected health information (PHI). The following are comments on those requirements.
These comments and their references are not legal advice. Consult qualified counsel on any legal issue that concerns you or your organization, or on questions of compliance.
•The rules are not optional - All covered entities (CEs), including medical practices, and their business associates (BAs) must securely back up "retrievable exact copies of electronic protected health information" (45 CFR 164.308(a)(7)(ii)(A)).
•Your data must be recoverable - Why else back it up? You must be able to "restore any loss of data" (45 CFR 164.308(a)(7)(ii)(B)), which is why you have to test your backups on a regular basis.
•You must get your data off-site (in case of disaster) - as required by the HIPAA Security Final Rule (45 CFR 164.308(a)(1)). A data backup and disaster recovery plan that keeps the backup copies of ePHI in the same location as the original data store cannot be defended once that location has been destroyed by a disaster.
•You must back up your data frequently - as required by the HIPAA Security Final Rule (45 CFR 164.308(a)(1)). In today's real-time transactional world, a server crash, database corruption or erasure of data by a disgruntled employee would be a significant data loss event if the most recent backup were two days old.
•Safeguards must continue in recovery mode - The same security requirements that apply under normal business operations also apply during emergency mode operations. CEs and BAs cannot let their guard down (45 CFR 164.308(a)(7)(ii)(C)).
•Encrypt or Destroy - Under HITECH, PHI counts as "unsecured" (and a loss of it is a reportable breach) unless it has been rendered unusable, unreadable or indecipherable to unauthorized persons, in practice by encryption or destruction (Section 13402(h) of Title XIII, HITECH Act). The HIPAA Security Rule requires encryption of ePHI in transit wherever reasonable and appropriate (45 CFR 164.312(e)(2)(ii), an addressable specification). Many CEs and BAs fail in this area because tapes, CDs, DVDs, USB drives and disk-based backups are moved around freely, unencrypted.
•You must have written procedures for your data backup and recovery plan - Policies and procedures (45 CFR 164.316(a)) and documentation (45 CFR 164.316(b)(1)) are a huge part of the HIPAA Security Final Rule.
•You must test your recovery - A backup is useless if the recovery fails, so the law requires that you "Implement procedures for periodic testing and revision of contingency plans" (45 CFR 164.308(a)(7)(ii)(D)). Testing recovery is time-consuming, so many organizations rarely do it; schedule it anyway, and keep a record of each test.
•Non-compliance penalties are severe - Penalties were increased significantly under the tiered Civil Monetary Penalty (CMP) system, with a maximum of $1.5 million per calendar year for all violations of an identical provision. In September 2015 a doctor's office was fined $750,000 for failing to meet the requirements. On August 3, 2016 an Ohio doctors' group was hacked and 156 GB of its data was posted online by a hacking group.