The Department of Health and Human Services (hhs) Outlines Regulations for the Use and Dissemination of Individual Health Care Information

HIPAA, Administrative Simplification (AS) provisions, defines rules and requirement on privacy and security practices of health care information. In Title II, the Department of Health and Human Services (HHS) outlines regulations for the use and dissemination of individual health care information.

These rules apply to covered entities, including health plans, health care clearinghouses, such as outsourced billing companies and community health information systems and health care providers that transmit health care information in a way that is regulated by HIPAA. [Code of Federal Regulations
Title 45, Volume 1]

The Privacy Rule establishes regulations for the use and disclosure of Protected Health Information (PHI). PHI is any information about health status, provision of health care, or payment for health care that can be linked to a person. This includes any part of a patient’s medical record or payment history. [Code of Federal Regulations. Title 45, Volume 1]

Security Rule deals specifically with Electronic Protected Health Information (EPHI) and requires Administrative Safeguards - policies and procedures designed to clearly show how the entity will comply with the act

Covered entities that out-source parts of their business processes to a trusted third party must ensure that their vendors also have a framework in place to comply with HIPAA requirements. Companies typically gain this assurance through clauses in the contracts stating that the vendor will meet the same data protection requirements that apply to the covered entity. Care must be taken to determine if the vendor further out-sources any data handling functions to other vendors and monitor whether appropriate contracts and controls are in place.

A contingency plan should be in place for responding to emergencies. Covered entities are responsible for backing up their data and having disaster recovery procedure. The plan should document data priority and failure analysis, testing activities, and change control procedures.

Internal audits play a key role in HIPAA compliance by reviewing operations with the goal of identifying potential security violations. Audits should be both routine and event-based.

In order to have an online backup that is HIPAA compliant you need to meet all the requirements of the Final HIPAA Security rule dated February 2003 and required after April 21, 2005.  You should ensure that a backup provider exceeds the standards set in the security rule by encrypting all data before it is sent over a secure SSL connection to the remote backup service. An effective solution is to have the Encryption Key generated by the customer and is known only to the customer and to ensure that the Key is not transmitted to the HIPAA compliant online backup server.

A HIPAA online backup provider should encrypted the data on the server with military grade encryption and not accessible to the backup provider or employees.  Ensure that the local backup client encrypts all data prior to transmission to the remote systems. Data can only be recovered by transmitting it back to the local client that decrypts the data using the encryption key.