Securing your information is more than just common sense--it's a HIPAA must. Here's how to do it right.
Securing your information is more than just common sense it's a HIPAA must. Here's how to do it right.
Because they back up their computer work each day, the six doctors in a Texas practice weren't worried when the hard drive on their server crashed. The doctors replaced the drive and then attempted to restore their billing and scheduling data from the backup tapes.
Unfortunately, the tapes were blank. "Nobody had bothered to verify that the backup system was working," says Mark Johnson, president of a medical computing firm in Dallas called MediNetwork.
The practice eventually recovered most of its data from the crashed hard drive, but not before losing thousands of dollars in messed-up insurance claims.
If the prospect of financial pain doesn't motivate you to get your backup act together, perhaps a federal law will. HIPAA explicitly requires you to back up patients' "protected health information," or PHI.
What to back up. Take an inventory of your electronic data (another HIPAA requirement). If a fire, say, destroyed your computers, what information would you need in order to carry on as usual with replacement equipment? Obviously, you'll need to copy practice management data and electronic medical records. But don't forget electronic copies of transcription and referral letters as well as financial information stored in programs like QuickBooks, says Ron Sterling, president of Sterling Solutions, a health care computer consulting company in Silver Spring, MD.
When it comes to practice management and EMR systems, consultants say you should stow away a duplicate of a current version of the actual application programsincluding patchesin addition to backing up data files. Otherwise, if you try to rebuild your system combining the original version of the software with the data files, it may not work. Is your network configured so that application programs reside in the same computer as data files? Back them up together.
Tape is king. Technology choices for backup aboundCD-RW drives, DVD drives, Zip drives, external or removable hard drives, and online services. Nevertheless, the pros consider tape to be the most reliable and cost-effective. "Taping is slower, but that's no problem if you do it at night," says Ryan Haislar, a consultant with Computerease in Collinsville, IL. And other devices, except for backup hard drives, can't match tape's storage capacityreaching into the hundreds of gigabytes.
Granted, a soloist with just one computer probably can load all his data on a Zip disk. However, he's still better off with tape, even though it costs more, says John Whitinger, a system engineer with practice management software vendor Microsys Computing. "Your data is the lifeblood of the practice," says Whitinger. "Do you feel comfortable putting everything on a $99 Zip drive?"
A tape drive, tape-backup software, and the tapes themselves will cost anywhere from $750 to $5,000, depending on how much you need to back up and the quality of the equipment. Tape tip: Tapes don't last forever, so replace them according to the manufacturer's recommendations. Backing up on worn-out tapes jeopardizes your data.
Automate. Don't rely on your employees to remember to press a key every day to back up. Instead, use software to do it. These programs are typically sold together with tape drives. If you use another device, automate it with all-purpose software such as NovaBACKUP from NovaStor.com (www.novastor.com) or the backup utility that comes with Windows (in Windows XP, left-click on Start, go to All Programs, then Accessories, then System Tools, and then Backup).
When to back up. Normally, backups are scheduled every 24 hours at night when your system is idle. If you use tape, don't run the same tape over and over, says Sterling. Instead, rotate through a set of five or 10a tape for each weekday over one or two weeks. That way, if a virus corrupts your data files on Wednesday, and you discover the problem on Friday, you can restore the files from the clean Monday tape.
Some larger practices, drowning in data, find it too time-consuming to perform complete backups every night. Instead, they do incremental backups, copying only those files that have changed since the last backup. However, the incremental approach requires a full backup at least weekly.
Testing. Make sure you've copied what you intended to, lest you end up with a blank. Software for tape typically lets you choose a verification option, says Craig Passman, director of network services for Misys Healthcare Systems, a vendor of practice management and EMR software. Staffers should take pains to study the software's backup log for errors or malfunctions, he adds.
HIPAA requires you not only to devise a plan to restore lost data, but to test that plan. Experts admit that small practices may find it hard to comply, partly because they'd need a spare computer to conduct a trial run. However, there are a few options. Ask your software vendor if it would restore your system with backed-up data on its equipmentthe company may do so for free. Or ask the same favor of a consultant who helped set up your system.
Storage. To play it safe, take your backup media off-site. Too often, say consultants, staffers leave tapes on top of their computers. "They could be stolen, or destroyed in a fire," says MediNetwork's Mark Johnson. However, off-site storage should be safe and secure. In other words, don't let your tapes cook in a parked car.
It's prudent, though, to keep an extra copy of your data in a protected place at the office. While off-site copies are a must, they may not be readily accessible during an emergency. For as little as $200, you can buy a fireproof media safe for an on-site copy (this could serve as your weekly backup, as well).
There's one more insurance policy against disastera second hard drive in your server that contains everything written on the main drive. "Mirrored" hard drives can save the day if one drive crashes, but you'll still need a retrievable backup if a natural disaster wipes out your system. Fear Mother Nature just as much as HIPAA.
Robert Lowes. Backing-up data is forward-thinking. Medical Economics Oct. 24, 2003;80:TCP15.