Five Questions to Ask Your Business Associate: Question #4 Disaster Recovery

If disaster strikes, how long will it take before PHI is available again?

Part of due diligence is asking yourself and your partners detailed questions about contingency plans in the event of a disaster.

HIPAA – The Health Insurance Portability and Accountability Act focuses on three key criteria for handling Protected Health Information (PHI): availability, confidentiality and integrity. Of these, availability often takes second stage to security concerns, but in a real health emergency, is most important to patient health.

Availability means that PHI is always available, accessible and never lost. When a patient arrives at the emergency room at three o’clock in the morning, the electronic health records need to be available so the physician can address the emergency with all of the patient’s records at her fingertips. Patient records in the health care world is no longer a 9-5 job – and one of the main drivers behind electronic health records (EHR) is the portability and availability of patients’ records to health care providers around the clock.

Availability also means that PHI isn’t lost. HIPAA and the HITECH Act make Covered Entities and Business Associates responsible for making sure PHI isn’t lost. For electronic records, this means offsite data backups are imperative and offsite disaster recovery is strongly recommended.

From a computing and application infrastructure point of view, “availability” means 2 things:

1. Disaster Prevention – putting all the tools in place to minimize the probability of an outage in the data center infrastructure, server hardware, software and network connectivity.
2. Disaster Recovery – assuring that the applications and data can be recovered and restored in a reasonable timeframe to continue running the business and making patient data available if there is a disaster in the primary data center.

Disaster Prevention is typically thought of in terms of “High Availability” – or redundant systems to assure that there is no single point of failure on the delivery of the application or data. Examples of high availability at the data center level include high availability power delivery through redundant generators, uninterruptible power supplies (UPSs), power distribution units (PDUs), and redundant power supplies in the servers. With high availability power, the failure of any element (generator, UPS, or power supply) does not affect the availability of the application – since the entire infrastructure is redundant.

Redundancy can also be delivered in the cloud server platform. For example, HIPAA compliant cloud servers run on redundant hardware hosts with multiple power supplies, multiple network connections to SANs, redundant controllers and redundant RAID drives. Again, any hardware failure or even complete shutdown of a hardware hosts will not affect the availability of the application and the PHI data.

Disaster Recovery is typically thought of in terms of Recovery Time Objective (RTO) and Recovery Point Objective (RPO). RTO is the amount of time it takes to spin up the servers, network, application and data as a separate data center in the case that the application is shut down from a disaster.

RTOs can range from minutes to weeks depending on the technology selected. RPO is defined as how close to the disaster the data can be recovered, which is tied to how often the data is backed up. If backups are made every night, then the RPO is 24 hours (up to 24 hours of data can be lost). If continuous replication is used, the loss may be as short as a few minutes. The shorter the RTO and RPO, the better.

As a minimum, all HIPAA applications should use offsite backup. That way, if the production data center has a disaster or is destroyed, the PHI isn’t lost. The backup should be located a significant distance away to assure the same disaster doesn’t strike both sites. Every region of the country has a recommended best practices for geographic separation; in the Midwest, it’s at least 50 miles apart.

For critical PHI, a warm site disaster recovery infrastructure is ideal. Warm site disaster recovery means that the entire server environment is replicated including operating systems, applications, data, network and firewall setttings so that it is ready and waiting to take over at a moment’s notice. Several years ago, warm site disaster recovery was difficult and expensive.

Now, with the advent of cloud computing, disaster recovery has become very cost-effective. The advent of Disaster Recovery as a Service has made disaster recovery easier and more simple than before, with a service provider managing and maintaining all of the components that come with a proper disaster recovery site.

When you evaluate meeting HIPAA availability requirements for your health care applications and PHI, ask two key questions:

1. Is your application hosted in a high availability environment where the power infrastructure, servers and network infrastructure can sustain failures without impacting your application and PHI data?
2. How will your application and PHI data survive a disaster at the production data center? Do you need only to recover your data with offsite backup, or do you need your application and data to be back online in as short a time as possible?

How you answer these questions is critical to compliance with the availability criteria of HIPAA and the HITECH Act.

Next week we will look at an organizations security training and knowing where to find your security policy documents.

References:
Disaster Recovery for HIPAA Applications – It’s All About Availability of PHI
HIPAA Glossary of Terms
HIPAA Resources: Policies, Procedures and Training Materials

For HIPAA Compliant hosting, call 877.740.5028 or email [email protected]