Since 1996, HIPAA (Health Insurance Portability and Accountability Act) has afforded patients of medical institutions various privacy rights to protect personal information and medical records. This act provides industry standards relating to who will have access to medical records and how such records may be used, transmitted, and stored in both paper and digital format.
The standard outlines technical, physical, and administrative safeguards that must be implemented by any covered entity.
What is a HIPAA Covered Entity?
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Generally, these transactions concern billing and payment for services or insurance coverage. For example, hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. Covered entities can be institutions, organizations, or persons.
However, there are other organizations that may at times deal with protected medical records, such as companies that handle billing and debt collection, legal services, transcription services, and even certain IT services.
How Does HIPAA Apply to Data Recovery Services?
In a perfect world where all HIPAA standards are followed, it simply wouldn’t apply. HIPAA standards require covered entities to encrypt protected medical records, and even set out that covered entities must ensure that proper backup and recovery measures are taken so as to avoid the need for any sort of outside data recovery service. However, we don’t live in a perfect world, and mistakes happen.
When any outside entity that is not a Covered Entity performs work relating to protected medical records, it is considered a Business Associate and must enter into a Business Associates Agreement Contract with the Covered Entity outlining that the same HIPAA compliant practices will be followed. Technically speaking, this should not apply to an outside data recovery firm. HIPAA excludes services that fall under the following category from being considered a Business Associate:
With persons or organizations (e.g., janitorial service or electrician) whose functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all
A technician who is performing data recovery work on a failed hard drive or RAID array is not performing a service which involves the use or disclosure of protected health information (technically speaking), and any exposure to such records would be incidental. Also, if HIPAA regulations were followed leading up to the data loss, the data should be in an encrypted state where it would be inaccessible to the technician.
However, we realize that at times a series of mistakes could lead to unencrypted records being stored on a digital storage device, where they could possibly be accessed by a data recovery professional. In such a case, the data being viewed and later returned to the covered entity could be considered an act of disclosing protected medical records. To meet the requirements of such a situation, Data Medics LLC has drafted a Business Associate Agreement Contract which we use when handling cases affected by HIPAA standards. You can download a sample using the button below:
How We Maintain HIPAA Confidentiality of Medical Records
Technical Safeguards: Patient records delivered on digital storage media to Data Medics should already be in an encrypted state, and Data Medics personnel are never informed of the details of how to access or decrypt such records. Whenever such storage media is connected to a computer system or other data recovery equipment, those computers and equipment are physically disconnected from all internal and external networks. A log is maintained to track the time(s) and employee(s) who ensured the disconnect took place. This same log is also used to verify that all digital storage media, including any digital copies made during the recovery process, are completely disconnected from the system before it is placed back onto the network. During the recovery process, efforts are made to minimize the likelihood of incidental viewing of the data. This is generally done by working entirely at a block level on the storage device and only allowing for “spot checks” to verify data integrity.
Physical Safeguards: Whenever digital storage media possibly containing protected patient records is not actively being worked on, such media is stored within a locked safe. The password to the safe is made available only to the supervising technician and the office manager. Also, a chain of custody form is maintained for each item of digital storage media and is logged each time the media changes hands within the company.
Administrative Safeguards: While Data Medics is not a covered entity and therefore not subject to required administrative safeguards, its senior staff, including its President, periodically review the effectiveness of the safeguards and review logs and procedures to ensure that all protective measures are being followed as per company policy.