HIPAA Compliant Data Recovery

Jared

Administrator
Staff member
I'm just curious what other labs do when customers ask for HIPAA compliance when handling data recovery projects. We've always just handled it by keeping the station off network, cloning everything onto a single drive so nothing gets stored on the local machine at all, and not going back on network until it's been confirmed that both source and destination drive are disconnected. Then we log and verify that the clone is wiped promptly after the data is picked up.

How do you guys usually handle these cases? Maybe I'm taking it too far, I don't know. Just seems that off network is the only way to guarantee that it's 100% secure.
 

LarrySabo

Member
I never get such cases, but your approach sounds good to me. What does the organization responsible for HIPAA enforcement have to say about DR processes (if anything)? I might consider providing the clone to the customer rather than secure wiping it, to remove all doubt. However, if they don't trust your certification of what steps you take, why would they trust that you have no other copy?
 
LarrySabo said:
if they don't trust your certification of what steps you take, why would they trust that you have no other copy?


Logical question?? And if the customer doesn't trust your data recovery lab, why do they come over??

The trust issue must exist.
 

LarrySabo

Member
I don't think it matters what the customer thinks about your HIPAA processes; it's what the compliance regulatory/enforcement body requires that really counts, I suspect.
 

Jared

Administrator
Staff member
I don't think we'd ever be audited by the health department as we don't actually fall under HIPAA regulations. But the law requires covered entities to sign a business associate agreement that basically says we will follow the standard as it applies and allow them to investigate/question our process to ensure it complies.

So far every healthcare provider we've done work for has been satisfied with our explanation of our process to keep it secure. I was just curious of the process others employ.
 

pclab

Moderator
That doesn't apply here. No agency forces any regulations on us.
Only company policies here. And if the client trusts, all OK. If not, he can go ask his/her friend for help.
 