Healthcare Technology Featured Article

March 04, 2013

Wharfedale Technologies Delivers HIPAA-Compliant Disaster Recovery


HIPAA-compliant disaster recovery plans must spell out how data will be moved without violating HIPAA guidelines for privacy and security.

According to the Healthcare Billing and Management (HBMA) Billing Journal, both entities covered by HIPAA and their business associates must provide retrievable exact copies of electronic patient health information. Any data loss must be restored, and all data must be backed up offsite.

Wharfedale Technologies recently dealt with this problem when it helped a major healthcare company migrate its IT landscapes that were running SAP applications from a hosting vendor to its internal data center. The SAP application required a disaster recovery solution before going live from the in-house data center.

When planning for the migration, Wharfedale had to account for a large number of components, including SAP ERP, SAP NetWeaver and SAP Solution Manager. In addition, Wharfedale had to consider bolt-ons like Taxware and middleware components like webMethods.

Further complicating the landscape were a number of stacks including Java and ABAP as well as Oracle databases operating within a UNIX environment.

With HIPAA rules, non-compliance could result in fines as high as $1.5 million for each violation of a provision. Therefore, Wharfedale had to get the disaster recovery plan right to avoid HIPAA violations.

Wharfedale designed a backend disk layout based on SAP application requirements. It also developed a build plan for the hardware at the offsite storage location and monitoring capabilities for its disaster recovery solutions.

For the database-based replication disaster recovery solution, Wharfedale used native database tools and custom scripts to cover the database, database binaries, non-database file systems, NFS file systems, application, operating system and archive logs.

In addition to written procedures for data backup and recovery, entities covered by HIPAA must back up data frequently and then test their recovery procedures. All data at rest must be either encrypted or destroyed, which many organizations fail to do when they move around old tape or disk-based backups.

Healthcare companies that have failed to become compliant are nearly three years overdue. With stiff financial penalties for non-compliance, no one can afford to ignore disaster recovery planning. 




Edited by Brooke Neuman