On January 8, HHS announced a settlement of $337,750 with USR Holdings for a violation of the HIPAA regulations.
This is significant due to the nature of the HIPAA Violation. Among the violations by USR Holdings was Deletion of electronic Protected Health Information.
Included in the statement from HHS is: “that they have backup procedures in place to be able to create exact copies of the electronic protected health information they hold, in the event health information is held for ransom or deleted”
The loss of protected health information due to any event, including ransomware, is a HIPAA violation.
If your practice is hit by ransomware, it is the proverbial double whammy
- 1. Your data has been accessed by an unauthorized individual or process – First Violation
- 2. You have lost your data – Second Violation
This underscores the need for regular backups of all of your data systems. Having a good backup program will enable you to restore your data in case of any event that deletes, corrupts or destroys your data. Natural Disasters, a fire in your office, a hard drive failure and many other factors can cause data to be lost or destroyed. Ransomware encrypts your data which makes it inaccessible to you.
Not having access to your patient information can result in harm to patients. This is the reason HHS takes the issue of loss of patient data very seriously.
When you run a backup of your data, your backup program will typically give you a message “Backup Complete”. Unfortunately, there have been instances where practices have backed up their data every day, seeing a Backup Complete message and when they needed to restore from the backup, the restoration process failed. To protect your practice from this unfortunate event it is important not only to back up your data, but also to test restoring your backups on a regular basis.
To test your backups, you should either send a copy of your backup files to your software vendor and have them restore your data to one of their ‘test systems’ or you need to have a second set of computers at your practice and test restoring to that second set of computers. You NEVER want to test restoring to your ‘live’ system. If the test fails, your live data will be destroyed, and you will lose your data. Very few practices that we are aware of have a full second set of computers that can be used to test restoring data, that is why we recommend that you work with your vendors to test your backup systems.
You also want to have a written report from your vendor that certifies your backups can be utilized to create an accurate and true system with all of your patient data. This documentation is very important should you experience an event and have to endure a HHS investigation.
For more information on protecting your practice from HIPAA related events please reach out to TLD Systems at
via email at info@tldsystems.com
via phone at 631 403 8867
Read Comments