Backup and Recovery

Your Data Protection Responsibilities When It Comes to PHI

Cam Skinner | Product Marketing Manager | January 17, 2022

While the attempt to mandate vaccines for U.S. workers via the Occupational Safety and Health Administration (OSHA) rule was recently struck down, the rule itself and the subsequent court rulings have brought the protection and security of sensitive healthcare information to the forefront. For the first time, businesses across industries were grappling with data privacy concerns that they had not had to consider previously.

For some companies, the mandate being overturned will be a relief. But businesses that handle Protected Health Information (PHI), or expect to in the future, can’t afford to ignore their data compliance and protection responsibilities. Here’s why PHI data compliance and security are so important, and the critical role a backup and recovery solution plays in achieving both.

Common PHI data protection requirements 

Protection of PHI is critically important because it ensures the privacy of sensitive data. Companies that fail to protect this type of data are subject to significant non-compliance fines, as well as the inevitable impact on reputation and trust.

Regardless of sector or industry, organizations should be examining their SaaS applications, in particular platforms like Salesforce and Microsoft Dynamics 365, to determine what PHI may be stored there. For organizations in the healthcare industry, the guidelines are quite clear: proper management of PHI includes having a data backup and recovery solution in place.

While specific HIPAA regulations may not apply to all organizations, employers who possess health information, like vaccination status, should examine their data protection policies to ensure that they meet the compliance requirements of internal, state, or federal data regulations. Several of those regulations require backups to be: 

  • Frequent: In most circumstances a daily backup is satisfactory, but sometimes backups must be scheduled to the hour or minute, depending on the type of record.
  • Encrypted: Backed-up data should be encrypted at rest and in transit.
  • Secure: Backed-up data should have user authentication safeguards, including multi-factor authentication and role-based access controls that partition backup services and control who has access to them.
  • Tested: Once successful backups have been achieved, the restore process must be tested to confirm data integrity and to measure how long a restore takes to complete.
  • Stored offsite: Backups must be stored in a separate location from production services and, depending on the record, must be retained for a finite period of time — in some cases six years or more.
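The "frequent", "tested" and "stored" requirements above can each be checked mechanically against a backup manifest. The following script is an added example, not OwnBackup code: it assumes a hypothetical manifest of BackupRecord entries (date taken, SHA-256 of the original data, stored copy) and uses constructed sample data. It runs a restore test that confirms integrity and times the restore (the figure you compare against your RTO), finds days missing from a daily schedule, and separates copies still inside a six-year minimum retention period from those eligible for disposal. Encryption at rest and in transit is left to the storage and transport layers and is not shown.

```python
"""Backup compliance checks for a hypothetical backup manifest.
Added example, not OwnBackup code; record layout and sample data are constructed.
"""
from __future__ import annotations

import hashlib
import time
import zlib
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class BackupRecord:
    """One snapshot in the (hypothetical) manifest."""
    taken_on: date
    sha256: str      # digest of the original data, recorded when the backup was taken
    payload: bytes   # the stored copy (compressed bytes here; a real copy lives offsite)


def make_backup(taken_on: date, data: bytes) -> BackupRecord:
    """Record the digest at backup time so a later restore can be checked against it."""
    return BackupRecord(taken_on, hashlib.sha256(data).hexdigest(), zlib.compress(data))


def verify_restore(record: BackupRecord) -> tuple[bool, float]:
    """'Tested': restore the copy, confirm integrity, and time the restore (for RTO).

    Returns (integrity_ok, seconds). A corrupted payload and a digest mismatch
    both count as a failed restore test.
    """
    start = time.perf_counter()
    try:
        restored = zlib.decompress(record.payload)
    except zlib.error:
        return False, time.perf_counter() - start
    ok = hashlib.sha256(restored).hexdigest() == record.sha256
    return ok, time.perf_counter() - start


def missed_days(records: list[BackupRecord], start: date, end: date) -> list[date]:
    """'Frequent': for a daily policy, list the calendar days in [start, end] with no backup."""
    have = {r.taken_on for r in records}
    span = (end - start).days + 1
    return [d for d in (start + timedelta(n) for n in range(span)) if d not in have]


def _years_ago(d: date, years: int) -> date:
    """Same month/day `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def retention_status(records: list[BackupRecord], today: date, min_years: int = 6):
    """'Stored': split backups into those still inside the minimum retention period
    (must be kept) and those past it (eligible for disposal)."""
    cutoff = _years_ago(today, min_years)
    keep = sorted(r.taken_on for r in records if r.taken_on >= cutoff)
    disposable = sorted(r.taken_on for r in records if r.taken_on < cutoff)
    return keep, disposable


# Constructed sample manifest: a daily run with one missed day (Jan 13), plus two old copies.
SAMPLE_RECORDS = [
    make_backup(date(2022, 1, d), f"patient roster v{d}".encode())
    for d in (10, 11, 12, 14, 15, 16, 17)
] + [
    make_backup(date(2015, 12, 31), b"archived roster"),
    make_backup(date(2016, 6, 1), b"archived roster"),
]

# Constructed failure cases: stored bytes that no longer match the recorded digest,
# and a stored copy that is not a valid compressed stream at all.
TAMPERED = BackupRecord(date(2022, 1, 13), SAMPLE_RECORDS[0].sha256, zlib.compress(b"something else"))
CORRUPTED = BackupRecord(date(2022, 1, 13), SAMPLE_RECORDS[0].sha256, b"\x00not a zlib stream")


if __name__ == "__main__":
    for r in [SAMPLE_RECORDS[0], TAMPERED, CORRUPTED]:
        ok, secs = verify_restore(r)
        print(f"{r.taken_on}: restore {'OK' if ok else 'FAILED'} in {secs * 1000:.2f} ms")
    print("missed daily backups:", missed_days(SAMPLE_RECORDS, date(2022, 1, 10), date(2022, 1, 17)))
    keep, disposable = retention_status(SAMPLE_RECORDS, date(2022, 1, 17))
    print("must keep:", len(keep), "eligible for disposal:", disposable)
```

Recording the digest at backup time and re-checking it on restore is what turns "the restore finished" into "the restore returned the same data we backed up"; the measured duration is only meaningful once that check passes.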

How does your backup solution support your compliance efforts?

Data compliance and security are too important to ignore. If your company manages PHI or other types of sensitive and regulated data that must be protected, you must consider a backup and recovery solution, but not just any solution. Here are a few questions to ask yourself when evaluating your organization’s solution:

  • Do you store any PHI data in your SaaS platform?
  • What are your required recovery time objective (RTO) and recovery point objective (RPO)?
  • How frequently do you back up your data?
  • If your SaaS provider were down, would you still be able to access your data?
  • How frequently do you test your ability to recover data from a backup?
  • How do you ensure data is retained within the minimum and maximum retention timeframes?
  • What regulatory requirements impact your data retention policy?

Depending on how you answer these questions, you may want to consider a third-party backup and recovery solution. At OwnBackup, we’re the #1 SaaS data protection platform and meet all of the requirements of a HIPAA compliant backup and recovery solution. Most importantly, because our cloud application sits outside of the SaaS provider’s, our customers' backup files are always accessible to them, even in the event of a SaaS provider outage or another critical event like a data breach.
