Data backup rules under HIPAA carry stiff penalties for noncompliance.

Cloud data storage penalties under HIPAA in line with current fines

Stephen Perkins

Online data backup requirements under the updated Health Insurance Portability and Accountability Act threaten significant penalties for failing to prevent security breaches that compromise personal health information, but a recent incident highlighted the dangers of other data storage methods.

Cloud data storage as mandated by HIPAA is intended to limit the risk that patient information will be exposed and penalizes both the healthcare provider and its data storage partners for any violations. The regulatory law puts firms at risk if any vulnerability is exploited, according to Ted Devine, CEO of TechInsurance.

"And it puts the onus of compliance on the healthcare companies it regulates," Devine said in a press release. "That means healthcare firms can be held liable for HIPAA violations made by any of their associates, including IT contractors they hired to build a website or update their network."

Devine recommended that healthcare providers protect themselves by verifying that their subcontractors meet HIPAA requirements through specific safeguards such as redundant data backup, password encryption, facility control and a high level of network security. Healthcare providers are also advised to require that contractors carry insurance to cover reimbursement costs for any data breaches, and to make sure that contractors have up-to-date errors and omissions policies that can protect them in the event of a costly mistake.

Errors get expensive

Healthcare providers found to be in violation of the data backup requirements can face fines of up to $1.5 million annually after the Sept. 23 compliance deadline. Fines for patient data breaches are not new under existing regulations. The Advocate Medical Group could see penalties of $1 million or more for an incident in which four computers containing more than 4 million patient records were stolen from a hospital in Illinois, according to Modern Healthcare. The data on the stolen computers was not encrypted, as the law requires, although information on other computers in the hospital was protected.

"You can imagine the extent of the forensic analysis to uncover what was on those hard drives," said Kelly Jo Golson, senior vice president and chief marketing officer for Advocate Health Care. "To the best of our knowledge, this data goes back to the early 1990s."

The healthcare provider responded to the breach by offering credit monitoring services to affected patients and by strengthening its encryption programs and security protocols.
