One of the more common questions that will be asked during any HIPAA seminar I have spoken at, is “what do we do with our backup copies?” Obviously, you want to store the backup copies in a way that prevents an incident that damages or destroys your systems from also destroying your backup copies. Most companies will store their backups at an alternate location, such as a branch office. Some companies store their back up copies on site, but in lockbox or cabinet designed to protect the copies from fires and other disasters. The former is not always an option for small providers, as they have only one office. Likewise, the latter can be a rather expensive option.
Because many home health and hospice providers are small companies, they do not have many options for storing back up copies. I have often recommended having an owner or employee take the copies home as a simple and cost effective way to ensure the back up copies are stored separately from the originals. Although this method does address the cost concern, if not done properly, it can create other problems as a hospital system in the Pacific Northwest recently discovered.
According to an article published in Computerworld last week a large home health provider regularly sent backup copies home with an employee each evening. One evening, the employee’s car was broken into and all of the tapes and disks were stolen. The backup tapes and disks contained information on approximately 365,000 patients. The hospital has stopped storing backup copies at employees homes, but the real lesson in this story is how not to store backups with an owner or employee.
This breach illustrates that if you are sending backups home with an employee as your means of “offsite storage”, you should ensure a few things beforehand. First, the employee should be clearly instructed not to leave backup copies of patient data in their car overnight. Frankly, the employee should not be leaving any PHI in their car overnight. (This is a topic for another day, but your employees should not leave patient files in their cars unless in a locked container or in the trunk.) You should be very clear with whomever takes the backup copies home with them that they should be taken into the house with them. The employee should understand why this is a concern. If they do not understand, you should have somebody else handling this task. This is such a small step, it should not present a problem, but if the employee even forgets one time, you can have a large volume of patient information compromised.
Which leads to the next consideration, failing to properly store the data once at home should be a specific sanctionable offense in your privacy policies and procedures. The employee should know in advance that if they leave the back up copies in their car overnight, they will be sanctioned for violating your Security policies and procedures.
You should be very careful to whom you assign this responsibility. It may be better for your administrator to be responsible for taking backup copies home with her at night, because she will understand the importance of safeguarding this information.
As an additional safety measure, you should consider password protecting the backup copies so that if they are stolen, they will be harder to access.
Although a forgetful or lazy employee might make a mistake such as the employee in this case, it does not change the fact that for small providers an owner or employees home may in fact be the most reasonable means to ensure back up copies are stored separately form the providers systems. The experience of the provider in this case simply provides a warning to providers of additional steps to take with employees to prevent this reasonable practice form becoming a problem.
Permalink
