When you do a backup of your data (EHR, Digital Imaging, Billing Program), you hit a button to run your backup and at some point you get a message that your backup is complete. When you have a cloud service, your cloud provider is probably completing your backups.
If you got a message that your backup is complete, then you must have a valid backup that you can use in case of an emergency, right? Not necessarily. There are many instances where businesses, including medical practices, have had to turn to their backups as part of a disaster recovery plan only to find that the file they thought had a backup of all their data was corrupted or, even worse, empty.
One of the components of the HIPAA Security Rule is a process of testing your Disaster Recovery Plan which includes testing the process of restoring your backup files. It is much better to learn that there is a problem during a simulated disaster than to find out there is a problem when trying to recover from an actual disaster. Your HIPAA Security manual should have a section that details the process of disaster recovery and the steps you should take to recover. You should review this section of your HIPAA manual and know what steps are listed and make sure that the steps make sense. The plan should include a list of all systems that you will need to restore, the importance of each of the systems (Your Data Criticality Analysis) and the order in which the systems need to be restored.
Once you have reviewed your plan, it is time to test your plan. You want to include your vendors in your test scenario, since you will need to reach out to them to assist you should there be a true disaster. The most important thing to remember is that when you test restoring your data NEVER test restoring to your live system. Your live system has your current ‘good’ data. Should you attempt to restore a backup to your live system you will lose all information that was entered since your most recent backup. You do not want to lose that data. Even if you make a backup and it is 100% up to date you do not want to restore to your live system. If the restore process fails due to a corrupt backup file, you have just wiped out your live data, and your backup is corrupt, and you will not be able to recover. The best process for testing your backup is to have a backup computer on premises that you can restore to. You will want to work with your vendor to set up this backup computer to use for restoring your data. Once the data is restored to the backup computer you want to go through the program and make sure all of your patient information has been restored to your backup computer.
Another option is to send a copy of your backup to your software vendor. The vendor can then restore your backup files to one of their computers and can verify that the backup file can be used to restore data in case of a disaster.
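The restore test described above can be partly automated. The following Python code is an added example, not part of the original article or any vendor's tooling; it assumes the backup is a ZIP archive and that a manifest of file hashes was recorded at backup time, and the function names, file names and sample record are constructed for illustration.

```python
import hashlib
import tempfile
import zipfile
import zlib
from pathlib import Path


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(data_dir: Path) -> dict:
    """At backup time, record relative path -> SHA-256 for every file."""
    return {p.relative_to(data_dir).as_posix(): sha256(p)
            for p in sorted(data_dir.rglob("*")) if p.is_file()}


def verify_restore(archive: Path, manifest: dict, live_dir: Path, restore_dir: Path) -> list:
    """Restore archive into restore_dir; return a list of problems (empty list = pass)."""
    live, target = live_dir.resolve(), restore_dir.resolve()
    # Never restore into the live folder, a folder inside it, or a folder containing it.
    if target == live or live in target.parents or target in live.parents:
        raise ValueError("refusing to restore into the live data directory")
    if not archive.is_file() or archive.stat().st_size == 0:
        return ["backup file is missing or empty"]
    try:
        with zipfile.ZipFile(archive) as zf:
            bad = zf.testzip()  # reads every member and checks its CRC
            if bad is not None:
                return [f"backup is corrupt: CRC error in {bad}"]
            zf.extractall(target)
    except (zipfile.BadZipFile, zlib.error) as exc:
        return [f"backup is corrupt: {exc}"]
    problems = []
    for name, digest in manifest.items():  # every file recorded at backup time
        restored = target / name
        if not restored.is_file():
            problems.append(f"missing after restore: {name}")
        elif sha256(restored) != digest:
            problems.append(f"content differs after restore: {name}")
    return problems


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample data
        live, scratch = Path(tmp, "live"), Path(tmp, "restore-test")
        live.mkdir()
        (live / "patients.csv").write_text("id,name\n1,Sample Patient\n")
        archive = Path(tmp, "backup.zip")
        with zipfile.ZipFile(archive, "w") as zf:
            zf.write(live / "patients.csv", "patients.csv")
        print(verify_restore(archive, build_manifest(live), live, scratch) or "restore test passed")
```

A passing result only shows that the files came back intact; opening the restored program and checking patient records, as described above, is still part of the test.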
Should you be using a cloud service provider for any of your services, you want to reach out to that vendor and ask them how often they back up the data and how often they test the process of restoring the data. Getting this information in writing and placing a copy of the document in your HIPAA Security Manual is a best practice.
Many practices are very good about backing up their EHR data, but forget about their other systems, such as digital imaging, accounting and payroll, and other vital business systems. Backing up these other vital systems is part of your business continuity plan.
A good business continuity plan protects your practice from the potential loss of vital data that you need to keep your practice running, protect your income stream, and provide quality care to the patients who depend upon you.