Dr.Backup provides secure online backup service to organizations that create, maintain, receive or transmit electronic protected health information (“ePHI”.) These organizations are referred to as “Covered Entities” and are required by law to comply with the regulations associated with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”.)
When the original HIPAA regulations were created, there was no formal certification process available for online backup providers. This is because the regulations didn’t fully address the concept of “cloud computing” — nor the regulatory status of so-called “no-view” services that store encrypted information online.
Subsequent additions to the HIPAA regulations introduced with the Health Information Technology for Economic and Clinical Health Act (“HITECH”) Act changed that.
Cloud Service Providers ( “CSPs”) like Dr.Backup are now by regulation to be treated by Covered Entities as HIPAA “Business Associates” – and as such are subject to many of the same rules, regulations and penalties specified in the HIPAA/HITECH regulations.
Due to these regulatory changes, Dr.Backup now conducts regular risk assessments of its online backup service to comply with the HIPAA Security Rule. We must also implement various internal policies and procedures that ensure that we comply with the HIPAA Privacy and Breach Notification Rules. This is an ongoing process.
All data transferred to the Dr.Backup service is fully encrypted prior to transmission and remains encrypted while the data is at rest on our storage servers. Because of this, it is not possible for us to readily discern which data is ePHI. For this reason, and to be in compliance with HIPAA regulations, Covered Entities are required to enter in a HIPAA Business Associate Agreement with all vendors that create, maintain, transmit or receive ePHI – even if that information is stored online and encrypted.
Upon request, we generally will execute an approved Business Associate agreement to formalize our relationship with healthcare providers whose business practices require written documentation of our adherence to HIPAA regulations.
To expedite this compliance process, Dr.Backup maintains a ready-to-execute HIPAA Business Associate Agreement (“BAA”) on our web site. By executing our standard “BAA” you help ensure you are compliant with this aspect of the HIPAA regulation – and officially notify us that data you backup data contains ePHI.