WholesaleBackup’s Online Backup Service for Microsoft Windows and HIPAA Compliance
WholesaleBackup’s Online Backup Service for Microsoft Windows (WholesaleBackupDPS) does
not involve the use or disclosure of PHI (protected health information). Any access to PHI by
WholesaleBackup would be incidental, if it is possible at all, because all data transmitted to and
stored by WholesaleBackup is encrypted; WholesaleBackup is therefore not a Business
Associate.
The only title of HIPAA that has bearing on WholesaleBackupDPS is the Administrative
Simplification provisions of Title II. WholesaleBackupDPS clearly falls within the requirements of the
HIPAA Administrative Simplification Security Rule. WholesaleBackup’s online backup software
for Microsoft Windows as well as the subscription Service it uses are compliant today, and can
provide a foundation for overall compliance.
The Security Rule specifies the means that should be used to protect PHI. It requires that
Covered Entities have appropriate Administrative Procedures, Physical Safeguards, and
Technical Safeguards to protect access to PHI.
Examples of appropriate safeguards include the establishment of:
- Clear Access Control policies, procedures, and technology to restrict who has authorized access to PHI.
- Restricted and locked areas where PHI is stored.
- Appropriate Data Backup, Disaster Recovery, and Emergency Mode Operation planning.
- Technical security mechanisms such as encryption to protect data that is transmitted via a network.
With WholesaleBackupDPS all information to be backed up is encrypted by the local client
computer before being transmitted, using a key that is stored locally. Data is stored on
WholesaleBackup’s servers in its encrypted form. Data can only be recovered by transmitting
it back to the local client, which decrypts it, again using the locally-stored key. The most
important feature of this arrangement is that while the data is stored on WholesaleBackup’s
servers, it is encrypted and not in a readable format. The remote server does not have access
to the key, and without the key, the data cannot be converted to a readable format.
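The arrangement described above, client-side encryption with a key that never leaves the client and a server that stores only ciphertext, is illustrated by the following added example. It is not WholesaleBackup’s code and the page does not state which cipher the product uses; the example assumes AES-256-GCM, and `BackupServer` is a stand-in for the remote storage that holds blobs by name and never receives a key. It also shows the two properties a practitioner wants to confirm: the stored blob reveals nothing about the plaintext, and a lost or wrong key (or a tampered blob) makes the data unrecoverable.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ClientEncrypt encrypts a file's contents on the client with AES-256-GCM
// (assumed cipher) using the locally held key. The random nonce is
// prepended to the ciphertext so the client can decrypt later; the GCM
// authentication tag also detects any alteration of the stored blob.
func ClientEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// ClientDecrypt reverses ClientEncrypt. It fails if the key is wrong or
// the blob was modified while in storage.
func ClientDecrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("stored blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// BackupServer is a hypothetical stand-in for the remote storage: it keeps
// blobs by name and is never given a key.
type BackupServer struct {
	store map[string][]byte
}

func NewBackupServer() *BackupServer { return &BackupServer{store: map[string][]byte{}} }

func (s *BackupServer) Put(name string, blob []byte) { s.store[name] = append([]byte(nil), blob...) }

func (s *BackupServer) Get(name string) ([]byte, bool) { b, ok := s.store[name]; return b, ok }

// ServerCanReadPlaintext models what an operator inspecting a stored blob
// could learn: whether the original bytes appear anywhere in it.
func ServerCanReadPlaintext(blob, plaintext []byte) bool {
	return bytes.Contains(blob, plaintext)
}

// RoundTrip runs the backup and restore flow: encrypt locally, send the
// blob to the server, fetch it back, decrypt locally. Reports whether the
// restored bytes equal the original.
func RoundTrip(key []byte, server *BackupServer, name string, data []byte) (bool, error) {
	blob, err := ClientEncrypt(key, data)
	if err != nil {
		return false, err
	}
	server.Put(name, blob)
	stored, ok := server.Get(name)
	if !ok {
		return false, errors.New("blob missing on server")
	}
	restored, err := ClientDecrypt(key, stored)
	if err != nil {
		return false, err
	}
	return bytes.Equal(restored, data), nil
}

func main() {
	key := make([]byte, 32) // locally stored key; never sent to the server
	rand.Read(key)
	srv := NewBackupServer()
	record := []byte("constructed sample: record 0001, not real PHI")
	ok, err := RoundTrip(key, srv, "records.db", record)
	fmt.Println("restore matches original:", ok, err)
	blob, _ := srv.Get("records.db")
	fmt.Println("server can read plaintext:", ServerCanReadPlaintext(blob, record))
	lostKey := make([]byte, 32)
	_, err = ClientDecrypt(lostKey, blob)
	fmt.Println("restore with a wrong key:", err)
}
```

The failure on a wrong key is the flip side of the property the page describes: because the server never holds the key, the Covered Entity’s own key management (and its backup of the key) decides whether a restore is possible at all.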
WholesaleBackup’s client software contains all appropriate technical security mechanisms to
protect the data that is transmitted to and from WholesaleBackup’s servers and is therefore
compliant with the Final Security Rule.
WholesaleBackupDPS can form a critical part of Data Backup, Disaster Recovery, and
Emergency Mode Operations strategies by providing offsite backup that is in a different
location from the Covered Entity’s site to minimize the likelihood of data loss in a disaster.
WholesaleBackupDPS, as part of a comprehensive security plan, can be an important part of
complying with the HIPAA Administrative Simplification Security Rule.