TPC-Journal-V2-Issue3

The Professional Counselor | Volume 2, Issue 3 | 194

should determine whether the company meets a brief checklist of requirements (see Table 1). There are a number of online backup services, marketed towards healthcare professionals, which describe themselves as “HIPAA-compliant.” However, this does not have a technical meaning—there is no certification for HIPAA compliance regarding client data backup services. It is the responsibility of the counselor or designated individual in a group practice to ensure that online backup meets HIPAA and HITECH requirements.

Table 1
Quick Checklist for Online Backup

HIPAA and HITECH require the counselor to be able to access accurate and current copies of all ePHI at any time, even in the event of a disaster that destroys copies located in a counselor’s office. Some forms of cloud storage may be an option if they meet the following minimum requirements, which can typically be ascertained by reading a site’s terms of service:

• Data is monitored for changes and backed up immediately
• Client-side software can be set up in such a way that unauthorized individuals cannot access data
• Data is transmitted over an encrypted connection (e.g., https connections)
• Documentation of physically secure storage; some services have multiple backup locations
• Data cannot be accessed by staff at the storage site under any circumstances, including a court order
• Data is encrypted before transmission with at least 256-bit encryption (e.g., encryption is automatically performed client-side by the client software). Alternatively, data can be encrypted manually by the counselor before backup
• (optional) Two-factor authentication (requiring a USB key or other secondary “token” to access archived data)

Most popular cloud storage services advertise secure online backup with varying levels of encryption. However, these services are not all created equal, and in many cases their process does not meet minimum standards.

While transmission is typically encrypted as required by HIPAA, information stored by these services is not necessarily secure. Information may be encrypted at a physically secure site, but some services do have the technical ability to access any ePHI that is stored with them. For example, the terms of service at Dropbox, a popular backup and syncing service, state that:

    We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights. If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s encryption from the files before providing them to law enforcement. However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox (Dropbox, 2011, section 3, para 4).

This means that someone other than the counselor or a designated individual could access ePHI. For example, if a counselor is involved in a lawsuit, a court order could cause the online storage company to disclose unencrypted ePHI without input from the counselor. However, as noted, they are not able to decrypt any information that the counselor encrypts before backing up, as suggested by HITECH. In most cases, counselors must ensure that data is encrypted before being sent to any such service. Counselors also are cautioned to pay close attention to the privacy policies at any backup service that they might use; many are less specific than the example above but still allow for the possibility of decrypting and releasing data with a court order.
