{"id":1760,"date":"2012-02-13T00:00:00","date_gmt":"2012-02-13T00:00:00","guid":{"rendered":"http:\/\/otava.test\/five-questions-to-ask-your-business-associate-question-4-disaster-recovery\/"},"modified":"2012-02-13T00:00:00","modified_gmt":"2012-02-13T00:00:00","slug":"five-questions-to-ask-your-business-associate-question-4-disaster-recovery","status":"publish","type":"post","link":"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associate-question-4-disaster-recovery\/","title":{"rendered":"Five Questions to Ask Your Business Associate: Question #4 Disaster Recovery"},"content":{"rendered":"<div>\n<p><em><strong>If disaster strikes, how long will it take before PHI is available again?<\/strong><\/em><\/p>\n<p>Part of due diligence is asking yourself and your partners detailed questions about contingency plans in the event of a disaster.<\/p>\n<\/div>\n<div>\n<p><a href=\"https:\/\/otavawebsite.wpengine.com\/compliance-security\/hipaa-compliant-cloud\/\">HIPAA<\/a> \u2013 The Health Insurance Portability and Accountability Act focuses on three key criteria for handling Protected Health Information (PHI): availability, confidentiality and integrity. Of these, availability often takes second stage to security concerns, but in a real health emergency, is most important to patient health.<\/p>\n<p>Availability means that PHI is always available, accessible and never lost. When a patient arrives at the emergency room at three o\u2019clock in the morning, the electronic health records need to be available so the physician can address the emergency with all of the patient\u2019s records at her fingertips. Patient records in the health care world is no longer a 9-5 job \u2013 and one of the main drivers behind electronic health records (EHR) is the portability and availability of patients\u2019 records to health care providers around the clock.<\/p>\n<p>Availability also means that PHI isn\u2019t lost. HIPAA and the HITECH Act make Covered Entities and Business Associates responsible for making sure PHI isn\u2019t lost. For electronic records, this means offsite data backups are imperative and offsite\u00a0<a href=\"https:\/\/otavawebsite.wpengine.com\/solutions\/data-protection\/disaster-recovery-as-a-service\">disaster recovery<\/a>\u00a0is strongly recommended.<\/p>\n<p>From a computing and application infrastructure point of view, &#8220;availability&#8221; means 2 things:<\/p>\n<ol>\n<li><strong>Disaster Prevention<\/strong>\u00a0\u2013 putting all the tools in place to minimize the probability of an outage in the data center infrastructure, server hardware, software and network connectivity.<\/li>\n<li><strong>Disaster Recovery<\/strong>\u00a0\u2013 assuring that the applications and data can be recovered and restored in a reasonable timeframe to continue running the business and making patient data available if there is a disaster in the primary data center.<\/li>\n<\/ol>\n<p>Disaster Prevention is typically thought of in terms of \u201cHigh Availability\u201d \u2013 or redundant systems to assure that there is no single point of failure on the delivery of the application or data. Examples of high availability at the data center level include\u00a0<a href=\"https:\/\/otavawebsite.wpengine.com\/operations\/locations\/michigan-cloud-and-data-centers\/\/features\/high-availability-server-hosting\">high availability<\/a>\u00a0power delivery through redundant generators, uninterruptible power supplies (UPSs), power distribution units (PDUs), and redundant power supplies in the servers. With high availability power, the failure of any element (generator, UPS, or power supply) does not affect the availability of the application \u2013 since the entire infrastructure is redundant.<\/p>\n<p>Redundancy can also be delivered in the cloud server platform. For example,\u00a0<a href=\"https:\/\/otavawebsite.wpengine.com\/solutions\/cloud\/\">HIPAA compliant cloud<\/a>\u00a0servers run on redundant hardware hosts with multiple power supplies, multiple network connections to SANs, redundant controllers and redundant RAID drives. Again, any hardware failure or even complete shutdown of a hardware hosts will not affect the availability of the application and the PHI data.<\/p>\n<p>Disaster Recovery is typically thought of in terms of Recovery Time Objective (RTO) and Recovery Point Objective (RPO). RTO is the amount of time it takes to spin up the servers, network, application and data as a separate data center in the case that the application is shut down from a disaster.<\/p>\n<p>RTOs can range from minutes to weeks depending on the technology selected. RPO is defined as how close to the disaster the data can be recovered, which is tied to how often the data is backed up. If backups are made every night, then the RPO is 24 hours (up to 24 hours of data can be lost). If continuous replication is used, the loss may be as short as a few minutes. The shorter the RTO and RPO, the better.<\/p>\n<p>As a minimum, all HIPAA applications should use <a href=\"https:\/\/otavawebsite.wpengine.com\/solutions\/data-protection\/cloud-backup\/\">offsite backup<\/a>. That way, if the production data center has a disaster or is destroyed, the PHI isn\u2019t lost. The backup should be located a significant distance away to assure the same disaster doesn\u2019t strike both sites. Every region of the country has a recommended best practices for geographic separation; in the Midwest, it&#8217;s at least 50 miles apart.<\/p>\n<p>For critical PHI, a warm site disaster recovery infrastructure is ideal. Warm site disaster recovery means that the entire server environment is replicated including operating systems, applications, data, network and firewall setttings so that it is ready and waiting to take over at a moment&#8217;s notice. Several years ago, warm site disaster recovery was difficult and expensive.<\/p>\n<p>Now, with the advent of cloud computing, disaster recovery has become very cost-effective. The advent of <a href=\"https:\/\/otavawebsite.wpengine.com\/solutions\/data-protection\/disaster-recovery-as-a-service\/\">Disaster Recovery as a Service<\/a> has made disaster recovery easier and more simple than before, with a service provider managing and maintaining all of the components that come with a proper disaster recovery site.<\/p>\n<p>When you evaluate meeting HIPAA availability requirements for your health care applications and PHI, ask two key questions:<\/p>\n<ol>\n<li>Is your application hosted in a high availability environment where the power infrastructure, servers and network infrastructure can sustain failures without impacting your application and PHI data?<\/li>\n<li>How will your application and PHI data survive a disaster at the production data center? Do you need only to recover your data with offsite backup, or do you need your application and data to be back online in as short a time as possible?<\/li>\n<\/ol>\n<p>How you answer these questions is critical to compliance with the availability criteria of HIPAA and the HITECH Act.<\/p>\n<p>Next week we will look at an organizations security training and knowing where to find your security policy documents.<\/p>\n<p>References:<br \/>\n<a href=\"https:\/\/otavawebsite.wpengine.com\/blog\/disaster-recovery-for-hipaa-applications-its-all-about-availability-of-phi\/\">Disaster Recovery for HIPAA Applications &#8211; It&#8217;s All About Availability of PHI<\/a><br \/>\n<a href=\"https:\/\/otavawebsite.wpengine.com\/reference\/hipaa-glossary-of-terms\/\">HIPAA Glossary of Terms<\/a><br \/>\n<a href=\"https:\/\/www.onlinetech.com\/resources\/references\/hipaa-resources-policies-procedures-and-training-materials\">HIPAA Resources: Policies, Procedures and Training Materials<\/a><\/p>\n<p>For\u00a0<a href=\"https:\/\/otavawebsite.wpengine.com\/compliance-security\/hipaa-compliant-cloud\/\">HIPAA Compliant hosting<\/a>, call 877.740.5028 or email\u00a0<a href=\"mailto:contactus@onlinetech.com\">contactus@onlinetech.com<\/a><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>If disaster strikes, how long will it take before PHI is available again? Part of due diligence is asking yourself and your partners detailed questions about contingency plans in the event of a disaster. HIPAA \u2013 The Health Insurance Portability and Accountability Act focuses on three key criteria for handling Protected Health Information (PHI): availability, confidentiality and integrity. Of these, availability often takes second stage to security concerns, but in a real health emergency, is most important to patient health. Availability means that PHI is always available, accessible and never lost. When a patient arrives at the emergency room at three o\u2019clock in the morning, the electronic health records need to be available so the physician can address the emergency with all of the patient\u2019s records at her fingertips. Patient records in the health care world is no longer a 9-5 job \u2013 and one of the main drivers behind electronic health records (EHR) is the portability and availability of patients\u2019 records to health care providers around the clock. Availability also means that PHI isn\u2019t lost. HIPAA and the HITECH Act make Covered Entities and Business Associates responsible for making sure PHI isn\u2019t lost. For electronic records, this means offsite&#8230;<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"other_category":[],"class_list":["post-1760","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.2 (Yoast SEO v27.2) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Five Questions to Ask Your Business Associate: Question #4 Disaster Recovery | OTAVA<\/title>\n<meta name=\"description\" content=\"Part of due diligence is asking yourself and your partners detailed questions about contingency plans in the event of a disaster.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associate-question-4-disaster-recovery\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Five Questions to Ask Your Business Associate: Question #4 Disaster Recovery\" \/>\n<meta property=\"og:description\" content=\"Part of due diligence is asking yourself and your partners detailed questions about contingency plans in the event of a disaster.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associate-question-4-disaster-recovery\/\" \/>\n<meta property=\"og:site_name\" content=\"OTAVA\" \/>\n<meta property=\"article:published_time\" content=\"2012-02-13T00:00:00+00:00\" \/>\n<meta name=\"author\" content=\"Irma Brillantes\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Irma Brillantes\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associate-question-4-disaster-recovery\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associate-question-4-disaster-recovery\/\"},\"author\":{\"name\":\"Irma Brillantes\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263\"},\"headline\":\"Five Questions to Ask Your Business Associate: Question #4 Disaster Recovery\",\"datePublished\":\"2012-02-13T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associate-question-4-disaster-recovery\/\"},\"wordCount\":921,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.otava.com\/#organization\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associate-question-4-disaster-recovery\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associate-question-4-disaster-recovery\/\",\"url\":\"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associate-question-4-disaster-recovery\/\",\"name\":\"Five Questions to Ask Your Business Associate: Question #4 Disaster Recovery | OTAVA\",\"isPartOf\":{\"@id\":\"https:\/\/www.otava.com\/#website\"},\"datePublished\":\"2012-02-13T00:00:00+00:00\",\"description\":\"Part of due diligence is asking yourself and your partners detailed questions about contingency plans in the event of a disaster.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associate-question-4-disaster-recovery\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associate-question-4-disaster-recovery\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associate-question-4-disaster-recovery\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.otava.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Five Questions to Ask Your Business Associate: Question #4 Disaster Recovery\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.otava.com\/#website\",\"url\":\"https:\/\/www.otava.com\/\",\"name\":\"OTAVA\u00ae\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.otava.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.otava.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.otava.com\/#organization\",\"name\":\"OTAVA\u00ae\",\"url\":\"https:\/\/www.otava.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg\",\"contentUrl\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg\",\"caption\":\"OTAVA\u00ae\"},\"image\":{\"@id\":\"https:\/\/www.otava.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263\",\"name\":\"Irma Brillantes\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"caption\":\"Irma Brillantes\"},\"url\":\"https:\/\/www.otava.com\/blog\/author\/ibrillantesotava-com\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Five Questions to Ask Your Business Associate: Question #4 Disaster Recovery | OTAVA","description":"Part of due diligence is asking yourself and your partners detailed questions about contingency plans in the event of a disaster.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associate-question-4-disaster-recovery\/","og_locale":"en_US","og_type":"article","og_title":"Five Questions to Ask Your Business Associate: Question #4 Disaster Recovery","og_description":"Part of due diligence is asking yourself and your partners detailed questions about contingency plans in the event of a disaster.","og_url":"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associate-question-4-disaster-recovery\/","og_site_name":"OTAVA","article_published_time":"2012-02-13T00:00:00+00:00","author":"Irma Brillantes","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Irma Brillantes","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associate-question-4-disaster-recovery\/#article","isPartOf":{"@id":"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associate-question-4-disaster-recovery\/"},"author":{"name":"Irma Brillantes","@id":"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263"},"headline":"Five Questions to Ask Your Business Associate: Question #4 Disaster Recovery","datePublished":"2012-02-13T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associate-question-4-disaster-recovery\/"},"wordCount":921,"commentCount":0,"publisher":{"@id":"https:\/\/www.otava.com\/#organization"},"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associate-question-4-disaster-recovery\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associate-question-4-disaster-recovery\/","url":"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associate-question-4-disaster-recovery\/","name":"Five Questions to Ask Your Business Associate: Question #4 Disaster Recovery | OTAVA","isPartOf":{"@id":"https:\/\/www.otava.com\/#website"},"datePublished":"2012-02-13T00:00:00+00:00","description":"Part of due diligence is asking yourself and your partners detailed questions about contingency plans in the event of a disaster.","breadcrumb":{"@id":"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associate-question-4-disaster-recovery\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associate-question-4-disaster-recovery\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associate-question-4-disaster-recovery\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.otava.com\/"},{"@type":"ListItem","position":2,"name":"Five Questions to Ask Your Business Associate: Question #4 Disaster Recovery"}]},{"@type":"WebSite","@id":"https:\/\/www.otava.com\/#website","url":"https:\/\/www.otava.com\/","name":"OTAVA\u00ae","description":"","publisher":{"@id":"https:\/\/www.otava.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.otava.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.otava.com\/#organization","name":"OTAVA\u00ae","url":"https:\/\/www.otava.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.otava.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg","contentUrl":"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg","caption":"OTAVA\u00ae"},"image":{"@id":"https:\/\/www.otava.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263","name":"Irma Brillantes","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","caption":"Irma Brillantes"},"url":"https:\/\/www.otava.com\/blog\/author\/ibrillantesotava-com\/"}]}},"_links":{"self":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts\/1760","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/comments?post=1760"}],"version-history":[{"count":0,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts\/1760\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/media?parent=1760"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/categories?post=1760"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/tags?post=1760"},{"taxonomy":"other_category","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/other_category?post=1760"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}