I am planning system upgrades at several Group Practice doctor offices.

I am asking them questions concerning what their RTO (Recovery Time Objective) and RPO (Recovery Point Objective) may be so I can balance their budget with those objectives.

What I want to know from ServerFault is this: does HIPAA have rules concerning the RPO and RTO for patient medical data?

I understand that if an office is audited and a patient was billed for a procedure, but the medical record is missing, the office could be fined up to $10,000 per patient. I do not know if that is a real fine, but it does lead me to include in the calculations potential fines and not just the potential loss in revenue a typical business may have.

Thank you,
Keith

Keith Sirmons

1 Answer

I don't think they regulate that; presumably the office would have downtime procedures for capturing records on paper that would later be entered in the system after the upgrade is complete. HIPAA doesn't care if the system is up or not, just that you can produce the records when required, and that they are kept securely.

SqlACID

  • HIPAA does not mandate RTO/RPO directly. It DOES mandate that the records must be stored securely and be available on proper request; therefore, practically, the RPO is "last record entered/updated", but most places I've seen work with a 1 day recovery point. – voretaq7 Jan 31 '10 at 20:21
  • The problem occurs when you are a paperless business and your recovery data is 24 hours old. There are no intermediate paper records to "produce when required". – Keith Sirmons Jan 31 '10 at 22:32
  • In that case a common scenario is to have a read-only server that is updated daily; it makes a great server for reporting too, but obviously it will cost some money. – SqlACID Feb 01 '10 at 00:17