how "HIPAA" some of these other off-site back-ups are?
Finding the exact rules relating to this on the HIPAA website
(http://www.hhs.gov/ocr/hipaa/) is a little time consuming, but I did end up locating them.
Short answer is yes, these outside services do comply with HIPAA requirements.
The requirements can be found in the Security Final rule section of the HIPAA website:
http://www.cms.hhs.gov/SecurityStandard/Downloads/securityfinalrule.pdf

In the 49-page treatise there is a section on "Technical Safeguards" which describes the need for "Access control; Audit controls; Authorization control; Data authentication; and Entity authentication". Also needed for actual communication of data were "Integrity controls; Message authentication; Access controls; Encryption; Alarm; Audit trails; Entity authentication; and Event reporting". If you want to read the specifics, they are found around page 24/49.
Each of the external backup offerings meets the intent of the above requirements. Of course, it is incumbent on each practice to keep its IDs/passwords private and not turn off the encryption features.