I am planning system upgrades at several Group Practice doctor offices.
I am asking them questions concerning what their RTO (Recovery Time Objective) and RPO (Recovery Point Objective) may be so I can balance their budget with those objectives.
What I want to know from ServerFault is: does HIPAA have rules concerning the RPO and RTO for patient medical data?
I understand that if an office is audited and a patient was billed for a procedure, but the medical record is missing, the office could be fined up to $10,000 per patient. I do not know if that is a real fine, but it does lead me to include in the calculations potential fines and not just the potential loss in revenue a typical business may have.
Thank you,
Keith
I don't think they regulate that; presumably the office would have downtime procedures for capturing records on paper that would later be entered in the system after the upgrade is complete. HIPAA doesn't care if the system is up or not, just that you can produce the records when required, and that they are kept securely.