What are HIPAA Data Backup Requirements?

Modified on Wed, 16 Jul at 5:10 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Introduction

This article discusses HIPAA Security Rule data backup requirements.

Where Does HIPAA Address Data Backup Requirements?

HIPAA addresses the subject of data backups in the Security Rule contingency plan standard. This standard is an administrative safeguard requirement.

45 CFR 164.308(a)(7)(ii)(A) is the data backup plan requirement. It provides: “Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.”

Is there a Data Backup Frequency Requirement?

The HIPAA Security Rule does not contain a data backup frequency requirement. In other words, there is no Security Rule provision that states how often backups must be performed - e.g., daily, weekly, monthly, etc. 

Per HHS guidance, a data backup plan should be focused on regularly copying protected health data to ensure it can be restored in the event of a loss or disruption.

The backup frequency must be appropriate for an organization's environment (pp. 19-20). Organizations should have a plan for determining which data is critically needed, for creating retrievable, exact copies of critical data, and for restoring that data, including from alternate locations. The plan should be tested and revised, as needed.

Can I Hire Someone to Manage Data Backup?

Small healthcare providers might seek to hire a managed service provider to manage data backup (page 3). Leveraging the cloud for backup purposes is acceptable if there are service and business associate agreements in place with the vendor. Covered entities should ensure compliance with agreements by verifying the security of the vendor’s systems. Data being backed up should be encrypted before it is stored on a cloud vendor’s system (page 21).
