DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Introduction
This article discusses HIPAA Security Rule data backup requirements.
Where Does HIPAA Address Data Backup Requirements?
HIPAA addresses the subject of data backups in the Security Rule contingency plan standard. This standard is an administrative safeguard requirement.
45 CFR 164.308(a)(7)(Ii)(A) is the data backup plan requirement. It provides: “Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.”
Is there a Data Backup Frequency Requirement?
The HIPAA Security Rule does not contain a data backup frequency requirement. In other words, there is no Security Rule provision that states how often backups must be performed - e.g., daily, weekly, monthly, etc.
Per HHS guidance, a data backup plan should be focused on regularly copying protected health data to ensure it can be restored in the event of a loss or disruption.
The backup frequency must be appropriate for an organization's environment (pp. 19-20). Organizations should have a plan for determining which data is critically needed, and for creating retrievable, exact copies of critical data and how to restore that data, including from alternate locations. The plan should be tested and revised, as needed.
Can I Hire Someone to Manage Data Backup?
Small healthcare providers might seek to hire a managed service provider to manage data backup (page 3). Leveraging the cloud for backup purposes is acceptable if there are service and business associate agreements in place with the vendor. Covered entities should emsure compliance with agreements through verifying the security of the vendor’s systems. Data being backed-up should be encrypted prior to storage to a cloud vendor’s system (page 21).
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article