It’s hardly surprising that HIPAA regulations require covered entities to back up their data. In order to achieve HIPAA backup compliance, however, organizations will need to do more than just create backups. Here are a few things to consider.
One of the main HIPAA data protection requirements is that organizations must store backup copies off-site in a location that is physically separate from the original data. When the Department of Health and Human Services crafted the regulation, the technology available at the time meant organizations typically had to make a tape backup and ship it off-site. Today, cloud backups have become the norm. While there is nothing wrong with using cloud backups, copies of working data sets must be stored in a different location.
If, for example, data is stored in the Amazon cloud, then it would be wise to back the data up to the Microsoft cloud or to another non-Amazon cloud. Incidentally, there is no rule against creating multiple backup copies, which means that organizations could conceivably have a backup copy in the same cloud where highly active data resides, for convenience, while saving a secondary backup copy in another cloud to satisfy HIPAA’s off-site requirement.
Be sure to encrypt
Another important HIPAA requirement is that organizations must encrypt backups. In the days of tape backup, this primarily meant writing encrypted data to tape. In the cloud era, backups must be encrypted at rest and in flight. This means that businesses cannot transmit backup data in an unencrypted format, nor can the backup files reside on unencrypted storage.
Document backup processes
In addition to maintaining basic backup security, HIPAA also requires documentation of backup policies and procedures. It is important to create and maintain backups in accordance with any pre-documented written procedures. If an organization is ever subjected to a HIPAA compliance audit, then the auditors will check to make sure that backup policies and procedures have been thoroughly documented. They will also check to ensure that backups are being created in accordance with the documentation. If the way backups are created or maintained by the organization changes, it will also need to update documentation of those procedures.
Don’t forget testing
When formulating backup policies and procedures, make sure to address the issue of backup testing. There are two reasons for this.
First, HIPAA regulations mandate that backups be fully recoverable. An organization can incur millions of dollars in fines if it is unable to fully restore a backup within 30 calendar days after receiving a request for data. Organizations may receive an additional 30 days, but they must provide the requester of the data a written statement as to why data could not be restored within the initial 30-day period. This alone should be enough to make backup testing a priority.
Second, HIPAA requires covered entities to test their backups. In fact, organizations are required to document their testing procedures, which includes how often tests are performed, and the procedure in place for revising the organization’s contingency plans if backup tests reveal a problem.
Finally, it’s critical to review HIPAA’s backup requirements. These requirements are outlined in Part 164 of the HIPAA regulations.