What Is Your HIPAA Data Backup Plan?

By Marty Puranik, co-founder and CEO, Atlantic.Net.

Marty Puranik
Marty Puranik

The data backup plan was established as a mandatory stage of HIPAA compliance to create, implement and maintain a set of rules and procedures for healthcare organizations to follow when managing the backup and restore requirements of electronic protected health information (ePHI). A data backup plan is part of the HIPAA Security Rule and encompasses wider contingency planning processes that any chosen business associate (BA) or managed service provider (MSP) must be able to demonstrate a compliant backup service capable of backing up and restoring exact copies of healthcare data when required.

The data backup plan should be integrated within a wider contingency plan because it is designed as a failsafe for the protection of patient data. Most MSPs will already be offering disaster recovery technology capable of moving over data and services to a secondary location almost instantaneously. But backups are often considered the last line of defense in the event of a catastrophic system failure. It allows for data restoration capability to be available in the worst possible scenarios.

When choosing a HIPAA compliant healthcare hosting service, it is important to understand the requirements of the HIPPA Security Rule. It demands a backup solution that adheres to the following criteria:

In order to meet these requirements, most healthcare organizations choose to outsource critical IT services to a third party. Meeting these criteria then becomes the responsibility of the MSP.

In order to achieve HIPAA standards, the MSP is expected to perform an assessment of the types and quantities of ePHI data to be managed, plus understand how the application stacks are used to store this data.

An appropriate backup schedule will be assigned to the relevant IT systems to ensure data integrity and data security. The schedules can vary, and in some circumstances, a daily backup performed at the end of the business day is satisfactory. In other circumstances, the backups need to be scheduled to the hour or minute.

The MSP will determine what type of backup media is to be used. Typically this is disk-based storage. Once successful backups have been achieved, the restore process must be tested. This will confirm the data integrity but will also test the backup engineer’s ability to restore data and how quickly the process takes to complete.

Typically, the following test procedures would be performed:

It is often recommended to healthcare organizations to delegate the backup and restore responsibilities to a compliant cloud or Backup-as-a-Service (BaaS) offering. To meet requirements, the BaaS is required to use offsite backup technology which will completely offload the ePHI healthcare infrastructure to an external location.

This is most frequently done by using site-to-site replication technology, or can even be achieved by shipping backup tape media to a compliant external location. As backup data is transferred externally over a network it is imperative to determine the network security provided by the MSP.

HIPAA legislation demands compliance on a number of networking techniques. Network traffic must utilize strong AES 256-bit encryption when transmitting externally. Remote client access must be managed by signed SSL certificates. This is usually achieved by using a secure and redundant VPN solution.

So far, we have discussed the compliance and technology requirements of a data backup plan. But to finish I will discuss what needs to be in your plan. Please note that there is no set template for a compliant data backup plan, however, it is essential to establish:

In summary, the data backup plan is a required stage of compliance and must form part of a contingency plan that meets HIPAA standards. Losing data has huge consequences, even-more-so for healthcare organizations who routinely handle sensitive and private data. If access to critical pharmacy systems, lab systems or EHR systems was severed, a healthcare practice would struggle to continue business operations. This risks damaging reputation and ultimately could risk patient lives.

Write a Comment

Your email address will not be published. Required fields are marked *