If you’re in charge of data operations for a HIPAA-covered entity, you may have questions about your obligations regarding data backup and disaster recovery under HIPAA compliance. In this article, we’ll explore the HIPAA requirements for data backup so that your organization can be ready with a disaster recovery plan.

In This Article


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its subsequent amendments were enacted into law to protect patient healthcare data, also known as Protected Health Information (PHI); HIPAA protections also apply to Electronic Health Records (EHR) – PHI stored on computers. Managed service providers who maintain HIPAA compliance must adhere to several stringent regulations that are designed to limit the exposure of confidential or sensitive patient information from unauthorized access.

HIPAA’s Online Data Backup and Retention Requirements

There are two specific criteria that relate to data backups and data retention within HIPAA legislation. These are referred to as the Data Backup Plan and Retention Period. Each of these criteria contains several physical, technical and administrative safeguards which must be in place for an MSP to qualify as HIPAA compliant. These safeguards relate to what type of data is stored, how data is stored or transferred, and how long data is retained.

HIPAA-Compliant Data Backup Plan

HIPAA’s data backup plan criteria are essentially the rules on how a compliant MSP will back up healthcare data. The data backup plan is part of a wider contingency plan or HIPAA compliant disaster recovery strategy which will protect the healthcare organization’s data and infrastructure in the event of a major system failure or disaster situation.

HIPAA regulations require the managed service provider to implement a full backup schedule of the entire healthcare infrastructure containing patient data as well as any systems that handle any type of electronic protected health information (ePHI). Examples of such ePHI are patient details, diagnostic images, medical records, accounting information, or any other relevant healthcare documentation stored digitally.

The MSP or healthcare organization must back up data frequently (at least daily) and maintain weekly, monthly, and annual archives. All data is stored in a secured data center location on physical media (normally disk or tape). The HIPAA-compliant backup solution must be protected by encryption and offer the following safeguards:

  • Data Redundancy – Data should be securely stored in at least 2 disparate locations, and it is often recommended to have at least 3 copies of current data – for example, a copy for Production, UAT, and disaster recovery. This can be achieved by using automated site-to-site disk replication technologies such as a data domain or other disk-based solutions. A like-for-like encrypted copy of the production data will be copied from site A to site B.
  • Data Encryption – Any data stored in a digital format and hosted on HIPAA compliant infrastructure must be encrypted with a 256bit AES encryption standard and a two-factor authentication mechanism. This ensures that only the healthcare organization has access to electronic patient information, significantly reducing the risk of unauthorized access. Common devices for encryption include PKI secure cards and RSA tokens.
  • Data Transfers – Any data that is transmitted over public networks, such as using a VPN over an internet connection or network traffic from a backup node to a public cloud provider, must be encrypted with 256-bit AES and two-factor authentication. This method of encryption protects network traffic and makes it extremely difficult to intercept and decipher any usable information.
  • Data Restoration – The Managed Service Provider must be capable of restoring backup data to its original or a new location. This process of continuous data protection (CDP) must be regularly tested, usually by performing ad hoc test restoration, thus proving to auditors that the requirements of data integrity are met. A robust and reliable backup solution is essential to meet this requirement.
  • Data Monitoring – Backup services must be monitored to report backup failures or replication issues, and problems may require manual intervention to resolve, but the logging of incidents should be automated.

The protection of healthcare data must be the cornerstone of a HIPAA-compliant hosting service provider. Protected health information (PHI) must be stored and transmitted with the highest level of sensitivity and security. In addition to the requirements for a HIPAA-compliant data backup plan, managed service providers (MSPs) must also adhere to the following safeguards in order to protect backup data:

HIPAA Backup Physical Safeguards

  • Data Center Security – Data centers must be resilient, secure compounds manned 24x7x365 by security personnel. The data center must also be protected by access control measures so that only authorized users can enter the data center. It is also recommended that all service provider employees submit to security screening prior to employment.
  • Access Control – The service provider must enforce strict facility access controls and workstation security policies and actively manage device and media control systems (such as mobile phones and USB sticks).
  • User Account Control – Local and remote access to server infrastructure must be protected by a stringent security policy applied to user accounts and groups. Policies should be created to ensure access is restricted and only available on a need-to-know basis. This affects both administrators and standard users.

HIPAA Backup Infrastructure Safeguards

  • Infrastructure security – The disk arrays where patient information is kept or backed up, as well as the entire server infrastructure, must be protected with strict access control measures, including actively audited user account access to the protected infrastructure. Data should also be protected with complex security algorithms to safeguard data integrity.
  • Geofencing – Network-level geofencing allows or denies access to infrastructure based on the requesting IP address range. This safeguard protects against unauthorized access to patient data based on the user location and can stop data from going to any unauthorized external sources. Geolocation and tracking should be enabled to discover and report on any remote devices with access to ePHI (such as laptops) in case items are lost or stolen – most AV solutions provide this feature.
  • Tamperproof logging – The MSP must be able to create audit trails for users and administrators. These logs should not be editable by admins. This allows for sophisticated monitoring to detect trends and patterns of data and system usage.

HIPAA Backup Data Retention Period

The second required criterion is the HIPAA data retention period requirement, which refers to how long data must be kept in its digital format. Retention can be a difficult and often confusing subject, as there is no specific HIPAA rule for medical records retention. That is defined by US state law only. However, retention records for action, activity, or assessment are required by HIPAA.

The HIPAA Journal sums up the retention requirements well, stating that “HIPAA compliance stipulates the documents must be retained for a minimum of six years from when the document was created, or – in the event of a policy – from when it was last in effect. Therefore, if a policy is implemented for three years before being revised, a record of the original policy must be retained for a minimum of nine years after its creation.”

The HIPAA Journal and Linford & Co both suggest that the following types of electronic documents are covered by the six-year retention policy.

  • Risk Assessments and Risk Analyses
  • Disaster Recovery and Contingency Plans
  • Business Associate Agreements
  • Information Security and Privacy Policies
  • Incident and Breach Notification Documentation
  • Physical Security Maintenance Records
  • Logs Recording Access to and Updating of PHI
  • IT Security System Reviews (including new procedures or technologies implemented)

There is no definitive list, and we recommend that you work with your business associates to determine retention requirements.

Service providers must not only adhere to these retention rules but also provide adequate plans on how data will be destroyed after the retention period has passed. Some IT service providers’ policies may keep data permanently, either in decommissioned storage LUNs or locked in a fire-safe, but HIPAA demands compliance with how data is securely erased when the time comes, whether due to hardware error (such as a failed disk) or if the retention period passes. Typically, this would require the service provider to produce certified evidence that the data has been destroyed, which can be presented to auditors.

How Can You Achieve a HIPAA-Compliant Backup Solution?

The rapid growth of data, shrinking backup windows and budgets, scaling issues, and multiplatform environments currently in place in the healthcare industry all present significant challenges for server administrators. Atlantic.Net seeks to help. Through our powerful Server Backup Manager – a fast, affordable platform for both Linux and Windows – we perform backups either daily or in real-time for each of our HIPAA clients. Incremental backups are done at the block level for advanced speed, and clients have full control over when, where, and how their data is stored. Data is by default kept in our SSAE 16 Type II Orlando data center, secured through both on-site measures and by a suite of powerful and robust security software.

In addition to a host of customization options, our backup platform is also equipped with robust monitoring tools, portable backups, point-in-time snapshots, and the ability to perform a bare-metal restore at any point in time. We support backups for the majority of virtualized platforms, as well as a wide range of SQL servers and databases.

Ready to set up a HIPAA-compliant data backup solution? Contact Atlantic.Net today to learn how we can help!