What Should a HIPAA Data Backup Plan Look Like?

The data backup plan is a required implementation specification of the Contingency Plan standard (45 CFR 164.308(a)(7)), one of the administrative safeguards of the HIPAA Security Rule, which was published in 2003. The day-to-day procedure is often delegated to a HIPAA compliant hosting provider acting as a business associate, and it normally forms part of the wider disaster recovery and business continuity planning.

The purpose of the data backup plan is to ensure that retrievable, exact copies of electronic Protected Health Information (ePHI) are created on a predefined backup schedule that preserves the integrity and recoverability of the data. The covered entity and its managed service provider must agree a data retention policy and provide offsite storage for the replica copies.

Some providers still achieve this with tape, but it has become increasingly common to hold backup data on secure, redundant storage systems in geographically separate locations. Data is replicated from the source location to at least one other offsite location, and regular test restores should be conducted to confirm that the backup data is actually recoverable, not merely present.

What is in the Data Backup Plan?

Before the backup plan is completed, a risk assessment must be undertaken to determine where ePHI resides in the existing environment. It must be established which ePHI is currently backed up and which (if any) is not. The analysis is used to create a roadmap of the requirements needed to achieve compliance, and a backup, recovery, and testing strategy should be determined from it.

The plan states who is responsible for ensuring that exact, retrievable copies of the data are made. Many healthcare organizations outsource this responsibility to a managed service provider, which then becomes a business associate bound by a business associate agreement to safeguard the confidentiality, integrity, and availability of ePHI; the covered entity nevertheless remains accountable for the plan.

A backup schedule is created and published stating which servers are backed up and whether the cadence is hourly, daily, weekly, monthly, or annually. The type of backup is also defined: full, incremental, differential, or a one-off backup. It must also be documented whether each job is a file-level, VM-level, or application-level backup, because that determines what a restore can actually recover.

The managed service provider works with the covered entity to identify the critical servers within the infrastructure. Occasionally an individual backup schedule is needed; for example, a file server that is accessed 24/7 by staff and by other core infrastructure servers may require an incremental backup every 2 to 4 hours.

The backups defined in the plan must run as automated tasks, monitored by support staff with detailed reporting enabled so that incidents such as a failed or missed backup are caught. Some organizations purchase a managed service so that support staff monitor and resolve backup failures, for example re-running a failed backup at an appropriate time or escalating a problem to senior management out of hours.

Detailed logging is enabled as part of the plan; the logs are stored securely and are retrievable only by authorized personnel. The log of each job must include the start and end times, the server name, the size of the backup, and the storage locations of the primary copy and the replicated secondary copy. A summary of the logs can be reported on and automatically emailed where necessary.
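As an added example that is not part of the article or of Atlantic.Net's service, the following Python script checks a set of constructed backup log records (in a made-up pipe-separated format carrying exactly the fields listed above) against a published schedule. It reports failed runs, backups older than their schedule allows, servers in scope with no backup at all, copies with no offsite replica, and it includes the SHA-256 comparison a test restore should perform. All server names, timestamps, paths and the schedule are assumptions.

```python
"""Check constructed backup log records against a published schedule.

Added example, not code from the article or Atlantic.Net. The log format,
server names, schedule and timestamps are all made up for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib

# Constructed schedule: server -> (backup type, maximum gap between successful runs)
SCHEDULE = {
    "fs01": ("incremental", timedelta(hours=4)),   # busy file server, 2 to 4 hourly
    "db01": ("full", timedelta(days=1)),
    "app01": ("full", timedelta(days=1)),
    "ehr02": ("full", timedelta(days=1)),          # in scope, but never backed up
}

# Constructed log lines, one per job:
# start|end|server|type|status|size_bytes|primary_location|secondary_location|sha256
SAMPLE_LOG = """\
2024-05-01T00:00:00|2024-05-01T00:42:10|db01|full|success|53687091200|vault-a/db01/20240501|dr-vault-b/db01/20240501|ab12
2024-05-01T20:00:00|2024-05-01T20:05:01|fs01|incremental|success|2147483648|vault-a/fs01/20240501-20|dr-vault-b/fs01/20240501-20|cd34
2024-05-02T00:00:00|2024-05-02T00:03:17|db01|full|failed|0|vault-a/db01/20240502||
2024-05-02T00:00:00|2024-05-02T00:30:00|app01|full|success|10737418240|vault-a/app01/20240502||ef56
"""

# Constructed "current time" at which the check is run.
NOW = datetime(2024, 5, 2, 6, 0, 0)


@dataclass
class BackupRecord:
    start: datetime
    end: datetime
    server: str
    kind: str
    status: str
    size_bytes: int
    primary: str
    secondary: str
    sha256: str


def parse_log(text):
    """Parse the pipe-separated log format above; reject malformed lines loudly."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("|")
        if len(f) != 9:
            raise ValueError(f"malformed record: {line!r}")
        records.append(BackupRecord(
            start=datetime.fromisoformat(f[0]), end=datetime.fromisoformat(f[1]),
            server=f[2], kind=f[3], status=f[4], size_bytes=int(f[5]),
            primary=f[6], secondary=f[7], sha256=f[8]))
    return records


def find_issues(records, schedule, now):
    """Return human-readable findings: failed runs, stale or missing backups,
    missing offsite copies, missing integrity hashes, and unscheduled servers."""
    issues = []
    for server, (kind, max_gap) in sorted(schedule.items()):
        runs = [r for r in records if r.server == server]
        for r in runs:
            if r.status != "success":
                issues.append(f"{server}: {r.kind} backup started "
                              f"{r.start.isoformat()} ended with status '{r.status}'")
        good = [r for r in runs if r.status == "success"]
        if not good:
            issues.append(f"{server}: no successful backup on record")
            continue
        last = max(good, key=lambda r: r.end)
        if now - last.end > max_gap:
            hours = max_gap.total_seconds() / 3600
            issues.append(f"{server}: last successful backup {last.end.isoformat()} "
                          f"is older than the {hours:g}h schedule")
        if last.kind != kind:
            issues.append(f"{server}: schedule says {kind} but last run was {last.kind}")
        if not last.secondary:
            issues.append(f"{server}: latest backup has no offsite (secondary) copy")
        if not last.sha256:
            issues.append(f"{server}: latest backup has no integrity hash")
    # A server that is backed up but absent from the schedule is a documentation
    # gap the risk assessment should have closed.
    for server in sorted({r.server for r in records} - set(schedule)):
        issues.append(f"{server}: backed up but not in the published schedule")
    return issues


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_restore(restored_bytes, expected_sha256):
    """Test-restore check: the restored copy must hash to what the log recorded."""
    return sha256_hex(restored_bytes) == expected_sha256


def run_check():
    """Run the check over the constructed log at the constructed current time."""
    return find_issues(parse_log(SAMPLE_LOG), SCHEDULE, NOW)


if __name__ == "__main__":
    for issue in run_check():
        print("FINDING:", issue)
```

The findings list is exactly what the support-staff reporting described above should surface, and the same loop can be scheduled to run after every backup window; the only part that changes for a real deployment is the parser, which must be written for the actual backup tool's log or API output rather than the constructed format used here.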

Additional Safeguards for a data backup plan

Many of the physical, administrative, and technical safeguards of HIPAA directly influence the data backup plan. Backup data should be encrypted at rest and in transit (encryption is an addressable specification under the Security Rule, but it is the expected practice), and access to it must be protected by unique user identification, multi-factor authentication, and a strict access control list (ACL). The ACL should use role-based rules so that users are granted access only on a need-to-know basis, following a least privilege design.

Documentation plays a major part in the data backup plan. Many documents must be created and maintained, such as the backup policy, the schedule, the backup process, the restore process, a description of how backups are used in a disaster recovery scenario, and the contingency plan.

Data Retention and Data Destruction

Understanding how long PHI can be kept and when it must ultimately be destroyed is an important part of the data backup plan. There is no expiry date for PHI defined in the HIPAA legislation (the six-year retention requirement in the Security Rule applies to policies and documentation, not to the PHI itself), so the covered entity and its business associates are expected to agree the retention period together. Importantly, state medical-record retention laws also apply, and they differ according to the state law the covered entity is subject to: some states may advise three years of retention (Nevada), others may demand 11 years (South Carolina).

Once the retention period has been met the PHI backup is deleted and overwritten. Overwriting storage with zeros makes recovery from magnetic media very difficult, but it is not reliable on SSDs or on cloud object storage, where destroying the encryption key that protects the data (crypto-shredding) is the practical method; NIST SP 800-88 describes the accepted sanitization methods for each media type. If a hard disk in a backup server fails, clear guidelines are needed on how the media is securely destroyed. Certified destruction with a certificate of destruction is recommended, usually with the drives shredded onsite.

To conclude, the data backup plan must include the key points covered here. The risk assessment is the foundation of the entire backup service. Understanding which databases, applications, and file servers are backed up, and where ePHI is located, underpins the whole process. Regular reviews of the backups, confirming that every required drive on every server is being replicated, are essential.

Testing the data backup plan as part of a disaster recovery plan should take place at least annually. The disaster recovery test offers a real-world rehearsal of what will happen when critical PHI needs restoring. Importantly, any concerns or issues experienced during the test must be documented afterwards and another roadmap created to remedy them in the near future.


Chase Higbee, Lead IT Strategist, Atlantic.Net