What is HIPAA Offsite Data Backup?
For healthcare providers, backing up data plays an essential role in reducing the likelihood of losing critical data in the event of a breach. HIPAA offsite data backup is discussed below.
HIPAA Offsite Data Backup: Types of Backup
The administrative safeguards standard of the HIPAA Security Rule requires covered entities and business associates to develop a contingency plan. In a contingency plan, an organization establishes and implements policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, or natural disaster) that damages systems containing ePHI. A data backup plan is a required element of that contingency plan.
Creating a data backup plan requires an organization to establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information (ePHI). These copies can be stored at the organization’s own physical location, as “onsite” backup data. Offsite backup data, in contrast, is backed up at a remote location, either at a remote data center or through the cloud.
HIPAA Offsite Data Storage: Cloud Centers
Organizations are moving away from remote data center backup to another type of offsite data storage: cloud-based backup. Cloud backup is a storage strategy that makes an identical copy of existing PHI and then transfers that information through the Internet to an offsite server. The data can then be retrieved or recovered from any location that has an Internet connection.
Once an organization selects a cloud backup vendor, the vendor installs a software package on the organization’s computer system. The organization selects what files and folders it wants backed up. The first backup is then performed. The software then runs “behind the scenes,” continuously, saving and storing updated data on a recurring basis.
Cloud backup should not be confused with “cloud storage.” Cloud backup is a software-based solution that automates the backup process itself, and cloud backup plans typically offer large data capacities.
HIPAA Offsite Data Backup: Security Rule Requirements
Covered entities must comply with the HIPAA Security Rule. Before a covered entity chooses a data backup solution, it should vet the potential vendor to ensure the vendor’s practices are in line with what the HIPAA Security Rule demands. Once the covered entity is assured that the vendor will properly safeguard its ePHI, it must enter into a signed business associate agreement with the vendor.
In addition, organizations must document their backup policies and procedures. Backup policies and procedures should:
- Identify the databases containing ePHI
- Identify email systems containing ePHI
- Identify the technical, physical, and administrative safeguards the organization has in place to ensure backups run smoothly
- Include documentation of backup frequency
- Contain a process for periodic review of the cloud backup provider’s compliance with the business associate agreement
In addition, backed-up cloud data must be given the same HIPAA treatment as backed-up data stored at any other offsite location. “The same HIPAA treatment” means that this data should be encrypted. The cloud solution must also provide audit and access logs, and ensure that access is restricted to authorized users.
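The following is an added example, not code from the original article or from any backup vendor, showing in Go what the backup workflow described under “Cloud Centers” and the controls listed just above look like when implemented together: an initial full copy of the selected files (here, the regular files in one directory), a manifest of SHA-256 hashes that serves as evidence the copies are retrievable exact copies, AES-256-GCM encryption of the bundle at rest, an allow-list that restricts backup and restore to authorized actors, and an append-only audit log recording every backup, restore, denial and failed decryption. The actor names, file paths and the `authorized` map are constructed assumptions; a real deployment would obtain the key from a key management service and the actor identity from the organization’s identity provider.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// AuditEntry is one JSON line of the backup audit log: who, what, which target, outcome.
type AuditEntry struct{ Time, Actor, Action, Target, Result string }

// authorized is a constructed allow-list standing in for the organization's
// identity system (an assumption of this example); nobody else may touch ePHI.
var authorized = map[string]bool{"backup-svc": true, "it-admin": true}

// audit appends an entry; the log file is created owner-only (0600).
func audit(logPath, actor, action, target, result string) {
	f, err := os.OpenFile(logPath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o600)
	if err != nil { return }
	defer f.Close()
	json.NewEncoder(f).Encode(AuditEntry{time.Now().UTC().Format(time.RFC3339), actor, action, target, result})
}

// newAEAD returns AES-256-GCM for a 32-byte key. GCM authenticates the
// ciphertext, so a tampered or truncated bundle is rejected, not restored.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Backup copies every regular file directly under srcDir into one encrypted
// bundle laid out as nonce || ciphertext || tag, and returns the manifest
// (file name -> SHA-256 hex): the "retrievable exact copies" evidence.
// An unauthorized actor is refused and logged before any ePHI is read.
func Backup(actor, srcDir, bundlePath, logPath string, key []byte) (map[string]string, error) {
	if !authorized[actor] {
		audit(logPath, actor, "backup", srcDir, "denied")
		return nil, fmt.Errorf("actor %q is not authorized to back up ePHI", actor)
	}
	entries, err := os.ReadDir(srcDir)
	if err != nil { return nil, err }
	manifest, files := map[string]string{}, map[string][]byte{}
	for _, e := range entries {
		if e.IsDir() { continue }
		data, err := os.ReadFile(filepath.Join(srcDir, e.Name()))
		if err != nil { return nil, err }
		sum := sha256.Sum256(data)
		manifest[e.Name()], files[e.Name()] = hex.EncodeToString(sum[:]), data
	}
	g, err := newAEAD(key)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize()) // fresh random nonce per bundle
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	plain, _ := json.Marshal(files) // []byte values are stored base64-encoded
	if err := os.WriteFile(bundlePath, g.Seal(nonce, nonce, plain, nil), 0o600); err != nil {
		return nil, err
	}
	audit(logPath, actor, "backup", bundlePath, "ok")
	return manifest, nil
}

// VerifyRestore decrypts the bundle and recomputes every hash against the
// manifest: the periodic restore test that proves the copies are still exact.
func VerifyRestore(actor, bundlePath, logPath string, key []byte, manifest map[string]string) (bool, error) {
	if !authorized[actor] {
		audit(logPath, actor, "restore", bundlePath, "denied")
		return false, fmt.Errorf("actor %q is not authorized to restore ePHI", actor)
	}
	sealed, err := os.ReadFile(bundlePath)
	if err != nil { return false, err }
	g, err := newAEAD(key)
	if err != nil || len(sealed) < g.NonceSize() {
		return false, fmt.Errorf("bad key or truncated bundle")
	}
	ns := g.NonceSize()
	plain, err := g.Open(nil, sealed[:ns], sealed[ns:], nil)
	if err != nil {
		audit(logPath, actor, "restore", bundlePath, "decrypt-failed")
		return false, err
	}
	var files map[string][]byte
	if err := json.Unmarshal(plain, &files); err != nil { return false, err }
	ok := len(files) == len(manifest)
	for name, want := range manifest {
		sum := sha256.Sum256(files[name])
		ok = ok && hex.EncodeToString(sum[:]) == want
	}
	audit(logPath, actor, "restore", bundlePath, fmt.Sprintf("verified=%v", ok))
	return ok, nil
}
```

Running `VerifyRestore` on a schedule, and reviewing the `audit.jsonl` lines it and `Backup` produce, is the concrete form of the periodic review called for in the backup policy above: a `denied` entry shows an access attempt by someone outside the allow-list, and a `decrypt-failed` entry shows a wrong key or a bundle that was altered in storage, both of which are worth investigating rather than retrying.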