HIPAA security rule and backups

HIPAA Compliant Backup & Disaster Recovery Strategies for Healthcare Organizations

Healthcare organizations have a long list of guidelines to follow to keep patient data and electronic protected health information (ePHI) private and secure while maintaining compliance with HIPAA. “ePHI” includes all patient information, including diagnostic and medical information, accounting data, and documentation such as x-rays and images.

If you are evaluating or upgrading the backup solution for your healthcare organization, you may be wondering what features to look for to ensure HIPAA compliance. The HIPAA Security Rule has guidelines in place to make sure that patient data and ePHI are backed up and that this data can be restored in the event of an incident. These requirements allow for some flexibility of approach.

HIPAA security rule and backups

Here are some key excerpts from the HIPAA Security Rule as it pertains to backups and disaster recovery:

  • CFR 164.306(a)(1): all covered entities must “Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.”
  • CFR 164.308(a)(7)(i): “Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.”
  • CFR 164.308(a)(7)(ii)(A): all covered entities must “establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.”
  • CFR 164.308(a)(7)(ii)(B): Disaster recovery plan (Required). “Establish (and implement as needed) procedures to restore any loss of data.”

For Healthcare Organizations Backups Are Required! Here is What to Look For.  

Backups that comply with HIPAA Security Rule


In the event of an emergency that impacts your data stored at your primary location, you need to be able to restore data. Offsite backups, whether in the cloud or at a secondary location, are required. 

Frequent Backups

Data should be backed up as frequently as possible and, at minimum, once per day.


Encrypt electronic patient data both at rest and in transit with 256-bit AES encryption, and use two-factor authentication for access.

Data Center Security

Off-site backups need to be stored in a secure facility with limited access and 24 x 7 x 365 security and surveillance. If the secondary backup location is in the cloud, the data center should follow standards such as SOC 2.

Limit & Control User Access

Only users and employees who require access to the backups should have it. User authentication methods should be used to verify or deny that access.

Monitoring & Reporting

Backups need to be monitored, with regular reports generated and alerts flagged in the event of a backup failure.

Data Restoration

Backup solutions should offer business continuity and disaster recovery so data can be restored easily and quickly.

Data Retention

The HIPAA Security Rule does not provide guidance on the retention period for ePHI; however, it requires retention of documentation for 6 years from the date it went into effect.


StillPoint Systems
