HIPAA Security Compliance 101 - Lesson 1

HIPAA Compliant Backups


March 31st has been declared “World Backup Day.” While we’re sure backup companies will use this for marketing purposes, we recommend that all of our customers take a moment to think about whether their critical data is being securely backed up. Servers often get backed up automatically by the IT department, but what about your laptops, tablets, and smartphones? What about your saved email? When were these last backed up?

In addition, your backups must be “HIPAA compliant.” Here is a simplified description of what this means. Follow these simple steps and you will sleep better at night, knowing your data is safe and that you will sail through a HIPAA audit of your backup policies.

  • Comprehensive – Make sure ALL data critical to your operations is backed up.
  • Routine – A daily backup is often adequate; increase the frequency where it is not.
  • Secure – Backups containing PHI must be secured. Although not required by HIPAA, we suggest encrypting your backups using a HIPAA-approved encryption algorithm, such as AES-256.
  • Remote – For disaster recovery, make sure a secure copy of the backup is stored in a remote location.
  • Retained – Establish a retention policy so that “older” data can still be recovered.
  • Tested – Periodically do a test restore to make sure your backup and restore procedures work and that the backup contains all your critical data.
  • Reliable – If possible, make your backups 100% automated. Avoid manual steps; someone will eventually forget one or make a mistake. This step is optional but highly recommended.
  • Documented – As with all aspects of HIPAA, you need to put this in writing. Review it with others in your organization to make sure nothing has been overlooked.
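To make the checklist concrete, here is an added example script (written for this article, not CPS's own tooling) that turns the Secure, Remote, Retained and Tested items into an automated routine: it archives a directory, encrypts the archive with AES-256 using `openssl` (key derived from a passphrase file with PBKDF2), records a SHA-256 manifest of every file, copies the backup set to a second location and checks it arrived intact, performs a test restore that compares every restored file against the manifest, and prunes old backup sets to a retention count. The directory names, the passphrase file location and the use of a second local directory as the “remote” are assumptions for the example.

```shell
#!/bin/sh
# Added example for this article (not the author's or CPS's own tooling).
# Paths, the passphrase file and the "remote" directory are assumptions.

# Comprehensive + Secure: archive the source directory, encrypt it with
# AES-256-CBC (key derived from a passphrase file via PBKDF2) and record a
# SHA-256 hash of every file so a restore can be checked file by file.
# Usage: make_backup <src_dir> <backup_dir> <passphrase_file>
make_backup() {
    src="$1"; out="$2"; pass_file="$3"
    mkdir -p "$out" || return 1
    # Manifest of every file under src (paths relative to src, sorted).
    ( cd "$src" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) \
        > "$out/manifest.sha256" || return 1
    # Plaintext never touches disk outside the source: tar streams into
    # openssl. A tar failure here would surface in verify_backup.
    tar -C "$src" -cf - . \
        | openssl enc -aes-256-cbc -pbkdf2 -pass "file:$pass_file" \
            -out "$out/backup.tar.enc" || return 1
    # Hash of the encrypted blob, used to check copies and detect tampering.
    sha256sum "$out/backup.tar.enc" | cut -d' ' -f1 > "$out/backup.tar.enc.sha256"
}

# Remote: copy the backup set to a second location and confirm the encrypted
# blob arrived intact by comparing it to its recorded hash.
# Usage: copy_offsite <backup_dir> <remote_dir>
copy_offsite() {
    src="$1"; dst="$2"
    mkdir -p "$dst" || return 1
    cp "$src/backup.tar.enc" "$src/backup.tar.enc.sha256" "$src/manifest.sha256" "$dst/" \
        || return 1
    [ "$(sha256sum "$dst/backup.tar.enc" | cut -d' ' -f1)" = "$(cat "$dst/backup.tar.enc.sha256")" ]
}

# Tested: check the blob's hash, decrypt into a scratch directory and verify
# every file in the manifest. Returns 0 only if the full restore matches.
# Usage: verify_backup <backup_dir> <passphrase_file>
verify_backup() {
    bak="$(cd "$1" && pwd)" || return 1
    pass_file="$2"
    [ "$(sha256sum "$bak/backup.tar.enc" | cut -d' ' -f1)" = "$(cat "$bak/backup.tar.enc.sha256")" ] \
        || { echo "verify: encrypted blob hash mismatch" >&2; return 1; }
    scratch="$(mktemp -d)" || return 1
    mkdir "$scratch/files"
    rc=1
    if openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$pass_file" \
            -in "$bak/backup.tar.enc" -out "$scratch/restore.tar" \
       && tar -C "$scratch/files" -xf "$scratch/restore.tar" \
       && ( cd "$scratch/files" && sha256sum -c "$bak/manifest.sha256" > /dev/null ); then
        rc=0
    fi
    rm -rf "$scratch"
    return $rc
}

# Retained: keep the newest N backup sets under a root directory (sets are
# subdirectories named so lexical order is chronological, e.g. 2026-01-15T020000)
# and remove the older ones.
# Usage: prune_backups <root_dir> <keep_count>
prune_backups() {
    root="$1"; keep="$2"
    ls -1d "$root"/*/ 2>/dev/null | LC_ALL=C sort -r | tail -n +"$((keep + 1))" \
        | while read -r old; do rm -rf "$old"; done
}

# Example nightly run (paths are placeholders):
#   SET="/backups/$(date +%Y-%m-%dT%H%M%S)"
#   make_backup /srv/ehr "$SET" /etc/backup/passphrase \
#     && copy_offsite "$SET" "/mnt/offsite/$(basename "$SET")" \
#     && verify_backup "/mnt/offsite/$(basename "$SET")" /etc/backup/passphrase \
#     && prune_backups /backups 30
```

The test restore is the step most organizations skip: `verify_backup` fails both when the encrypted copy was altered in transit (hash mismatch) and when the passphrase file has drifted from the one used at backup time, which is exactly the kind of silent failure a HIPAA audit of restore procedures is meant to catch.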

Don’t hesitate to contact CPS at if you have questions.