HIPAA: Check your Backup and Restore Solution

BY Brian Rutledge

Despite the huge damage of a data breach in terms of cost, reputation, and business losses, backup and recovery systems are currently in use at only 45% of surveyed healthcare organizations, and more than 38% are not planning to use backup and recovery systems at all.

Why put yourself and your organization under the looming stress and liability of a PHI data breach? A HIPAA-compliant backup and restore solution can ensure your complete compliance and eliminate worry over data loss (not to mention saving you from costly fines and negative press).

HIPAA Backup and Restore

HIPAA puts the backup and restore accountability squarely on Covered Entities. According to HIPAA Rules, covered entities “must securely back up retrievable exact copies of electronic protected health information” and must be able to fully “restore any loss of data.” The Security Rule mandates that the backup should be frequent, encrypted, tested and stored offsite.

Furthermore, most CSPs recommend implementing a third-party backup solution to augment the protection they’re able to provide. Google support tells its users, “For non-email data recovery solutions, please consult the Google Workspace Marketplace, where one of our partners may have a solution suitable for your needs.” And Salesforce says, “We recommend that you use a partner backup solution that can be found on the AppExchange.”

How do you pick the right Backup and Restore solution? Here’s a list of HIPAA must-haves for e-PHI backup and restore.

HIPAA Check #1 Offsite Storage -> Cloud-to-cloud SaaS model

Choosing a cloud-to-cloud backup provider allows you to continue enjoying the cost-saving benefits that drew you to adopt SaaS applications. Instead of managing backups on-premises, an extremely time-consuming and error-prone activity, consider a cloud-based backup solution. They allow you to save time and money while managing backups effectively and allowing your IT team to focus on strategic endeavors.

HIPAA Check #2 Regular Backups -> Support for Automated and on-demand Backups

Automated backups allow you to “set it and forget it” as your backups will run automatically each day. On-demand backups enable manual backups to support data protection before major database or organizational changes are made.

HIPAA Check #3 100% Restore -> Fast and accurate recovery

We’ve outlined the huge costs of e-PHI data loss. Combine that with HIPAA compliance risk and related fines, and you have a perfect financial storm – unless fast and accurate data recovery is part of your evaluation process. Look for a backup and restore solution that can get your data back from any point in time in just a matter of clicks.

HIPAA Check #4 Audit Support -> Auditability and Immutability

HIPAA compliance requires that you ensure changes to e-PHI are auditable, and that there is an immutable record of data at a backup point in time.

HIPAA Check #5 Encrypt or Destroy -> Data encryption at rest and in transit

HIPAA says that data being transmitted must be encrypted and data at rest must either be encrypted or destroyed. This ensures the privacy and security of e-PHI with robust encryption.

HIPAA Check #6 Third-Party Compliance -> SOC 2 and HIPAA compliance

Every link in the chain related to e-PHI should be HIPAA-compliant and highly secure; and that extends to third-party vendors providing backup solutions.

If you are concerned with your organization’s compliance, data protection, and privacy of information, download our free whitepaper to: