Must backup data be stored according to HIPAA regulatory requirements? True or false?

Quick answer: True. Under the HIPAA Privacy and Security Rules, healthcare organizations and their business associates must ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) that they create, receive, maintain, or transmit. This includes properly backing up ePHI and storing backup media securely.

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. This federal law includes provisions to protect the privacy and security of individuals’ health information. The main sections of HIPAA that relate to data backup and storage are:

  • The HIPAA Privacy Rule – establishes national standards for protecting the confidentiality, integrity, and availability of protected health information (PHI).
  • The HIPAA Security Rule – specifies safeguards that healthcare organizations, plans, and clearinghouses, as well as their business associates, must implement to secure the confidentiality, integrity, and availability of electronic protected health information (ePHI).

What is considered protected health information (PHI) under HIPAA?

Protected health information (PHI) refers to any information about an individual’s health condition or provision of healthcare that can be linked back to that individual. This includes demographic information such as name, address, birth date, and social security number. Under HIPAA, PHI can be in any form – electronic, on paper, or communicated orally.

Some examples of PHI include:

  • Names of patients and relatives
  • Addresses
  • Dates of birth, admission, discharge, death
  • Telephone and fax numbers
  • Email addresses
  • Social security numbers
  • Medical record numbers
  • Health plan numbers
  • Account numbers
  • License numbers
  • Vehicle identifiers
  • Device identifiers
  • Web URLs
  • IP addresses
  • Biometric identifiers (finger/voice prints)
  • Photographs
  • Any other unique identifying number, characteristic, code, etc.

This PHI, if linked to an individual, must be protected under the HIPAA regulations.

What are the HIPAA requirements for data backup and storage?

The HIPAA Security Rule requires healthcare organizations and their business associates to implement appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI).

This includes having procedures and security measures in place for proper data backup, storage, and disposal of ePHI and backup media. Some specific requirements include:

  • Conducting regular backups of ePHI to create retrievable exact copies
  • Verifying the integrity of backed up ePHI
  • Storing backup media securely, with access limited to authorized users
  • Using encryption to render ePHI unreadable, undecipherable, and unusable by unauthorized individuals
  • Appropriately managing keys and security codes used for encrypting backed up ePHI
  • Physically protecting media used to store backed up ePHI from damage and unauthorized access
  • Developing a retrieval process in case backup data needs to be restored
  • Safely transporting backup media to offsite storage facilities, if applicable
  • Destroying old backup media and hardware properly when no longer needed

These measures help ensure the confidentiality, integrity, and availability of ePHI throughout the backup process. HIPAA covered entities and business associates that fail to comply with the Security Rule’s requirements risk facing penalties and fines.

Backup and Storage Methods for HIPAA Compliance

There are various methods healthcare organizations can use to back up and store ePHI in a HIPAA-compliant manner. Some common approaches include:

Encrypted Local Backups

Healthcare organizations can create encrypted backups of ePHI on local storage media like external hard drives, USB drives, CDs/DVDs, or tape drives. The encryption renders the ePHI unreadable without the proper cryptographic key. The media should be encrypted with a strong algorithm like AES-256, and the encryption keys must be properly managed and stored apart from the media they protect.
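As an added example in Go (not code from the original page), a minimal encrypt, verify and restore pair for a local backup that ties together the "retrievable exact copy", "verify integrity", AES-256 and key-management points above: the key is refused unless it is 32 bytes, the manifest stores a SHA-256 of the original ePHI apart from the key, GCM's authentication tag rejects a wrong key or tampered media, and the restore step re-hashes the recovered copy against the manifest. The names `Backup`, `NewBackupCipher`, `EncryptBackup` and `RestoreBackup` are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Backup is what is written to the media: ciphertext plus the manifest fields needed to restore and verify it; the key is deliberately not part of it.
type Backup struct {
	Nonce, Ciphertext []byte
	PlaintextSHA256   [32]byte // digest of the original ePHI, re-checked after every restore
}

// NewBackupCipher builds the AES-256-GCM AEAD; it refuses anything but a 32-byte key so the backup really is AES-256.
func NewBackupCipher(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBackup seals the ePHI under a fresh random nonce and records the plaintext digest.
func EncryptBackup(gcm cipher.AEAD, ePHI []byte) (Backup, error) {
	nonce := make([]byte, gcm.NonceSize()) // never reuse a nonce with the same key
	if _, err := rand.Read(nonce); err != nil {
		return Backup{}, err
	}
	ct := gcm.Seal(nil, nonce, ePHI, nil)
	return Backup{Nonce: nonce, Ciphertext: ct, PlaintextSHA256: sha256.Sum256(ePHI)}, nil
}

// RestoreBackup decrypts (GCM rejects a wrong key or tampered media) and then re-hashes the restored copy against the manifest digest.
func RestoreBackup(gcm cipher.AEAD, b Backup) ([]byte, error) {
	pt, err := gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("decrypt failed: wrong key or tampered media")
	}
	if sha256.Sum256(pt) != b.PlaintextSHA256 {
		return nil, errors.New("integrity check failed: restored copy differs from manifest")
	}
	return pt, nil
}
```

A periodic restore test (the "Testing" item in the policy section) is just `RestoreBackup` run against a copy pulled from the stored media, with the returned error treated as a failed backup.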

Offsite Cloud Backups

Cloud-based backup services provide offsite storage and recovery capabilities for ePHI. Healthcare organizations should ensure the cloud provider meets HIPAA compliance requirements through a Business Associate Agreement. The ePHI should be transmitted and stored encrypted in the cloud. Examples include services like Druva, Carbonite, and Barracuda.

Physical Media Storage

For local storage of backup media, healthcare organizations can use locked filing cabinets, safes, or other secure areas with restricted access. Fireproof safes and media rotation help protect against fire, flooding, and other environmental risks. Storing media offsite or in disaster recovery facilities improves availability.

Secure Data Centers

Colocation data centers can provide hardened, secure facilities for healthcare organizations to store backups of ePHI. Features like biometric access, video surveillance, fire suppression, and resilient power systems help protect against unauthorized access and disasters.

Media Disposal and Destruction

HIPAA requires proper disposal of backup media when no longer needed to prevent unauthorized access to ePHI. Some options include degaussing, shredding, pulverizing, or incinerating. Healthcare organizations should maintain documentation demonstrating proper destruction.

HIPAA Data Backup Policy

To ensure HIPAA compliance, healthcare organizations should develop and implement a comprehensive data backup policy and procedures addressing areas such as:

  • Scope – What systems and applications will be backed up
  • Backup schedule – How often backups will be conducted
  • Retention period – How long backup data will be retained
  • Storage location – Where backup media will be stored onsite and offsite
  • Encryption – What encryption methods will be used
  • Access controls – Who can access and use backup media
  • Integrity checks – How backup integrity will be validated
  • Restoration procedures – Process to restore data from backup if needed
  • Testing – Regular testing of the backup process
  • Media transport – How backup media will be securely transported to offsite facilities
  • Media disposal – How old media will be securely destroyed

Documenting these backup policies and procedures in line with HIPAA requirements provides a consistent framework to safeguard ePHI throughout the data lifecycle.

Risk Analysis for Backup Systems

Under the HIPAA Security Rule, healthcare organizations must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. This includes evaluating risks associated with data backup systems and storage media.

Some factors to consider in a risk analysis include:

  • Hardware vulnerabilities like age, performance, redundancy
  • Software flaws, security patches, malware susceptibility
  • Backup capacities and frequencies
  • Potential for unauthorized data access or theft
  • Possibility of data corruption or loss
  • Media transportation and offsite storage risks
  • Compliance with backup best practices
  • Security controls like access restrictions, encryption, auditing
  • Site vulnerabilities like flooding, fires, temperature/humidity
  • Vendor or third-party managed services risks

Identifying and addressing any gaps or risks can help healthcare organizations select appropriate solutions, safeguards, and controls to lower their vulnerability.

HIPAA Compliance for Backup Service Providers

Backup service providers that create, receive, maintain or transmit PHI on behalf of covered entities must also ensure HIPAA compliance under the regulations.

Some requirements for backup service providers include:

  • Entering into a HIPAA Business Associate Agreement (BAA) with their customers
  • Conducting risk analysis of their backup systems and storage facilities
  • Implementing security controls like encryption, access management, audit logs
  • Developing data backup and recovery procedures
  • Maintaining appropriate disaster recovery and emergency operations plans
  • Conducting periodic technical and non-technical evaluations of HIPAA safeguards
  • Training staff on HIPAA policies and procedures
  • Reporting security incidents and data breaches as required

Adhering to these requirements as a HIPAA business associate can help backup service providers demonstrate their HIPAA compliance to covered entity customers.

Best Practices for HIPAA Compliant Data Backup

Some best practices healthcare organizations and their associates should follow to maintain HIPAA compliance when backing up ePHI include:

  • Conduct regular risk analyses and security assessments of backup systems
  • Encrypt all ePHI during transmission and at rest
  • Use remote wiping or destruction capabilities on lost/stolen media
  • Maintain documented backup and recovery procedures
  • Store media securely with strict access controls
  • Implement multi-factor authentication for media access
  • Use barcode/radio frequency identification (RFID) tracking for media
  • Perform periodic testing of backup and restoration
  • Enable detailed backup activity audit logging
  • Contract only with HIPAA compliant vendors
  • Destroy outdated media through incineration, shredding, etc.

Following these best practices as part of an overall HIPAA compliance strategy can help covered entities and business associates protect the availability, confidentiality, and integrity of ePHI.

HIPAA Fines and Penalties

Under HIPAA, healthcare organizations can face substantial fines and penalties for non-compliance based on the level of negligence and nature of the violation. Some potential civil and criminal penalties include:

  • Fines of $100 to $50,000 per violation (capped at $25,000 to $1.5 million per year for repeat violations)
  • Criminal penalties from $50,000 to $250,000 fines and up to 10 years imprisonment for knowing misuse of data

Recent examples of HIPAA fines and settlements over improper ePHI backup handling include:

  • NY Spine Surgery & Rehab Medicine – $100,000 fine for allegedly failing to encrypt or properly secure ePHI backups
  • Anthem Inc. – $16 million settlement for not adequately encrypting ePHI data backups
  • MAPFRE Life Insurance – $2.2 million settlement for loss of unencrypted backup tapes

Given the substantial costs of non-compliance, it is critical for healthcare organizations to implement proper backup policies, procedures, and safeguards.

Conclusion

Maintaining the privacy and security of protected health information is imperative for healthcare organizations. The HIPAA regulations require covered entities and their associates to implement safeguards for backing up and storing ePHI. Organizations must conduct risk analysis, encrypt data, manage media properly, retain backups appropriately, and dispose of outdated media securely. Following HIPAA-compliant data backup best practices, policies, and procedures is necessary to avoid penalties in case of a breach or violation.