Healthcare Business Management Association - HBMA

The Truth about HIPAA-HITECH and Data Backup

An article by Bob Chaput taken from the March/April issue of HBMA Billing


This article sets the record straight on a very specific aspect of the HIPAA Security Final Rule: the Data Backup and Disaster Recovery Specifications within the contingency plan standards. We separate myth from reality about what exactly is required of whom and by what dates Covered Entities (CEs) and Business Associates (BAs) must comply with these specifications.

Most small-to-medium CEs and BAs have little or no skill, knowledge, or experience when it comes to information technology in general and information security in particular. In a nutshell, information security is about ensuring three attributes of information or data: confidentiality, integrity, and availability. The Data Backup and Disaster Recovery Specifications are about ensuring the availability of Protected Health Information (PHI).

HIPAA Security Rule and The HITECH Act

The HIPAA Security Final Rule, the last of the three HIPAA rules, was published in the February 20, 2003 Federal Register with an effective date of April 21, 2003. Most CEs had two full years - until April 21, 2005 - to comply with these standards. A majority of covered entities, especially providers, did not comply by that date and are still non-compliant. Now, as a result of the HITECH Act, BAs, including medical billing companies, must comply fully with these laws as well.

The Truth, Then, and Nothing but the Truth about Data Backup

  • It's not optional - All CEs, including medical practices and BAs, must securely back up "retrievable exact copies of electronic protected health information" (CFR 164.308(7)(ii)(A)).
  • Your data must be recoverable - Why else are you backing it up? You must be able to fully "restore any loss of data" (CFR 164.308(7)(ii)(B)).
  • You must get your data offsite - as required by the HIPAA Security Final Rule (CFR 164.308(a)(1)). How could one defend a data backup and disaster recovery plan that stored backup copies of ePHI in the same location as the original data store?
  • You must back up your data frequently - as required by the HIPAA Security Final Rule (CFR 164.308(a)(1)). In today's real-time transactional world, a server crash, database corruption, or erasure of data by a disgruntled employee at 4:40 PM would result in a significant data loss event if one had to recover from yesterday's backup.
  • Safeguards must continue in recovery mode - The same set of security requirements that applies under normal business operations must also apply during emergency mode. CEs and BAs cannot let their guard down (CFR 164.308(7)(ii)(C)).
  • Encrypt or Destroy - HITECH says to encrypt or destroy data at rest to secure it (Section 13402(h) of Title XIII, HITECH Act). The HIPAA Security Rule says that data being transmitted must be encrypted (CFR 164.312(e)(1)(B)). Many CEs and BAs fail in this area because tape- or disk-based backups are moved around freely, unencrypted.
  • You must have written procedures for your data backup and recovery plan - Policies and procedures (CFR 164.312(b)(1)) and documentation (CFR 164.312(b)(2)(i)) are a huge part of the HIPAA Security Final Rule.
  • You must test your recovery - A backup is useless if the recovery fails; therefore the law requires that you "Implement procedures for periodic testing and revision of contingency plans" (CFR 164.308(7)(ii)(D)). Unfortunately, testing tape-based or disk-based recovery can be time-consuming, so most companies rarely do it.
  • Non-compliance penalties are severe - Penalties are increased significantly in the new tiered Civil Monetary Penalty (CMP) system, with a maximum penalty of $1.5 million for all violations of an identical provision.
  • Now is the time to act - CEs have been subject to the HIPAA Security Final Rule since April 2005. BAs were statutorily obligated to comply by February 2010.
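The "exact copies", "back up frequently" and "test your recovery" points above, as an added example that is not part of the original article: a standard-library Python script that archives a directory, records a SHA-256 manifest of every file, restores the archive into a scratch location and compares each restored file against the manifest, then deliberately damages the restored copy to show that a defective restore is reported rather than silently accepted. It also checks the age of the most recent backup against an allowed recovery window. The directory layout, file names and record contents are constructed sample data, not real PHI; encryption of the archive before it leaves the site is assumed to be handled by a separate tool and is not shown.

```python
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large database dumps need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src_dir: Path, backup_dir: Path) -> tuple:
    """Archive src_dir and write a manifest with the SHA-256 of every file.

    The manifest is what later proves the copy is an *exact* copy: a restore
    that is not compared against it only shows that something came back."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    created = int(time.time())
    archive = backup_dir / f"ephi-{created}.tar"
    manifest_path = backup_dir / f"ephi-{created}.manifest.json"
    files = {}
    with tarfile.open(archive, "w") as tar:
        for path in sorted(p for p in src_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(src_dir).as_posix()
            files[rel] = sha256_file(path)
            tar.add(path, arcname=rel)
    manifest_path.write_text(json.dumps({"created": created, "files": files}, indent=2))
    return archive, manifest_path


def restore_backup(archive: Path, restore_dir: Path) -> None:
    """Extract the archive; the 'data' filter refuses entries that would escape restore_dir."""
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r") as tar:
        try:
            tar.extractall(restore_dir, filter="data")
        except TypeError:  # older Python without extraction filters
            tar.extractall(restore_dir)


def verify_restore(restore_dir: Path, manifest_path: Path) -> dict:
    """Compare every restored file against the manifest; report what is missing or altered."""
    manifest = json.loads(manifest_path.read_text())
    missing, mismatched = [], []
    for rel, expected in manifest["files"].items():
        path = restore_dir / rel
        if not path.is_file():
            missing.append(rel)
        elif sha256_file(path) != expected:
            mismatched.append(rel)
    return {"ok": not missing and not mismatched, "checked": len(manifest["files"]),
            "missing": missing, "mismatched": mismatched}


def backup_is_fresh(manifest_path: Path, max_age_seconds: int, now: float = None) -> bool:
    """Recovery-point check: a backup older than the allowed window means a crash
    now would lose more work than the contingency plan tolerates."""
    created = json.loads(manifest_path.read_text())["created"]
    now = time.time() if now is None else now
    return now - created <= max_age_seconds


def run_recovery_test() -> dict:
    """End-to-end drill on constructed sample data: back up, restore, verify,
    then damage the restored copy to confirm the verification catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "ephi"
        (src / "claims").mkdir(parents=True)
        # Constructed sample records, not real PHI.
        (src / "claims" / "2024-03.csv").write_text("claim_id,patient_id,amount\n1001,P-0001,120.00\n")
        (src / "patients.db").write_bytes(b"\x00sample-db\x00" * 64)

        archive, manifest = create_backup(src, root / "offsite")
        restored = root / "restore"
        restore_backup(archive, restored)
        clean = verify_restore(restored, manifest)

        # Simulate a defective restore: one file truncated, one file absent.
        (restored / "patients.db").write_bytes(b"\x00sample-db\x00")
        (restored / "claims" / "2024-03.csv").unlink()
        defective = verify_restore(restored, manifest)

        return {"clean": clean, "defective": defective,
                "fresh": backup_is_fresh(manifest, 24 * 3600),
                "stale": backup_is_fresh(manifest, 24 * 3600, now=time.time() + 2 * 24 * 3600)}


if __name__ == "__main__":
    print(json.dumps(run_recovery_test(), indent=2))
```

Run as a scheduled job, the `run_recovery_test` pattern turns the "periodic testing" requirement into something that can be logged and shown to an auditor: a clean restore that matches the manifest, a demonstrably detected defect, and a recovery-point age within the window the plan commits to.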

Last Line of Defense

We believe that having a rock-solid data backup and recovery solution in place may serve as a last line of defense for many CEs and BAs striving to comply with the laws. Losing data is one matter; not having "exact retrievable copies" as required by law is another. The ultimate embarrassment, however, may be having to explain in a court of law, following a data breach event, that one has no way to notify the affected individuals, because without a backup copy there is no record of who they are.


This discussion and its references are not legal advice. Consult qualified counsel for any legal issues that concern you, your organization, or questions of compliance.
