This entry is part 45 of 59 in the series Complete Guide to HIPAA Security Final Rule

(ii) Implementation specifications:

(A) Data backup plan (Required).  Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.

Tell Me More:

The Data Backup Plan implementation specification requires covered entities to establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information (EPHI). A data backup plan is a documented and routinely updated plan to create and maintain, for a specific period of time, retrievable exact copies of information.

The final security rule addresses the need for each entity to have a Data Backup Plan to respond to an emergency or other occurrence, including fire, vandalism, system failure and natural disaster.  The Data Backup Plan will be scalable depending on the organization.  Within the Data Backup Plan, the rule addresses data backup plans, disaster recovery plans, emergency mode operation plans, and testing and revision procedures.

The final rule empowers each entity to determine its own risk in the event of an emergency that would result in a loss of operations. A Data Backup Plan may involve highly complex processes in one processing site, or simple manual processes in another. The contents of any given Data Backup Plan will depend upon the nature and configuration of the entity devising it.  In addition, depending upon the size, configuration, and environment of a given Covered Entity or Business Associate, the entity should decide if testing and revision of all parts of a Data Backup Plan should be done or if there are more reasonable alternatives. The same is true for the proposed applications and data criticality analysis implementation feature.

The Data Backup Plan is necessary to assure the continued capabilities of the organization by guarding against unforeseen events.  Effective data backup and recovery is clearly essential, as without this information operations are directly impacted.  Asset management and criticality analysis facilitate the Data Backup Plan and execution processes, while ensuring resources are spent wisely.  Data Backup Plans are typically the last priority of many busy organizations; however, there is no replacement for them and they are invaluable when the need arises.

Industry best practices focus on the feasibility of Data Backup Plan.  Often plans that look good on paper do not reflect the reality of an actual occurrence.  If the plans are disseminated appropriately to the workforce, but not understood, they will be of little value.  Diligent testing and revision of plans as well as collaboration of IT staff and operational staff is critical to identifying flaws and gaps, as well as providing workforce members the valuable practice they need.

For more information, read “The Truth about HIPAA‐HITECH and Data Backup“.


Questions to consider:

  • Has all of the ePHI in the organization’s systems been identified? This is the first step in backing up data and should be addressed in a PHI inventory.
  • Is there a defined documented process outlining how staff perform the backup and validate its content (integrity of data)? A written procedure is necessary to ensure the organization has a complete and appropriate process.
  • Is the backup performed on a regular basis? Each organization will have to determine what is reasonable. In most organizations it is likely that daily will be considered reasonable.
  • Does the organization perform routine testing of use of the backup media to assure the process and media is in working condition? It is important to verify data actually can be restored from the backups.
  • Is backup information stored off the premises of the organization, preferably in a separate geographic location? If not, consider such storage. Make sure the offsite storage is secure.
  • Does the backup solution ensure compliance with all other aspects of HIPAA Privacy and Security Final Rules?



Series Navigation<< 164.310(a)(2)(iii) Standard: Facility access controls – Access control and validation procedures164.308(a)(3)(ii)(C) Standard: Workforce security – Termination procedures >>