How to Build a HIPAA Compliant Backup and Recovery Plan

A HIPAA compliant backup and recovery plan is a mandate for your organization. If you have a data backup and disaster recovery plan for your most critical infrastructure and data, it will help keep your organization’s operations running smoothly in any critical situation. The Health Insurance Portability and Accountability Act (HIPAA) and its Privacy and Security Rules play a vital role in shielding the private health data of patients. The Department of Health and Human Services (HHS) regulates HIPAA compliance, and its Office for Civil Rights (OCR) enforces it.

What is HIPAA Compliance?

The Health Insurance Portability and Accountability Act of 1996, known as HIPAA, is a set of regulatory standards that defines the lawful use and disclosure of protected health information (PHI). PHI is any piece of demographic information (names, addresses, financial information, medical reports, and social security numbers) held by a HIPAA-beholden entity.

Whatever the kind of information, be it a medical record, a financial statement or the vital data of any organization, the base requirement for all such data is a robust backup and disaster recovery solution. Additionally, an organization or healthcare institution that is HIPAA compliant has already addressed the protection of that vital information. Let us have a look at which kinds of organizations need to be HIPAA compliant.

Which Type Of Organization Needs to Be HIPAA Compliant?

Covered Entities:

According to HIPAA regulation, a covered entity is any organization that collects, creates, or transmits PHI electronically. For instance, health care organizations are covered entities that include health care providers, health insurance providers, and health care clearinghouses.

Business Associates:

A business associate is an organization that encounters PHI in any form during the time of its work, which is performed in or on behalf of the covered entity, and this is governed by HIPAA regulation.

There are many examples of business associates affected by the HIPAA rules. These include physical storage providers, IT providers, cloud storage providers, practice management firms, third-party consultants, EHR platforms, faxing companies, billing companies, shredding companies, email hosting services, attorneys, accountants, and many more.

Requirements for HIPAA Compliance

Let us have a look at a set of national standards that HIPAA regulation outlines for the covered entities and business associates:

Self-Audits

Covered entities and business associates need to conduct annual audits of their organization to assess technical, physical and administrative gaps in compliance with the HIPAA Privacy and Security standards. A Security Risk Assessment alone is not enough to be compliant; it is only one of the essential audits for HIPAA-beholden entities.

Implementation of Remediation Plans

After identifying the gaps in compliance through self-audits, the covered entities and business associates must implement remediation plans to correct compliance violations. They must document this remediation and include calendar dates by which the gaps will be closed.

Policies, Procedures, Staff Training

The covered entities and business associates need to develop policies and procedures conforming to HIPAA regulatory standards as outlined by the HIPAA Rules. They need to update these policies and procedures regularly. Also, they need to give annual staff training ensuring they understand all the policies and procedures correctly.

Documentation to Become HIPAA Compliant

HIPAA-beholden organizations must document all their efforts to become HIPAA compliant, as this documentation is critical for passing strict HIPAA audits during a HIPAA investigation by HHS OCR.

Business Associate Management

The covered entities and business associates need to document all vendors with whom they share PHI and execute Business Associate Agreements (BAAs) to ensure PHI is handled securely and mitigate liability. They should review the BAAs annually to account for changes to the nature of organizational relationships with vendors. They need to execute BAAs before ANY PHI is shared.

Incident Management

According to the HIPAA Breach Notification Rule, in case of a data breach, the covered entity or business associate must have a process to document the breach and notify patients that their data has been compromised.

Organizations must follow the above-mentioned HIPAA security rules to ensure the integrity, availability, and confidentiality of all PHI that is received, managed, created, or transferred. Under HIPAA, backup is mandatory and an essential means of protection against such risks. Both the institutions preserving user data and their business partners need to comply with the legislative regulations. For instance, if an institution uses cloud storage, the cloud service providers are its partners, and they need to be HIPAA compliant as well.

Medical practitioners covered under the HIPAA Act must have confidence in the availability and security of their IT systems, as their delivery of critical services depends on it. HIPAA compliance is built on a set of requirements, which include the Security Rule, the Breach Notification Rule, and the Privacy Rule. Failure to comply with HIPAA can result in jail time and, more frequently, in fines of thousands or even millions of dollars for a covered entity (CE), such as a health data clearinghouse or a health care provider. Let’s have a look at one such case:

In April 2017, the Department of Health and Human Services (HHS) received a complaint regarding Sentara Hospital, a not-for-profit organization that serves Virginia and North Carolina. The complaint was that Sentara had sent a bill to an individual containing the protected health information (PHI) of another patient. After an investigation by the U.S. Office for Civil Rights, it was found that the hospital had mailed the PHI of 577 patients. Sentara was fined $2.175 million for violating the HIPAA Breach Notification and Privacy Rules.


As technology continues to evolve, patient privacy is becoming a hot topic in the healthcare industry. Most patient information that is transferred electronically is exposed to certain risks, including disasters that may physically damage the computers and servers storing patient information. The best thing an organization can do is to evaluate its systems and then implement a secure and robust backup and recovery solution to comply with HIPAA standards. The covered entities must also ensure they have a well-defined contingency plan that keeps patient data safe even after an initial data loss. Concisely, information security is about ensuring three attributes of information or data: confidentiality, integrity, and availability.


Organizations are under more of a microscope than ever before. With added threats to patient data, it is imperative that businesses choose the right solutions. Make sure to take all of these factors into consideration when choosing a backup and recovery solution, as it may be a major game-changer in making sure that your business abides by HIPAA regulations.
