Q&A: Guidance for storing data backups

Q: I have heard that HIPAA says covered entities (CE) must keep data backups a minimum of five miles away from the original site where the data was collected. Is this correct? Are there any restrictions or guidance about the location of data backups?

A: There is no HIPAA requirement that backup media be stored at least five miles away from where the original data was backed up from. It is sound security practice to store backup media off-site, though, to ensure the backup media is available if there is a disaster and the original data is destroyed. Ideally, backup media should be stored in a different geographic region from the area where the data was backed up, but there are reasons why this isn’t always practical.

The HIPAA requirement to maintain backup media is included in the contingency plan section of the HIPAA Security Rule. All CEs and business associates (BA) are required to maintain backup media, develop a data backup plan that includes testing backup recovery, and develop and test a disaster recovery plan and emergency mode operations (business continuity) plan. This means that your data backup plan needs to cover where the media will be stored and how the data will be restored in the event of a disaster or outage.

In the not too distant future, OCR may issue guidance requiring off-site storage of data backup media. The rapid expansion and reduced cost of solutions that support storing backup media in the cloud is leading in much the same direction as encryption. While encryption is addressable in the HIPAA Security Rule, OCR is enforcing the rule as if encryption is required. Soon, the same stance may be true when it comes to off-site storage of backup media.

Editor’s note: Question answered by Chris Apgar, CISSP. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Need expert advice? Email your questions for consideration in the Revenue Cycle Daily Advisor. Note: We do not guarantee that all questions will be answered.