ISpectra Technologies
By IndustryGuide · Updated Jun 2026 · 9 min read

HIPAA Data Backup Requirements

HIPAA requires organizations to be able to recover health data after a disruption, which makes secure, reliable backups a core requirement — not an optional nicety. This guide explains what HIPAA expects of your backups.


Backups protect both the availability of ePHI and the organization’s ability to recover from incidents like ransomware. Here is how to meet HIPAA’s backup requirements and build genuine resilience.

Why HIPAA requires backups

The Security Rule's contingency plan standard (45 CFR 164.308(a)(7)) lists a data backup plan as a required implementation specification, alongside a disaster recovery plan and an emergency mode operation plan. Its wording is specific: covered entities and business associates must establish and implement procedures to create and maintain retrievable exact copies of ePHI, so that data is not permanently lost in the event of a failure, disaster, or attack.

Backups protect the ‘availability’ element of the Security Rule’s goals — ensuring ePHI remains accessible when needed — and underpin the organization’s ability to recover from a wide range of incidents.

The data backup plan

A data backup plan establishes how the organization creates and maintains retrievable copies of ePHI. It should define what is backed up, how often, where copies are stored, and how they are protected. The plan is documented and maintained as part of contingency planning.

Because it is a required implementation specification, the data backup plan is something auditors expect to see, both as a document and as a practice supported by evidence.

What to back up

Backups should cover all the ePHI necessary to restore operations: databases, document stores, application and system configurations, encryption keys held separately from the data they protect, and anything else required to rebuild the systems that hold patient data. Identifying everything that must be backed up flows directly from the ePHI inventory and data-flow mapping produced by your risk analysis, because you cannot back up data you do not know you have.

An incomplete backup that omits critical data can leave an organization unable to recover fully, so comprehensiveness matters as much as the existence of backups.


Backup frequency

How often to back up depends on how much data the organization can afford to lose — its recovery point objective. For systems with constantly changing patient data, frequent or continuous backups minimize potential loss, while less dynamic data may be backed up less often.

The risk analysis helps determine appropriate frequency, balancing the cost of backups against the impact of losing data created since the last one.

Securing backups

Backups contain ePHI, so they must be protected to the same standard as production data. This means encrypting backups, restricting access to them, and securing wherever they are stored. Encryption is an addressable specification under the Security Rule, but the practical consequence is clear: an unencrypted backup tape, disk, or cloud bucket that is lost, stolen, or exposed is a reportable breach just like a lost production system, whereas ePHI encrypted to HHS guidance is treated as secured and falls under the breach notification safe harbor. Keep the encryption keys separate from the backup media, or the encryption protects nothing.

Backup security is sometimes overlooked, but it is essential — the copies are as sensitive as the originals and deserve equal protection.

Offsite and redundant storage

Storing backups in a separate location from the primary data protects against disasters that could destroy both. Cloud backups, geographically separated storage, and redundant copies all guard against a single event wiping out both the data and its backup.

The principle is to avoid a single point of failure, so that no one fire, flood, or attack can eliminate both the live data and every copy of it.

Retention of backups

Backups should be retained according to the organization's needs and any applicable requirements, balancing the ability to recover from older points against storage cost and the sensitivity of retaining PHI. Note that HIPAA's six-year retention rule (45 CFR 164.316(b)(2)) applies to required documentation such as policies, procedures, and the backup plan itself, not to the backup data; how long copies of ePHI are kept is driven by state medical record retention laws and operational recovery needs.

A thoughtful retention policy ensures the organization can recover from incidents discovered after some delay, without retaining data longer than necessary.

Testing your backups

A backup is only useful if it can actually be restored. Regularly testing restoration — confirming that backups are complete, intact, and recoverable — is essential. Many organizations discover too late that their backups were incomplete or corrupted.

Documented restoration tests provide evidence that the backup plan works and turn a theoretical safeguard into a proven capability.

Backups and disaster recovery

Backups are one part of broader contingency planning that also includes a disaster recovery plan and emergency mode operations. Together these ensure that the organization can not only recover data but also continue or quickly resume operations after a disruption.

Integrating backups into a coherent contingency strategy — rather than treating them in isolation — produces genuine resilience.

Ransomware resilience

Backups are a critical defense against ransomware, which has become a major threat to healthcare. Reliable, isolated backups allow an organization to restore data without paying a ransom — provided the backups themselves are protected from the attack.

Because ransomware operators routinely locate and encrypt or delete backups before detonating, at least one copy should be beyond the reach of the credentials that manage production: offline or air-gapped media, or immutable (write-once, time-locked) storage that neither an administrator nor an attacker holding administrator credentials can alter or delete during the retention window.

Documenting and maintaining the plan

The backup plan, like other contingency elements, must be documented and kept current as systems change. Records of backups, their security, and restoration tests provide the evidence auditors and the organization itself rely on.

Maintaining the plan — reviewing it as the environment evolves and confirming it still covers everything critical — keeps backups aligned with the organization’s actual recovery needs over time.

Backups as everyday insurance

Ultimately, HIPAA’s backup requirements protect against a wide range of misfortunes — hardware failure, human error, disaster, and attack. A sound, tested, secure backup program is everyday insurance for the availability and integrity of patient data.

Treating backups as a genuine capability rather than a checkbox — comprehensive, secured, tested, and isolated — gives an organization confidence that it can recover from almost anything, which is exactly the resilience the Security Rule intends.

Cloud backups and BAAs

When backups are stored with a cloud provider, that provider handles PHI and must be covered by a BAA, just like any other service touching patient data. HHS guidance is explicit that a cloud provider storing encrypted ePHI is still a business associate even if it never holds the decryption key. Cloud backup is convenient and resilient, but it does not remove the organization's responsibility for securing and managing those copies.

Confirming that your backup provider will sign a BAA and protect the data appropriately is an essential step in a compliant backup strategy.

Recovery time and recovery point objectives

Two concepts guide backup planning: the recovery point objective (how much data you can afford to lose) and the recovery time objective (how quickly you must restore). Defining these for your critical systems shapes how frequently you back up and how you architect recovery.

Aligning your backup approach with these objectives ensures it actually meets the organization’s real tolerance for data loss and downtime.

Backup access controls

Access to backups should be tightly restricted and logged, just like access to production PHI. Use separate credentials for the backup system rather than the same administrator accounts that run production, require multi-factor authentication, and grant deletion rights to as few identities as possible. Overly broad access to backups creates the same risks as broad access to live data, and it makes backups vulnerable to the very attacks they are meant to protect against.

Limiting and monitoring who can reach backups is an important and sometimes overlooked part of securing them.

Documenting restoration tests

Testing restoration is only fully valuable when documented. Records of when tests occurred, what was restored, and whether they succeeded provide evidence that the backup plan works and satisfy auditors who want proof, not just assertion.

These records also reveal trends — recurring failures or gaps — that point to where the backup strategy needs strengthening.
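The restore test and evidence record described in this section and in "Testing your backups", as an added example that is not code from the page or from ISpectra. It backs up a constructed, fictitious dataset standing in for ePHI, restores it into a scratch directory, checks every file against an HMAC-signed manifest so that incomplete, corrupted, or substituted backups are detected, and appends a one-line JSON evidence record including time-to-restore against an assumed RTO. The file names, the manifest key, and the RTO value are assumptions.

```python
"""Backup restore test with integrity verification and an evidence record.
Added example; not code from the page. Names, paths and MANIFEST_KEY are assumptions."""
import hashlib
import hmac
import io
import json
import os
import tarfile
import tempfile
import time
from pathlib import Path

# Assumption: in production this key lives in a KMS/HSM, separate from the backup
# media, so whoever can rewrite the archive cannot also re-sign its manifest.
MANIFEST_KEY = b"example-manifest-key-do-not-use-in-production"
MANIFEST_NAME = "MANIFEST.json"

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def create_backup(src: Path, archive: Path) -> dict:
    """Archive every file under src plus an HMAC-signed manifest of their hashes."""
    files = {p.relative_to(src).as_posix(): sha256_file(p)
             for p in sorted(src.rglob("*")) if p.is_file()}
    manifest = {"created": int(time.time()), "files": files}
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["hmac"] = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    with tarfile.open(archive, "w:gz") as tar:
        for rel in files:
            tar.add(src / rel, arcname=rel)
        data = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return manifest

def restore_and_verify(archive: Path, dest: Path) -> dict:
    """Restore into dest, then check the manifest signature and every file's hash.
    Missing file = incomplete backup; hash mismatch = corrupted or altered copy;
    bad HMAC = the manifest itself was rewritten to hide a substituted archive."""
    started = time.monotonic()
    problems = []
    with tarfile.open(archive, "r:gz") as tar:
        if MANIFEST_NAME not in tar.getnames():
            return {"ok": False, "problems": ["manifest missing"],
                    "files_expected": 0, "restore_seconds": 0.0}
        manifest = json.load(tar.extractfile(MANIFEST_NAME))
        expected = manifest.pop("hmac", "")
        body = json.dumps(manifest, sort_keys=True).encode()
        actual = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(actual, expected):
            problems.append("manifest HMAC mismatch: tampered manifest or wrong key")
        # Refuse absolute paths and '..' so a crafted archive cannot write outside dest.
        members = [m for m in tar.getmembers() if m.isfile() and m.name != MANIFEST_NAME
                   and not os.path.isabs(m.name) and ".." not in Path(m.name).parts]
        try:
            tar.extractall(dest, members=members, filter="data")
        except TypeError:  # Python builds without the 'filter' argument
            tar.extractall(dest, members=members)
    for rel, digest in manifest["files"].items():
        p = dest / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"corrupt: {rel}")
    return {"ok": not problems, "problems": problems,
            "files_expected": len(manifest["files"]),
            "restore_seconds": round(time.monotonic() - started, 3)}

def record_restore_test(result: dict, archive: Path, log: Path, rto_seconds: float) -> dict:
    """Append one line of evidence: when, what, outcome, and time-to-restore vs RTO."""
    rec = {"tested_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
           "archive": archive.name, **result, "rto_seconds": rto_seconds}
    rec["within_rto"] = result["restore_seconds"] <= rto_seconds
    rec["passed"] = rec["ok"] and rec["within_rto"]
    with log.open("a") as f:
        f.write(json.dumps(rec) + "\n")
    return rec

def simulate_corruption(archive: Path, rel: str) -> None:
    """Rewrite the archive with one member's bytes zeroed (a constructed media fault)."""
    tmp = archive.with_suffix(".tmp")
    with tarfile.open(archive, "r:gz") as old, tarfile.open(tmp, "w:gz") as new:
        for m in old.getmembers():
            data = old.extractfile(m).read()
            new.addfile(m, io.BytesIO(b"\0" * len(data) if m.name == rel else data))
    tmp.replace(archive)

def run_demo(corrupt: bool = False) -> dict:
    """Back up a constructed, fictitious dataset standing in for ePHI and restore-test it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, dest = root / "prod", root / "restore"
        (src / "db").mkdir(parents=True)
        (src / "db" / "patients.csv").write_text("mrn,name\n000001,Test Patient\n")
        (src / "db" / "visits.csv").write_text("mrn,visit_date\n000001,2024-01-02\n")
        (src / "app.conf").write_text("db_host=db.internal\n")
        archive = root / "prod-backup.tar.gz"
        create_backup(src, archive)
        if corrupt:
            simulate_corruption(archive, "db/visits.csv")
        result = restore_and_verify(archive, dest)
        return record_restore_test(result, archive, root / "restore-tests.jsonl", rto_seconds=3600)

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
    print(json.dumps(run_demo(corrupt=True), indent=2))
```

The second run zeroes one file inside the archive before restoring, and the evidence record for it reports `corrupt: db/visits.csv` with `passed` false; that is the record a reviewer wants to see rather than a test that only confirms the archive exists. In a real program the restore target would be an isolated environment, the manifest key would come from a key management service, and the evidence log would itself be retained with the other contingency plan documentation.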

Backups in the disaster recovery plan

Backups underpin disaster recovery, but a full plan also addresses how systems and operations are restored, who is responsible, and how the organization functions during the disruption. Integrating backups into this broader plan ensures data recovery translates into operational recovery.

A backup that restores data into a still-broken environment provides limited value, which is why backups and disaster recovery must be planned together.

Backups as resilience, not just compliance

While HIPAA requires backups, their real value is resilience. A sound backup program protects the organization against hardware failure, human error, disaster, and ransomware alike — preserving both patient data and the ability to keep operating.

Viewing backups as core resilience, rather than a compliance checkbox, leads organizations to build the comprehensive, tested, secured programs that genuinely protect them when something goes wrong. Reliable, secure backups are a quiet but essential part of HIPAA compliance.


HIPAA Data Backup Requirements — FAQs

Does HIPAA require data backups?
Yes. The Security Rule's contingency planning includes a required data backup plan to maintain retrievable, exact copies of ePHI so that data is not permanently lost in a failure, disaster, or attack.

What does a data backup plan cover?
It defines what ePHI is backed up, how often, where copies are stored, and how they are protected, and it is documented and maintained as part of contingency planning.

How must backups be secured?
Backups contain ePHI and should be protected to the same standard as production data, including encryption and restricted access. An unencrypted lost or stolen backup is as much a breach as a lost production system.

How often should ePHI be backed up?
It depends on how much data you can afford to lose, which is your recovery point objective. Frequently changing patient data warrants frequent or continuous backups, guided by the risk analysis.

Do backups have to be tested?
Yes. A backup is only useful if it can be restored. Regularly testing restoration confirms backups are complete, intact, and recoverable, and documented tests provide evidence the plan works.

How do backups help against ransomware?
Reliable, isolated backups let an organization restore data without paying a ransom, provided the backups themselves are protected. Keeping copies isolated or immutable is increasingly important as ransomware targets backups.