HIPAA Data Backup Plan Checklist

Backing up data is important for everybody, whether it be personal data or data belonging to an organization. When it comes to ePHI managed by a healthcare institution, the level of importance could not be higher.

It is also a mandatory component of HIPAA compliance.

In order to meet these requirements, most healthcare organizations choose to outsource critical IT services to a third party i.e. an MSP. Whether or not you outsource data backup services, measures must be taken to ensure that you do not lose sensitive patient data, as the consequences can be devastating.

"The data backup plan is a required stage of compliance and must form part of a contingency plan that meets HIPAA standards. Losing data has huge consequences, even-more-so for healthcare organizations who routinely handle sensitive and private data. If access to critical pharmacy systems, lab systems or EHR systems was severed, a healthcare practice would struggle to continue business operations. This risks damaging reputation and ultimately could risk patient lives." - Marty Puranik, What Is Your HIPAA Data Backup Plan

This process will help you establish a solid data backup plan that satisfies HIPAA requirements and clearly shows your patients that you have appropriate safeguards in place to protect their data.

From identifying the databases that contain ePHI, determining which solution will be used, testing the restore process, and formally documenting the backup policy, this checklist will help you setup the data backup plan end-to-end, hopefully relieving your security team of stress in the process!

A little info about Process Street

Process Street is superpowered checklists. By using our software to document your processes, you are instantly creating an actionable workflow in which tasks can be assigned to team members, automated, and monitored in real-time to ensure they are being executed as intended, each and every time.

The point is to minimize human error, increase accountability, and provide employees with all of the tools and information necessary to complete their tasks as effectively as possible.

First, enter some basic details regarding your organization and the Security Official leading the team tasked with securing and backing up ePHI. 

Identify the various databases that contain ePHI. 

List them in the form field now. You can also attach and/or link to a document/resource that contains the list. 

Identify the email systems that contain ePHI. 

List them in the form field now. You can also attach and/or link to a document/resource that contains the list. 

Once all of the databases and email systems containing ePHI have been identified, its time to determine the risk level of each file.

The term “risk,” as used in the phrase “security risk analysis,” can be defined as a function of two things:

• The likelihood of a given threat triggering or exploiting a specific vulnerability 
• The resulting impact

You can attach and/or link to a document/file containing the risk level of each file. 

As stated by the Compliancy Group, a risk level matrix can be used to assist in determining and ranking risk levels. The matrix may be populated using a “high,” “medium,” and “low” rating system. For example, a threat likelihood value of “high” combined with an impact value of “low” may equal a risk level of “low.” Or a threat likelihood value of “medium” combined with an impact value of “medium” may equal a risk level of “medium.” 

From the list below, select which solution(s) will be used to back up the data. 

If you select "Other", describe the solution in the text form field. 

Identify and describe the backup media required to remain offsite. 

Storing backup data at an offsite facility (a physical location other than your worksite) allows recovery of backup data if backup data stored locally, onsite, is destroyed or damaged because the premises themselves have been damaged to emergencies such as earthquakes and floods. 

A Business Associate Agreement (BAA) must be used if an off-site storage facility or backup service is used to ensure that the Business Associate will safeguard the ePHI in an appropriate manner.

Process Street has built a Business Associate Agreement Checklist to guide you through creating and implementing the agreement. 

Identify and describe the backup media required to remain onsite. 

If backup media remains on-site, it must be in a physically secure location, different from the location of the computer systems it backed up, in order to protect the backups from loss or damage.

It is critical to ensure that backup data sent to an off-site storage facility is secured using technical and physical HIPAA compliant safeguards.

Provide a description of the safeguards that are in place to secure off-site storage and minimize the risk of a data breach.

Test data restoration with approved software engineers. 

This is an important step to identify any issues and verify that the safeguards in place are functioning as they should. 

Record the date of testing and summarize the results in the form field below. 

Also, determine if any issues were identified. If so, these will need to be evaluated and resolved before moving on in the process. 

There were some issues identified during testing. Not to worry, describe them in the form field below so they can be evaluated and resolved by the team. 

If its more convenient, you can attach and/or link to a document containing a detailed breakdown of the issues that were identified. 

Conduct a meeting to evaluate and resolve the issues that were identified during data restoration testing. 

Record the date of the meeting, as well as key takeaways/action items. 

Below is the description of the issues that was recorded in the previous task.

Description of issues

{{form.Description_of_issues_found_during_testing}}

Document the backup policy. 

You can attach and/or link to the policy below.

All documentation required by this policy will be maintained for a period of 6 years from the date of creation or the date when it was last in effect, whichever is later. 

Document the backup process and schedule. 

You can attach and/or link to the process and schedule below.

Document the data restore process. 

You can attach and/or link to the data restore process below.

Document the disaster recovery process. 

You can attach and/or link to the disaster recovery process below.

Document the contingency plan. 

You can attach and/or link to the contingency plan below.

Determine a date to review the back up plan.

Ideally, the plan would be reviewed once a month, or at least once every quarter.

• Compliancy Group - HIPAA Data Backup Plan and Disaster Recovery Plan
• HIPAA GPS - HIPAA Security Templates
• Marty Puranik - What is Your HIPAA Data Backup Plan?
• HIPAA Guard - HIPAA Rules on Data Backup and Disaster Recovery Plan
• Compliancy Group - HIPAA Security Risk Analysis Step 6: Determining the Level of Risk to ePHI

• HIPAA Compliance Checklist for HR
• HIPAA Privacy Risk Assessment Checklist
• HIPAA Security Breach Reporting Checklist
• HIPAA Business Associate Agreement Checklist
• HIPAA Omnibus Rule Checklist
• Patient Intake Checklist for a Medical Clinic
• Patient Intake Checklist for a Dental Clinic
• Patient Satisfaction Survey Checklist
• Hospital Housekeeping Checklist
• Terminal Room Cleaning Checklist
• Hospital Safety Inspection Checklist
• General Infection Control Checklist
• Patient Satisfaction Survey Checklist
• Home Visit Checklist
• Mental Health Risk Assessment Checklist
• WHO Surgical Safety Checklist
• HIPAA Compliance Checklist
• COVID-19 Procedure: Isolation Area Management
• COVID-19 Procedure: Disinfection Procedures for COVID-19 Isolation Ward Area
• COVID-19 Procedure: Lung Transplantation Pre-Transplantation Assessment
• COVID-19 Procedure: Nursing Care During Treatment (ALSS)
• COVID-19 Procedure: Protocol for Donning and Removing PPE
• COVID-19 Procedure: Staff Management (Workflow and Health)
• COVID-19 Procedure: Daily Management and Monitoring of ECMO Audit
• COVID-19 Procedure: Digital Support for Epidemic Prevention and Control
• COVID-19 Procedure: Discharge Standards and Follow-up Plan for COVID-19 Patients
• COVID-19 Procedure: Disinfection of COVID-19 Related Reusable Medical Devices
• COVID-19 Procedure: Disinfection Procedures for Infectious Fabrics of Suspected or Confirmed Patients
• COVID-19 Procedure: Disposal Procedures for COVID-19 Related Medical Waste
• COVID-19 Procedure: Disposal Procedures for Spills of COVID-19 Patient Blood/Fluids
• COVID-19 Procedure: Procedures for Handling Bodies of Deceased Suspected or Confirmed Patients
• COVID-19 Procedure: Procedures for Taking Remedial Actions against Occupational Exposure to COVID-19
• COVID-19 Procedure: Surgical Operations for Suspected or Confirmed Patients