HIPAA requires covered entities to develop plans and implement procedures to back up data and otherwise enable disaster recovery and continuity of operations, all under the contingency planning standard within the administrative safeguards described in 45 CFR 164.308. There is also language in the physical safeguards in 45 CFR 164.310 that data backups should include retrievable, exact copies of PHI before moving equipment, but this is an addressable standard, not a mandatory requirement. Nothing in the regulations specifies how backups must be performed, or where backup data must be stored. There are many backup service vendors that claim that HIPAA requires offsite storage of backed-up data, but this simply isn't part of the security rule. This is not to say that offsite backup storage isn't a good idea - it's a well-established security practice and arguably an essential component of a disaster recovery strategy. There is no statutory requirement covering offsite backup, and certainly no rule on the distance between offsite storage and the operational site.
Last Answered:
Dec 16 2011 3:53 PM GMT by SteveGonHIT 
250 pts.