HIPAA requirements steer data protection in healthcare

Although HIPAA may not specify how to protect patient data in the event a system goes down, its requirements make it clear data must remain available and secure.

In most cases, adhering to HIPAA requirements calls for a multipronged approach to healthcare data disaster recovery.

The aspects to consider include the following:

  • backup and recovery
  • continuity of business
  • data lifecycle management
  • security

Let's look at each of these elements in more detail.

Backup and recovery

This aspect is self-explanatory. The organization must be able to make an exact copy of its data and do so in a way that guarantees that the information will be recoverable if it is ever needed. HIPAA requirements compel all covered entities to guarantee the confidentiality, integrity and availability of their electronic protected health information (PHI).

One of the key considerations with regard to backup and recovery is documentation. In addition to documenting things like backup procedures, operators and security measures, it is important to document the recovery point objective and the recovery time objective, as well as the rationale for each.

Continuity of business

HIPAA requirements clearly state that electronic PHI must remain available. As such, it is important to have a good business continuity plan, which some IT pros refer to as a disaster recovery plan.

Continuity of business planning entails coming up with a plan for keeping data and mission-critical applications available following a failure. The scope of a healthcare provider's plan can vary depending on the types of patients that it treats. For instance, a large hospital that treats critically ill patients needs to keep critical systems online no matter what. Thus, a continuity of business plan might entail switching critical workloads over to one of several alternate data centers in the event of a major failure.

In contrast, a small physical therapy provider probably wouldn't require steps that are elaborate or expensive. The important thing is to make sure that the plan is justifiable.

Remember that the HIPAA security rule does not mandate the use of specific technologies, and it leaves the selection of technologies and products up to the individual provider. HIPAA does enable an organization to consider cost as a factor when selecting products or technologies, but requires that "reasonable and appropriate security measures must be implemented," according to federal regulations.

Data lifecycle management

Data lifecycle management refers to retaining data for the length of time required by law, and then purging expired information when it is no longer needed.

Data lifecycle management is often thought of as being completely separate from a provider's backup and recovery initiatives. Even so, there are two reasons why data lifecycle management should be considered as a part of the organization's overall disaster recovery plan.

First, some backup vendors have begun integrating data archival and data lifecycle management functionality into their software. Second, it isn't enough to simply retain data for the required length of time. Rather, a healthcare provider must have a way of recovering its data archives if they are lost, corrupted or destroyed.


Security

Security is a central theme throughout HIPAA requirements. The HIPAA security rule establishes standards for how to protect electronic PHI.

The secure handling of data extends to any format containing sensitive patient data, including backups. If, for example, a covered entity performs tape backups, then it must have a plan for protecting those tapes and their contents.

Further, there may be some data that is locked away in proprietary systems that are not tied to the rest of the network. Some older picture archiving and communication systems, for example, rely on proprietary and often isolated storage. Health IT departments must identify such data silos and work to either eliminate them or develop a strategy for protecting the data within.

Regardless of how a healthcare provider approaches its data protection and disaster recovery initiatives, its procedures, technologies and security initiatives must be documented. Because so many of HIPAA's technical safeguards are open to interpretation, it is also important to document the rationale for the organization's various policies, procedures and technology selections.
