Manage Learn to apply best practices and optimize your operations.

Tip: Developing a HIPAA-compliant storage plan

Establishing HIPAA-compliant storage plans requires a three-pronged approach to meet disaster recovery, data backup and emergency operations criteria.

An important part of establishing and maintaining HIPAA compliance is the creation of a storage plan. Although the HIPAA regulations do not specifically require a storage plan,  HIPAA Part 164.308(a)(7)(i)does require your organization to develop a contingency plan. Specifically, this regulation states:

Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

Part ii outlines the implementation specifications for this regulation. HIPAA requires the creation of five separate documents as outlined below:

(ii) Implementation specifications:

(A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.

(B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.

(C) Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

(D) Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans.

(E) Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components.

A storage policy is made up of documents A, B, and C ("Data Backup Plan," "Disaster Recovery Plan" and "Emergency Mode Operation Plan"). The "Testing and Revision Procedures" and "Applications and Data Criticality Analysis" documents are required by HIPAA, but are beyond the scope of this article.

A word about HIPAA compliance

As evident in the section above, the HIPAA requirements for the various plans are rather vague. HIPAA states what each of the three plans must accomplish but leaves the details to each individual organization's own discretion. Therefore, the challenge becomes creating a Data Backup Plan, Disaster Recovery Plan, and Emergency Operation Plan that not only meet HIPAA's required objective but also fit into your own, unique organizational logistics and budgetary constraints.

Data backup plan

As the name implies, the Data Backup Plan reflects a healthcare organization's plan for backing up systems containing patient health data. The first thing that administrators must understand about the Data Backup Plan (and the Disaster Recovery Plan and the Emergency Mode Operation Plan) is that simply developing a document for the sake of compliance is not enough.

The challenge becomes creating plans that meet HIPAA's required objective and fit into your unique organizational logistics and budgetary constraints.

As an administrator, you are free to back up your data in any way that you see fit as long as your backup methodology fulfills the HIPAA requirement to create and maintain retrievable exact copies of electronic protected health information. However, your backup plan must accurately document the backup methodology that you are using. It is expected that your Data Backup Plan will be a living document. In other words, as your backup requirements and methodologies evolve over time, the Data Backup Plan must be kept up to date so that it always matches the backup procedure that is being used.

The exact nature of a Data Backup Plan's contents will vary from one health care organization to the next. Generally, however, the plan should document the backup hardware and software that is being used as well as outline the backup procedures in granular detail.

It stands to reason that a Data Backup Plan would document the organization's tape rotation scheme, but the plans typically provide a greater degree of depth with regard to the backup process. For example, the plan might outline the tape-labeling scheme as well as the tape retention cycle. Typically, a Data Backup Plan will also document methods used for storing backup copies off-site as well as for testing your backups. Your Data Backup Plan should ideally also document the schedule for any backup-related maintenance, such as cleaning tape drives.

Disaster recovery plan

An organization's Disaster Recovery Plan is a natural complement to its Data Backup Plan. After all, backing up data is only one step in protecting a health care organization's systems against failure. It is critically important for administrators to know how to restore the backups should the need ever arise.

As is the case with the Data Backup Plan, the Disaster Recovery Plan is intended to be a living document that is updated on a regular basis. The document must accurately reflect the procedures that will be used to recover electronic health records (EHRs) and other types of critical information after a disaster.

More on HIPAA-compliant storage

Read about how SearchHealthIT Editorial Director Scott Wallask experienced HIPAA-compliant cloud storage in healthcare through his son's EHR.

As you develop a Disaster Recovery Plan, the document's structure should lend itself to being easily updatable. Typically, the document body contains nontechnical information that is relatively static (but that must be kept up-to-date nonetheless). Technical information updated on a regular basis is typically included in the document's appendix.

The nontechnical portion of the Disaster Recovery Plan should discuss the logistical aspects of the disaster recovery process at length. For instance, many disaster recovery plans begin by presenting an overall recovery strategy. It is important to keep in mind that a good disaster recovery plan should discuss a variety of recovery operations. For example, a disaster recovery plan might discuss bare-metal server recovery, recovery of a virtual machine, file-level recovery, application recovery, Active Directory recovery, and the recovery of infrastructure components such as DNS and Dynamic Host Configuration Protocol (DHCP) servers.

Disaster recovery planning isn't always about an organization's ability to restore a backup. Sometimes disasters occur that do not directly impact servers or storage components. For example, the failure of a network switch could be considered a disaster, and a contingency plan should be outlined within your disaster recovery plan even though no data will need to be restored.

In addition to discussing recovery strategies, a good Disaster Recovery Plan should also provide the contact information, roles and responsibilities of those who will be involved in the recovery process. Some health care organizations even go so far as to document the vendors who may be called upon to provide supplies or technical assistance.

Emergency mode operation plan

The third document making up a healthcare organization's storage policy is the Emergency Mode Operation Plan. The Disaster Recovery Plan is designed to deal with data recovery after a small-scale disaster, such as the loss of a server or a storage array failure. In contrast, the Emergency Mode Operation Plan deals with a health care organization's ability to cope with larger-scale disasters, such as the destruction of the organization's primary data center.

The bulk of the Emergency Mode Operation Plan is nontechnical in nature.  Its primary purpose is to document the organization's policies and resources used in an emergency failover to an alternate data center. For example, the Emergency Mode Operation Plan should document the systems that contain critical data and the systems that need to be brought online in order to achieve continuity of business (or at least skeleton functionality).

The Emergency Mode Operations Plan should also document the location of the alternate data center and the computing and storage resources that are available for hosting critical workloads during times of disaster. Additionally, the Emergency Mode Operation Plan should list the members of the disaster recovery team and their responsibilities with regard to restoring functionality.

One easily overlooked aspect of the Emergency Mode Operation Plan is having the plan accessible from outside the data center. After all, the Emergency Mode Operation Plan does no good if the plan itself is destroyed along with the data center. Typically, an Emergency Mode Operation Plan should include a statement indicating that each member of the disaster recovery team must keep a copy of the plan off-site in a secure location.


As you develop your storage policy, it is important for Data Backup Plan, Disaster Recovery Plan, and Emergency Mode Operation Plan to complement one another and to collectively form a comprehensive disaster recovery strategy. Just as importantly, the three plans must accurately reflect the procedures that the organization actually uses. As these procedures evolve, the various plans must be updated in order to remain relevant and accurate.

Brien M. Posey is a Microsoft Most Valuable Professional known for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. Contact him at [email protected].

Dig Deeper on Health records storage management and systems