Backup and Recovery
Own Recover

HIPAA Data Backup Requirements & PHI Requirements

Cameron Skinner
Senior Strategic Business Development Manager, Own Company
No items found.

If you’re a business that handles Protected Health Information (PHI) — or expects to in the future — you can’t afford to ignore your data compliance and protection responsibilities. In this article, we break down the essentials of PHI and the critical role a backup and recovery solution plays in protecting data compliance, integrity, and availability.

What is PHI?

Protected Health Information (PHI) is any individually identifiable health information that was created, used, or disclosed during treatment or diagnosis. PHI is protected and regulated by the Health Insurance Portability and Accountability Act (HIPAA), which was introduced in 1996.  The HIPAA Privacy Rule provides standards for how PHI is stored, collected, and shared, along with physical, administrative, and technical controls. By mandating PHI protection, HIPAA aims to mitigate inappropriate disclosure risks that could impact important factors like employability, insurability, and more.

Keep in mind that not all patient data is PHI. To quality as PHI, data must fall under one of these 18 identifiers:

  1. Name
  2. Address. This includes anything smaller than state: street address, city, county, and zip code.  
  3. Dates. This includes birthdate, death date, age, and admittance and discharge dates (except year).
  4. Social Security number
  5. Telephone number
  6. Fax numbers
  7. Email address
  8. Health plan beneficiary number
  9. Account number
  10. Medical records number
  11. Medical device identifier
  12. Certificate or license number. This includes driver’s license numbers.
  13. Vehicle identifiers, like license plate number or VIN
  14. Internet Protocol (IP) addresses
  15. Web URLs
  16. Full facial photographs and any comparable image
  17. Biometrics, such as fingerprints and voiceprints

How is PHI used?

Your PHI information follows you throughout the corse of your life. From the moment you’re born, your PHI is likely entered into an electronic healthcare record and will continue to grow as you do. This medical information helps clinicians understand a patient's health history and make individualized treatment choices.

HIPAA regulations allow clinical and research scientists to use anonymized PHI to study and forecast health and healthcare trends. It’s also utilized to create value-based care programs, recognizing healthcare providers that are providing superior care.  

While PHI is valuable for both patient and industry advancement, it’s highly valued by hackers and cybercriminals. PHI is full of personal consumer information that they can sell.  From social security numbers to account numbers to medical records, hackers leverage multiple types of information in many ways, creating long-term problems that easily go under the radar. Cybercriminals also conduct ransomware attacks on hospitals or healthcare providers and hold PHI hostage in exchange for a payoff, creating major disruptions in care, record keeping, and organization as a whole. Therefore, organizations handling PHI must know the risks and how to mitigate them.

What Are The HIPAA Data Backup Requirements for PHI?

Protection of PHI is critically important because it ensures the privacy of sensitive data. Companies who fail to protect this type of data are subject to significant non-compliance fines, as well as the inevitable impacts on reputation and trust.

Regardless of sector or industry, organizations should be examining their SaaS applications, in particular platforms like Salesforce and Microsoft Dynamics 365, to look at what PHI data may be stored there. For organizations in the healthcare industry, the guidelines are quite clear; proper management of PHI includes having a data backup and recovery solution in place.

While specific HIPAA regulations may not apply to all organizations, employers who possess health information, like vaccination status, should examine their data protection policies to ensure that they meet the compliance requirements of internal, state, or federal data regulations. Several of those regulations require backups to be:

  • Frequent: In most circumstances, a daily data backup is satisfactory, but sometimes backups must be scheduled to the hour or minute, depending on the type of record.
  • Encrypted: Backed up data should be encrypted at rest and in transmission.
  • Secure: Backed up data should have user authentication safeguards, including multi-factor password protection and role-based access controls to partition backup services and control who has access to them.
  • Tested: Once successful backups have been achieved, the restore process must be tested to confirm the data integrity and how quickly the restore process takes to complete.
  • Stored offsite: Backups must be stored in a separate location from production services and depending on the record, must be retained for a finite period — in some cases six years or more.

Are There Physical HIPAA Requirements for Storing Data & Data Backups?

In addition to technical requirements, HIPAA requirements also mandate physical safeguards and security requirements for the places you choose to store your PHI data. The physical HIPAA data requirements include:

24/7 Manned Data Center Security 

Access controls for Hardware & Media

Restricted Server Access

Tamperproof Logs

Are there Administrative HIPAA Requirements for Storing Data & Data Backups?

There are physical and technical requirements when storing PHI, but also administrative requirements. This means there must be certain administrative processes in place when an organization is storing PHI data. These administrative processes include:

Risk assessments and analysis 

Disaster recovery and contingency plans 

Physical security maintenance records 

Breach notification documentation 

Business associate agreements 

Who needs to be HIPAA compliant?

Entities that must follow HIPAA regulations are called “covered entities.” Covered entities include heath care providers, such as doctors, hospitals, clinics, pharmacies, dentists, and nursing homes, along with health are plans, like health insurance companies, company health plans, HMOs, and certain government-paid healthcare programs, such as Medicare and Medicaid. Healthcare clearinghouses are also considered covered entities, as they process nonstandard health information or format data for compliance.

Covered entities aren’t the only organizations required to check the compliance boxes. A covered entity’s business associates, the third-party individual or company that is granted access to PHI to perform its services, must also follow HIPAA’s strict protocols, too. Business associates can include document storage companies, medical billing companies, collection agencies, attorneys, CPA firms, and more. Whether you’re a covered entity or business associate, poor PHI management and protection can put you in the compliance hot seat.

How does your Data backup solution support your compliance efforts?

Data compliance and security are too important to ignore. If your company manages PHI or other types of sensitive and regulated data that must be protected, you must consider a backup and recovery solution...but not just any solution. Here are a few questions to ask yourself when considering your organization’s solution:

  • Do you store any PHI data in your SaaS platform?
  • What is your necessary recovery time objective (RTO) and recovery point objective (RPO)?
  • How frequently do you back up your data?
  • If your SaaS provider was down, would you still be able to access your data?
  • How frequently do you test your ability to recover data from a backup?
  • How do you ensure data is retained within minimal and maximal retention timeframes?
  • What regulatory requirements impact your data retention policy?

Depending on how you answer these questions, you may want to consider a third-party backup and recovery solution. At Own (formerly OwnBackup), we’re the #1 SaaS data protection platform and meet all the requirements of a HIPAA compliant backup and recovery solution. Most importantly, because our cloud application sits outside the SaaS provider’s, our customers' backup files are always accessible to them even in the event of a SaaS provider outage or other critical event like a data breach.

Get started

Submit your details and we will contact you shortly to schedule a custom 25-minute demo.

Book a demo
Get started

Submit your details and we will contact you shortly to schedule a custom 25-minute demo.

Book a demo
Cameron Skinner
Senior Strategic Business Development Manager, Own Company

Backup and Recovery
Own Recover

Get started

Share your details and we’ll contact you shortly to schedule a custom 25-minute demo.

Schedule a Demo