HIPAA-Compliant Backup: Secondary Data Protection


Sensing a big opportunity, a number of technology companies added HIPAA-compliant software and services. But how compliant are these vendors?

HIPAA stands for the Health Insurance Portability and Accountability Act, which regulates standards for protected health information (PHI) in the U.S. The Act is not new: it dates as far back as 1966. Over the years its governing body has updated standards and created new ones to match the extreme growth of sensitive data. As electronic records balloon in size and number, organizations find it harder and harder to comply with the stricter rules.

We’re talking about a lot of organizations. HIPAA applies to any “covered entity” that provides healthcare and healthcare-related services to patients. It also applies to “business associates” who provide goods and services to the covered entities – and to each camp’s subcontractors.

The Act covers both patient privacy and the security of electronic protected health information, or ePHI. This means medical billing, hospitals, radiology services, pharmacies, insurance, doctor’s offices, online nursing advice, administrative services, IT organizations – the list is very long. Making matters even more challenging, Congress passed a supplemental act in 2009 that raises the penalties for non-compliance. Few organizations set out to be non-compliant; most of them trip over fast-growing volumes of data combined with ignorance of the updated Act, which is all too easy given reams of digital data and overworked, undertrained staff.

The first move towards compliance is in the organization’s court. The Security Rule requires that organizations carry out a security risk audit to see where problems and gaps exist. Failing to do the audit is itself a deficiency, and the fines can be hefty. These risks aside, an audit will help the organization understand where it needs help to achieve electronic security compliance.

The next decision is how to close the gaps with HIPAA-compliant technology. At this point, organizations split data into two general camps: active production data and secondary or backup data. Both areas are subject to both HIPAA and the HITECH Act. HITECH complements HIPAA: it governs the world of electronic health record systems (EHR), with incentives for adopting EHR and big fines for non-compliance with HIPAA rules.

The second area is secondary data, overwhelmingly backup and archive. Backup data is subject to HIPAA rules under its Data Backup and Disaster Recovery Specifications. One popular choice for protecting backup data is managed hosting providers (MSPs) whose backup services are HIPAA-compliant. Many organizations choose to turn over their PHI data for compliant hosting as opposed to keeping compliant backup in-house. (Or doing nothing at all, which I most emphatically do not suggest.)

What regulations must backup providers follow to be compliant?

HIPAA’s Security Rule has a defined list of requirements for backup environments and providers. These requirements fall into three major areas: technology, physical security, and secure administration. Specific components include features like off-site backup, frequent backup for reasonable RTO and RPO (recovery time and point objectives), data centers secured against physical and digital intrusion, strong user access control, swift data breach communications, written DR plans, periodic testing, and encryption in-flight and at-rest. (Note that this rules out unencrypted tape and disk that are shipped off-site.)

These security measures are not only in place for the backup providers’ customers: the providers are also HIPAA business associates and face steep fines for non-compliance. Still, there is a lot of distrust in the industry of managed service providers claiming HIPAA compliance. Many MSPs sell HIPAA-compliant services but may not in fact be aware of changes in HIPAA and HITECH – changes that universally tightened HIPAA regulations and raised the risk of non-compliance.

The good news is that the latest round of changes came out in 2013 and MSPs have had a couple of years to understand and implement them. The bad news is that you cannot be certain that an MSP has a fully compliant environment without asking detailed questions first. So ask. Assume nothing. Ask questions about data center physical security and network security against intrusion, employee negligence, and accidental access in a multi-tenant environment. Ask about encryption policies, including encrypting data-in-flight from the organization’s site to the data center. Ask about documented policies and monitoring practices. Ask for their performance and availability service levels for backup and recovery, which are critical when backing up and restoring to the cloud.

Another good question to ask is what backup software the MSP is using. Many of them will white-label their backup software but most will tell you the vendor source. Several of the most popular backup software vendors are on the list below. Although no vendor or software is perfect, each of these companies has a good reputation in the HIPAA-compliant field. Most of them sell both directly and to MSPs; all are business-level as opposed to consumer.

HIPAA-Compliant Backup Providers


  • Carbonite automatically encrypts and transports customer data to the cloud, enabling backup of live applications and databases.
  • Zetta.net sells HIPAA-compliant cloud backup. Its main differentiator is high performance in the cloud thanks to native WAN optimization and architecture optimized for large datasets.
  • Intronis sells its services directly and also white-labels them for MSPs. Whether direct or white-labeled, fully encrypted backup is hosted at Intronis data centers with military-grade security and round-the-clock monitoring.
  • Asigra encrypts not only network data but also protected data from mobile devices. One of its sweet spots is tape backup users who know they are not in HIPAA compliance.
  • Druva’s strong suit is data protection for the edge. inSync provides HIPAA protection for PHI data located on the LAN and mobile devices.
  • AWS (Amazon) is the exception to the rule. AWS is not itself HIPAA-compliant. It does, however, maintain HIPAA standards in its cloud data centers (specifically NIST 800-53), meaning that HIPAA providers can host in AWS and be compliant.