HIPAA-compliance and Office 365 Backup

office 365 backup hipaa

The HIPAA Security Final Rule, the last of the three HIPAA rules, was published in the February 20, 2003 Federal Register with an effective date of April 21, 2003. Most CEs had two full years – until April 21, 2005 – to comply with these standards. A majority of covered entities, especially providers, did not comply by that date and are still non-compliant. Now, as a result of the HITECH Act, BAs, including medical billing companies, must comply fully with these laws as well.
1) It’s not optional – All CEs, including medical practices and BAs, must securely back up “retrievable exact copies of electronic protected health information” (CFR 164.308(7)(ii) (A)).

2) Your data must be recoverable – Why else are you backing it up? You must be able to fully “restore any loss of data” (CFR 164.308(7)(ii) (B)).

3) You must get your data offsite – as required by the HIPAA Security Final Rule (CFR 164.308(a)(1)). How could one defend a data backup and disaster recovery plan that stored backup copies of ePHI in the same location as the original data store?

4) You must back up your data frequently – as required by the HIPAA Security Final Rule (CFR 164.308(a)(1)). In today’s real-time transactional world, a server crash, database corruption, or erasure of data by a disgruntled employee at 4:40 PM would result in a significant data loss event if one had to recover from yesterday’s data backup.

5) Safeguards must continue in recovery mode – The same set of security requirements that applies under normal business operations must also apply during emergency mode. CEs and BAs cannot let their guard down (CFR 164.308(7)(ii) (C)).

6) Encrypt or Destroy – HITECH says to encrypt or destroy data at rest to secure it (Section 13402(h) of Title XIII HITECH Act). HIPAA Security Rule says that data being transmitted must be encrypted (CFR 164.312(e)(1)(B)). Many CEs and BAs fail in this area because tape- or disk-based backups are moved around freely, unencrypted.

7) You must have written procedures related to your data backup and recovery plan – Policies and procedures (CFR 164.312(b)(1)) and documentation (CFR 164.312(b)(2)(i)) are a huge part of the HIPAA Security Final Rule.

8) You must test your recovery – Backup is useless if your recovery fails, therefore the law requires that you “Implement procedures for periodic testing and revision of contingency plans.” (CFR 164.308(7)(ii) (D)). Unfortunately, testing tape-based or disk-based recovery can be time-consuming, so most companies rarely do it.

9) Non-compliance penalties are severe – Penalties are increased significantly in the new tiered Civil Monetary Penalty (CMP) System with a maximum penalty of $1.5 million for all violations of an identical provision.
Now is the time to act – CEs have been subject to the HIPAA Security Final Rule since April 2005. BAs were statutorily obligated to comply by February 2010. source


To sum up – Office 365 backup is not only recommended by HIPAA, but absolutely necessary for compliance and UpSafe Office 365 backup is the best solution for a number of reasons:  It helps you ensure the critical data from your SaaS application and allows you to focus on what really matters for your business & projects. In a few clicks you can set up the solution and just start your Office 365 backup. Then, when necessary, just restore the files you need through granular or full recovery.

Moreover, we apply special discounts for healthcare and other socially important organizations.

We work for your security

UpSafe Team