HIPAA backup requirements are simpler than most vendors want you to believe. The vendors have a reason to make it sound complicated — complexity sells consulting hours. But the actual regulations are specific, readable, and achievable for a practice of any size.
This post walks through what the HIPAA Security Rule actually says about backup and disaster recovery, translated into plain English. No legalese, no scare tactics.
The Regulation: 45 CFR 164.308(a)(7)
The HIPAA Security Rule lives in Title 45 of the Code of Federal Regulations. The section that covers backup and disaster recovery is 164.308(a)(7), titled “Contingency Plan.” It has five implementation specifications: three marked Required and two marked Addressable.
Data Backup Plan (Required)
You must create and maintain retrievable exact copies of electronic protected health information (ePHI). In practice: automated backups of your patient records, X-rays, billing data, and anything else that constitutes ePHI. Manual USB copies can technically satisfy this, but they depend on someone remembering to make them every time, and the testing requirement below is where that gap shows up.
Disaster Recovery Plan (Required)
You must have procedures to restore any loss of data. This means a documented plan, not just “we’ll figure it out.” The plan should cover how you restore from backup, who is responsible for initiating recovery, how long it takes, and what happens if your primary location is inaccessible. A one-page document answering these questions can satisfy this, provided it describes how recovery actually works in your practice.
Emergency Mode Operation (Required)
You must have procedures to continue critical business processes during an emergency. For most small practices: can you still access patient records and provide care if your primary system goes down? The answer might be as simple as “we restore from backup to a spare workstation” or “we use paper forms for 24 hours while systems are restored.”
Testing and Revision Procedures (Addressable)
You should implement procedures for periodic testing and revision of contingency plans. “Addressable” in HIPAA doesn’t mean optional. It means you must assess whether the specification is reasonable and appropriate for your environment, implement it if so, and otherwise document why not and put an equivalent alternative measure in place. This is the requirement most practices miss. Having a backup is step one. Testing that the backup actually restores, and revising the plan when a test or a system change shows it needs updating, is what this provision requires. The rule sets no frequency; regularly scheduled automated restore tests with dated, retained results are the simplest way to show you meet it.
Criticality Analysis (Addressable)
You should assess the relative criticality of specific applications and data in support of contingency planning. Translation: know which systems and data are most important, and prioritize their protection and recovery. Your practice management software and patient records are critical. Your screensaver settings are not. Document the distinction.
What an Auditor Actually Looks For
When the Office for Civil Rights (OCR) investigates a practice, usually after a reported breach, they don’t ask to see your backup software. They ask for documentation. Specifically: evidence that backups are happening, evidence that you’ve tested recovery, a written contingency plan, your most recent risk analysis, and records showing who has access to ePHI and how that access is controlled.
The practices that get fined aren’t typically fined for being hacked. They’re fined for not having the documentation that demonstrates they were trying to prevent it.
The Business Associate Agreement
If anyone outside your practice touches your ePHI — including your backup provider — HIPAA requires a Business Associate Agreement (BAA). A BAA is a contract that obligates the vendor to protect your data according to the same standards you’re required to follow. No BAA, no compliance.
This is one of the most commonly overlooked requirements. If you’re backing up patient data to a consumer-grade cloud service without a signed BAA from that provider, you have a compliance gap regardless of how good the encryption is. HHS’s guidance on cloud computing is explicit on this point: a provider that stores only encrypted ePHI and never holds the decryption key is still a business associate and still needs a BAA.
Any managed backup provider serving healthcare should offer a BAA as standard. If they don’t mention it, ask. If they can’t provide one, that’s your answer about whether they’re the right fit.
What You Actually Need to Do
For a typical dental or medical practice with one server, a few workstations, and 5-15 employees, HIPAA backup compliance comes down to six concrete actions.
First, automate your backups. Manual processes — USB drives, external hard drives carried home on Fridays — create gaps when someone forgets, calls in sick, or goes on vacation. Automated encrypted backups eliminate human error from the equation.
Second, test your restores regularly. A backup you’ve never restored from is a file you hope works. Weekly automated restore testing with documented results is the cleanest way to satisfy the testing requirement in 164.308(a)(7)(ii)(D).
Third, write a contingency plan. It doesn’t need to be 50 pages. A one-to-three page document covering what gets backed up, where it’s stored, who initiates recovery, estimated recovery time, and what happens during downtime. That document, dated and signed, demonstrates compliance.
Fourth, sign a BAA with your backup provider. If they handle ePHI, they need a BAA.
Fifth, keep your documentation current. Update the contingency plan at least annually and whenever your systems change. The Security Rule requires you to retain policies, procedures and records such as restore test results for six years from the date they were created or last in effect (45 CFR 164.316(b)(2)), so keep the test log, not just the latest result.
Sixth, know who has access. Maintain a record of who can access ePHI, review it periodically, and make sure it covers the backup copies: the backup store, the provider’s console and the encryption keys need the same access controls as your live data. Access control is a separate HIPAA requirement, but it intersects with backup at exactly this point.
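What step two produces in practice, as an added example that is not code from this post or from any backup vendor: a stdlib-only Python script that restores a backup into a scratch directory, checks every file against a sha256 manifest, and appends a dated PASS/FAIL record to a JSON-lines log. The archive format (tar.gz), the separate manifest, the log layout and the sample files are all assumptions standing in for your backup tool’s output and for real ePHI. Replace restore_archive() with your tool’s restore command and keep the verification and the log; the log is the document an auditor reads.

```python
"""Automated restore test with a written record (added example, not from the
post). Assumed: tar.gz archive, JSON manifest of sha256 digests, JSONL log."""
import hashlib
import json
import os
import tarfile
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path

# Constructed stand-ins for ePHI; contents are invented for the demo.
SAMPLE_FILES = {
    "patients/records.db": b"patient-db-v1\x00" * 64,
    "imaging/xray_0001.dcm": b"DICM" + bytes(range(256)),
    "billing/ledger.csv": b"date,patient,amount\n2024-01-02,0001,120.00\n",
}

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def create_backup(source: Path, archive: Path) -> dict:
    """Archive every file under source; return {relative path: sha256}.
    Keep the manifest apart from the archive: it is what the test trusts."""
    manifest = {str(p.relative_to(source)).replace(os.sep, "/"): sha256_file(p)
                for p in sorted(source.rglob("*")) if p.is_file()}
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(str(source / rel), arcname=rel)
    return manifest

def restore_archive(archive: Path, dest: Path) -> None:
    """Extract into dest, refusing members that would land outside it or that
    are not plain files/directories. Uses the stdlib 'data' filter if present."""
    dest_real = os.path.realpath(dest)
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            target = os.path.realpath(os.path.join(dest_real, member.name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"unsafe path in archive: {member.name}")
            if not (member.isfile() or member.isdir()):
                raise ValueError(f"unsupported member type: {member.name}")
            tar.extract(member, dest_real, **extract_opts)

def restore_test(archive: Path, manifest: dict, log_path: Path) -> dict:
    """Restore to a scratch directory, verify every manifest entry, append a
    dated record to log_path and return it. The record is the evidence."""
    started = time.monotonic()
    missing, mismatched = [], []
    with tempfile.TemporaryDirectory() as scratch:
        restore_archive(archive, Path(scratch))
        for rel, expected in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                missing.append(rel)
            elif sha256_file(restored) != expected:
                mismatched.append(rel)
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "archive": archive.name,
        "files_checked": len(manifest),
        "missing": missing,
        "mismatched": mismatched,
        "duration_s": round(time.monotonic() - started, 3),
        "result": "PASS" if not (missing or mismatched) else "FAIL",
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record

def run_demo() -> tuple:
    """Back up the sample data and test it (PASS), then corrupt one file and
    re-archive to show the test catching silent damage (FAIL)."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source, log = work / "live", work / "restore-tests.jsonl"
        for rel, data in SAMPLE_FILES.items():
            (source / rel).parent.mkdir(parents=True, exist_ok=True)
            (source / rel).write_bytes(data)
        manifest = create_backup(source, work / "good.tar.gz")
        ok = restore_test(work / "good.tar.gz", manifest, log)
        (source / "patients/records.db").write_bytes(b"\x00" * 16)  # bit rot
        with tarfile.open(work / "bad.tar.gz", "w:gz") as tar:
            for rel in manifest:
                tar.add(str(source / rel), arcname=rel)
        failed = restore_test(work / "bad.tar.gz", manifest, log)
        return ok, failed

if __name__ == "__main__":
    for rec in run_demo():
        print(rec["result"], rec["mismatched"] or "all files verified")
```

Two design choices matter here. The manifest is produced at backup time and kept separately, so a damaged or tampered archive cannot vouch for itself; and the restore goes through a path check before extraction, because a restore test that unpacks whatever the archive says into your file system is itself a risk. Run it from a weekly scheduled task against the most recent backup, point log_path at a location you retain for six years, and the JSONL file becomes your testing record.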
What You Don’t Need
You don’t need a six-figure IT overhaul. You don’t need to hire a HIPAA consultant at $200/hour to tell you what’s written in a publicly available regulation. You don’t need enterprise-grade software designed for 500-bed hospitals.
You need backups that run automatically, restore testing that’s documented, a simple contingency plan, and a BAA with anyone who touches your data. That’s the floor. Everything above it is valuable, but don’t let the pursuit of perfect stop you from getting to compliant.
“HIPAA compliance for backup isn’t about buying expensive technology. It’s about having a documented, testable process that you can demonstrate works when an auditor asks.”
Get Started
We’ll review your current backup setup against HIPAA requirements and tell you where you stand. Plain-English results.