Medical Practice Data Backup: HIPAA Requirements Explained

by Jon Lober | NOC Technology

How to Keep Your Practice's Data Safe

Picture a Monday morning in your practice. The front desk is already backed up with check-ins, your EHR system is loading slowly, and then it stops loading entirely. The server is down. Patient records, appointment schedules, billing data, all inaccessible. How long before you can see patients? Hours? Days? And when the system comes back, will the data be intact?


For most medical practices, the honest answer to that last question is: we’re not sure. In 2025, 605 healthcare data breaches were reported to HHS, affecting 44.3 million Americans. The average cost of a healthcare data breach reached $10.22 million. More than one-fifth of HIPAA enforcement actions included penalties specifically for inadequate backup procedures.


HIPAA’s backup requirements aren’t just about having a copy of your data somewhere. They’re about having a verified, recoverable, encrypted copy, and being able to prove it. Here’s what the rules actually require and what a compliant strategy looks like for a St. Louis medical practice.


What HIPAA Actually Requires for Data Backup


HIPAA’s backup requirements come from two sections of the Security Rule:

The Contingency Plan Standard (45 CFR § 164.308(a)(7)) requires covered entities to establish policies and procedures for responding to an emergency or other occurrence that damages systems containing ePHI.


Specifically, it requires:

  • A data backup plan: procedures to create and maintain retrievable exact copies of ePHI
  • A disaster recovery plan: procedures to restore lost data
  • An emergency mode operation plan: procedures to enable critical business processes while operating under emergency conditions
  • Testing and revision procedures: procedures for periodic testing and revision of contingency plans


Device and Media Controls (45 CFR § 164.310(d)(2)(iv)) requires that practices create a retrievable exact copy of ePHI before moving equipment containing that data. The phrase “retrievable exact copy” is load-bearing; it means verified, complete, and accessible when needed. A backup that hasn’t been tested isn’t a “retrievable exact copy.” It’s a guess.


The 3-2-1-1-0 Backup Rule for Healthcare


The original 3-2-1 backup rule has been a data protection standard for decades: keep 3 copies of your data, on 2 different types of media, with 1 copy stored offsite. For most businesses, this was enough.


For healthcare practices in 2026, ransomware has changed the calculation. Ransomware can encrypt any backup that’s connected to your network, including your “offsite” cloud backup if it’s accessible from an infected system. This is why the industry has evolved toward 3-2-1-1-0:


  • 3 copies of your data
  • 2 different types of media
  • 1 copy stored offsite
  • 1 copy that is air-gapped or immutable (cannot be modified or deleted, even by ransomware)
  • 0 verified errors — meaning backups are regularly tested and confirmed recoverable


Immutable backups are the key addition. An immutable backup—whether it’s a WORM (write-once, read-many) tape, an object storage bucket with immutability enabled, or a cloud service with versioning protection—cannot be encrypted, modified, or deleted by ransomware. Even if every other system in your practice is compromised, the immutable backup survives.


A practical 3-2-1-1-0 implementation for a St. Louis medical practice: a local backup on your server or NAS device (copy 1, media type 1), a cloud backup with versioning to a HIPAA-compliant provider (copy 2, media type 2, offsite), and an immutable cloud backup or air-gapped external drive stored off-network (copy 3 + the immutable copy). The “zero errors” requirement means you test restores regularly; more on that below.


Encryption Requirements for ePHI Backups


All backups containing ePHI must be encrypted, both the data at rest (stored on a drive, tape, or cloud storage) and the data in transit (when it’s being transferred to the backup destination). AES-256 is the current standard.

This applies to every backup medium: external hard drives, NAS devices, cloud backups, tape, USB drives. If a backup drive containing unencrypted patient records is lost or stolen, that’s a reportable HIPAA breach, the kind that triggers HHS notification and potentially patient notification.


One critical detail: encryption keys must be stored separately from the data they protect. If your backup encryption key is on the same server as the encrypted backup, and that server is compromised, both the data and the key are gone. Store encryption keys in a separate password manager or key management system.


The proposed 2026 HIPAA Security Rule updates remove the “addressable” vs. “required” distinction for encryption. Previously, encryption was technically “addressable,” which some practices interpreted as optional if they documented a reason not to implement it. The new rules make encryption mandatory for ePHI—in backups and elsewhere. If your practice is using that “addressable” carve-out as a reason to skip backup encryption, close that gap now.


The 2026 HIPAA Security Rule Updates That Affect Backup


The January 2025 proposed HIPAA Security Rule updates, expected to be finalized in 2026, introduce several changes that directly affect backup requirements:


  • Mandatory encryption for all ePHI: the addressable/required distinction is eliminated
  • Mandatory annual testing of backup restoration procedures: testing must be documented
  • A 72-hour recovery time objective (RTO) for critical systems: practices must be able to restore essential systems within 72 hours of a disruption
  • Mandatory documentation of backup verification results: you need a paper trail showing backups are working


The 72-hour RTO requirement is significant. Many practices haven’t established a formal recovery time objective—they just know they need to “get systems back up.” The new rules require you to define the target and demonstrate you can meet it. For practices whose EHR is critical to patient care, this puts real urgency on backup strategy and testing.


Testing: The Part Most Practices Skip


Having backups is different from having working backups. HIPAA’s contingency plan standard explicitly requires testing and revision of your backup and recovery procedures. In practice, most small medical practices configure backup software once and never verify the restores actually work—until a crisis hits.


When the crisis hits, they discover the backups are corrupted. Or incomplete. Or they restore successfully but take 14 hours instead of the expected 2. Or the backup has been failing silently for six months and no one received the error notification.


What a real testing program looks like:

  • Monthly: restore a sample of files from backup to verify data integrity. This takes less than an hour and confirms the backup is actually working.
  • Quarterly: restore a full application or database from backup to a test environment. Confirm that the restored system is functional, not just that the files exist.
  • Annually: conduct a full disaster recovery drill. Simulate a system failure and time the full restoration. Compare against your recovery time objective.
  • Always: document the results. A test that isn't documented didn't happen, as far as an auditor is concerned.
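One way to make the monthly and quarterly restore tests above both verifiable and documented, as an added example that is not part of the original article and not any vendor's tooling: record a SHA-256 manifest of the files at backup time, hash the restored copies against that manifest at test time, compare the measured restore duration against the 72-hour RTO, and append a structured record to an append-only test log. The sample files, tester name and timestamps are constructed for the demonstration; the manifest and log formats are assumptions, not a standard.

```python
# Restore-test verification with a hash manifest and a documented test log.
# Added example (not from the article): file layout, manifest/log formats,
# sample data and timestamps are all constructed for illustration.
import hashlib
import json
import shutil
import tempfile
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Dict, List

RTO_LIMIT = timedelta(hours=72)  # the 72-hour RTO discussed in the article


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backup files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source_dir: Path) -> Dict[str, str]:
    """Map relative path -> SHA-256 for every file at backup time.

    Keep the manifest with the backup (ideally on the immutable copy) so the
    integrity check does not depend on the possibly compromised source system.
    """
    return {p.relative_to(source_dir).as_posix(): sha256_of(p)
            for p in sorted(source_dir.rglob("*")) if p.is_file()}


def verify_restore(manifest: Dict[str, str], restored_dir: Path) -> List[str]:
    """Compare a restored tree against the manifest; an empty list is the '0 errors' outcome."""
    errors: List[str] = []
    for rel_path, expected in manifest.items():
        candidate = restored_dir / rel_path
        if not candidate.is_file():
            errors.append(f"missing: {rel_path}")
        elif sha256_of(candidate) != expected:
            errors.append(f"hash mismatch: {rel_path}")
    return errors


@dataclass
class RestoreTestRecord:
    """One log entry: what was tested, when, by whom, and the outcome."""
    test_type: str
    started: str
    finished: str
    duration_hours: float
    files_checked: int
    errors: List[str]
    conducted_by: str
    rto_met: bool
    passed: bool


def record_restore_test(manifest, restored_dir, started, finished,
                        test_type, conducted_by, log_path) -> RestoreTestRecord:
    """Verify the restore, check its duration against the RTO, append the result to the log."""
    errors = verify_restore(manifest, restored_dir)
    duration = finished - started
    record = RestoreTestRecord(
        test_type=test_type, started=started.isoformat(), finished=finished.isoformat(),
        duration_hours=round(duration.total_seconds() / 3600, 2),
        files_checked=len(manifest), errors=errors, conducted_by=conducted_by,
        rto_met=duration <= RTO_LIMIT, passed=(not errors) and duration <= RTO_LIMIT,
    )
    with log_path.open("a", encoding="utf-8") as log:  # JSON Lines, one record per test
        log.write(json.dumps(asdict(record)) + "\n")
    return record


def demo() -> RestoreTestRecord:
    """Constructed scenario: three sample files are backed up; one comes back corrupted."""
    work = Path(tempfile.mkdtemp(prefix="restore-test-"))
    try:
        source = work / "source"
        (source / "ehr").mkdir(parents=True)
        (source / "billing").mkdir()
        (source / "ehr" / "chart-0001.json").write_text('{"patient": "sample-1", "note": "constructed"}')
        (source / "ehr" / "chart-0002.json").write_text('{"patient": "sample-2", "note": "constructed"}')
        (source / "billing" / "claims.csv").write_text("claim_id,amount\n1,100.00\n")
        manifest = build_manifest(source)          # taken at backup time

        restored = work / "restored"
        shutil.copytree(source, restored)          # stands in for the restore job
        # Simulate silent corruption of one restored file.
        (restored / "billing" / "claims.csv").write_text("claim_id,amount\n1,999.00\n")

        started = datetime(2026, 3, 2, 8, 0, tzinfo=timezone.utc)  # constructed timestamps
        finished = started + timedelta(hours=1, minutes=30)
        return record_restore_test(manifest, restored, started, finished,
                                   test_type="monthly-sample-restore",
                                   conducted_by="backup-admin (placeholder)",
                                   log_path=work / "restore-test-log.jsonl")
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The restore in the scenario finishes well inside the RTO, but the record still fails because one file's hash does not match: a timed restore that silently returns altered data is exactly the failure the "zero errors" element of the rule is meant to catch, and the log line is the evidence an auditor asks for.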


Common Backup Mistakes Medical Practices Make


  • Relying on a single backup location: a fire, flood, or ransomware attack takes it out
  • Not encrypting backups: an unencrypted backup of patient records is a breach waiting to happen if the media is ever lost
  • Storing backups in the same physical location as primary data: protects you from drive failure, not from disaster
  • Never testing restores: the most common way to discover your backup doesn't work is when you actually need it
  • Incomplete coverage: backing up the EHR server but forgetting email archives, billing systems, or data on individual workstations
  • No documented recovery time objective: you can't meet a target you haven't defined
  • No staff training on recovery procedures: if the person who knows how to restore from backup is on vacation when the server fails, that's a problem


What a Compliant Backup Strategy Actually Looks Like


Here’s a practical example for a 5-physician practice in the St. Louis area:

  • Primary copy: EHR and practice management data on an on-premise server with automated daily backup to a local NAS device
  • Second copy: Local NAS device with immutable snapshots enabled — ransomware cannot modify or delete these snapshots
  • Third copy: Encrypted cloud backup to a HIPAA-compliant provider (Veeam, Datto, Acronis, or similar) with 90-day versioning, network-isolated from the primary environment
  • Monthly: automated restore test of a sample dataset with results logged to a shared document
  • Annual: full disaster recovery drill with documented results and comparison against the 72-hour RTO target
  • Encryption: AES-256 on all copies; encryption keys stored in a separate password management system, not on the backed-up systems
  • Documentation: written backup plan, test results, and annual review incorporated into the HIPAA security risk analysis


This setup satisfies the 3-2-1-1-0 rule, meets the proposed 2026 encryption and testing requirements, and gives you documentation you can hand to an auditor. It’s not the cheapest setup, but it’s appropriate for a practice whose EHR going down for 72+ hours has direct patient care implications.
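To make the 3-2-1-1-0 rule from the earlier section and the strategy just described checkable rather than a checklist you eyeball, here is an added example (not from the article, and not a product feature) that models each backup copy as a record and evaluates the inventory against every element of the rule plus the encryption and key-separation requirements. The two inventories are constructed: one mirrors the 5-physician setup above, the other a common weak setup of a single NAS plus a cloud sync folder that the network can reach. The field names and check labels are assumptions chosen for this example.

```python
# Evaluate a backup inventory against 3-2-1-1-0 and the encryption requirements.
# Added example (not from the article): records, field names and check labels
# are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media_type: str                  # e.g. "server-disk", "nas", "cloud-object-storage"
    offsite: bool
    immutable: bool                  # WORM tape, immutable snapshots, versioning/object lock
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    key_stored_separately: bool      # key held in a KMS/password manager, not on this system
    last_test_errors: Optional[int]  # errors in the latest restore test; None = never tested


def evaluate(copies: List[BackupCopy]) -> Dict[str, bool]:
    """Each element of the rule becomes one named check; True means satisfied."""
    have = bool(copies)
    return {
        "3 copies": len(copies) >= 3,
        "2 media types": len({c.media_type for c in copies}) >= 2,
        "1 offsite": any(c.offsite for c in copies),
        "1 immutable or air-gapped": any(c.immutable for c in copies),
        # A copy that has never been restore-tested cannot claim zero verified errors.
        "0 verified errors": have and all(c.last_test_errors == 0 for c in copies),
        "encrypted at rest and in transit": have and all(
            c.encrypted_at_rest and c.encrypted_in_transit for c in copies),
        "keys stored separately": have and all(c.key_stored_separately for c in copies),
    }


def gaps(copies: List[BackupCopy]) -> List[str]:
    """Names of the checks the inventory fails; an empty list means compliant."""
    return [check for check, ok in evaluate(copies).items() if not ok]


# Field order for the positional records below:
# name, media_type, offsite, immutable, encrypted_at_rest, encrypted_in_transit,
# key_stored_separately, last_test_errors

# Constructed inventory mirroring the article's 5-physician example.
COMPLIANT_STRATEGY = [
    BackupCopy("on-prem EHR server (primary)", "server-disk", False, False, True, True, True, 0),
    BackupCopy("local NAS with immutable snapshots", "nas", False, True, True, True, True, 0),
    BackupCopy("HIPAA-compliant cloud backup, 90-day versioning",
               "cloud-object-storage", True, True, True, True, True, 0),
]

# Constructed inventory of a weak setup: one NAS plus a LAN-reachable cloud sync folder,
# cloud copy never restore-tested, encryption key kept on the NAS itself.
WEAK_STRATEGY = [
    BackupCopy("local NAS", "nas", False, False, True, True, False, 0),
    BackupCopy("cloud sync folder", "cloud-object-storage", True, False, True, True, True, None),
]


if __name__ == "__main__":
    for label, inventory in (("compliant", COMPLIANT_STRATEGY), ("weak", WEAK_STRATEGY)):
        print(label, "gaps:", gaps(inventory) or "none")
```

Running it reports no gaps for the first inventory and four for the second (too few copies, nothing immutable, an untested copy, and a key stored next to the data). Feeding it your own inventory is a quick way to turn the rule into a standing check that can be re-run after every change to the backup design.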


Finding the Right IT Partner for HIPAA Backup Compliance


Your backup strategy is only as good as the team implementing and monitoring it. An IT partner who understands HIPAA backup requirements should be able to design a compliant 3-2-1-1-0 strategy for your practice, configure encryption on all backup copies, set up automated testing with logged results, and produce written documentation you can show an auditor.


If your current IT provider can’t produce a written backup plan and documented test results on request, that’s a gap worth addressing. Not because an audit is necessarily coming—but because the first time you’ll know your backup doesn’t work is when you need it to.


We manage HIPAA-compliant backup and disaster recovery for medical practices across the Greater St. Louis area. See what’s included on our managed IT for medical and dental practices page or check our pricing for a transparent breakdown of what’s included.


Frequently Asked Questions

Does HIPAA require a specific backup frequency?
HIPAA doesn't specify a required frequency — it requires that you create and maintain retrievable exact copies of ePHI, and that your contingency plan defines your backup procedures. Best practice for most medical practices is daily automated backups for critical systems like EHR and billing. More frequent backups (hourly or continuous replication) may be appropriate if your practice generates high volumes of data or has a low tolerance for data loss. Whatever frequency you choose, document it and stick to it.

Can we use a consumer cloud service like Dropbox or Google Drive for patient data backups?
No. Consumer cloud services don't offer Business Associate Agreements (BAAs), which are required before storing or transmitting patient health information with any third-party vendor. Using Dropbox or a personal Google Drive account to store patient data is a HIPAA violation regardless of encryption settings. HIPAA-compliant backup options include business-grade services that offer BAAs, like Veeam with compliant storage, Datto, Acronis Cyber Backup, or Microsoft Azure Backup with a signed BAA.

What is the difference between a backup and a disaster recovery plan?
A backup is a copy of your data. A disaster recovery plan is the documented process for how your practice restores operations when something goes wrong — which systems get restored first, in what order, by whom, and within what timeframe. HIPAA requires both. A backup without a recovery plan is like having a spare tire without knowing how to change it. The disaster recovery plan defines your recovery time objective (how long restoration should take) and recovery point objective (how much data loss is acceptable), and documents the specific steps staff follow during a crisis.

How long must we keep backup copies of patient records?
HIPAA requires retention of ePHI for six years from the date of its creation, or the date it was last in effect — whichever is later. Missouri state law requires medical records to be retained for a minimum of 10 years for adult patients. Apply the longer standard: your backup retention policy should ensure patient records are recoverable for at least 10 years. This doesn't mean keeping daily backups for 10 years — it means your retention policy allows you to restore a complete patient record if needed within that window.

What happens if we suffer a ransomware attack and can't restore from backup?
A ransomware attack that destroys or encrypts your only backups is a reportable HIPAA breach if patient data was compromised. You're looking at HHS notification, potential patient notification, and possible penalties — on top of the operational crisis of not having working systems. This is exactly why the 3-2-1-1-0 rule includes an immutable copy. If your cloud backup is connected to your network, ransomware can reach it. An air-gapped or immutable backup is the last line of defense that ransomware cannot touch.

Do we need to encrypt backups stored in the cloud?
Yes. All backups containing ePHI must be encrypted, including cloud backups — both while being transferred to the cloud (in transit) and while stored there (at rest). The proposed 2026 HIPAA Security Rule updates make encryption mandatory, removing the previous "addressable" designation that some practices interpreted as optional. Use AES-256 encryption and store your encryption keys separately from the encrypted data. Most HIPAA-compliant backup platforms handle this by default, but verify the configuration with your IT provider.

How do we document HIPAA backup compliance for an audit?
Your HIPAA backup documentation should include: (1) a written data backup plan describing your backup frequency, locations, media types, and responsible parties; (2) a documented disaster recovery plan with recovery time and recovery point objectives; (3) records of backup testing — dates, what was tested, results, and who conducted the test; (4) documentation of your backup encryption configuration; (5) vendor agreements (BAAs) for any cloud backup service. This documentation should be reviewed and updated at least annually as part of your HIPAA security risk analysis.