Skip to main content
Toggle Menu of ADA WebSites
ADA Websites
Toggle Search Area
Toggle Menu

Data Backup and Recovery

Protect Your Patients, Protect Yourself
Disk drive
As dental offices look to store greater amounts of their practice information electronically, a reliable and secure backup method is crucial.

The HIPAA Security Rule, which took effect in April 2003, addresses electronic protected health information (e-PHI). It established national standards to protect individuals’ e-PHI and requires the implementation of administrative, physical, and technical safeguards.

All HIPAA-covered dental practices must have a data backup plan as part of their contingency plans. The data backup plan must include “procedures to create and maintain retrievable exact copies of electronic protected health information.” A covered practice must also be able to restore any loss of data. You may wish to find a service that backs up your data and encrypts it both at rest and in transit. Make sure the encryption methodology meets HIPAA requirements for “secure” e-PHI.

HIPAA requires encryption if after a risk assessment, the covered dental practice has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity, and availability of its e-PHI. If the dental practice chooses not to encrypt data, it must document why not, and must implement an equivalent alternative that is reasonable and appropriate.

Storing a backup offsite can help ensure that, in the event of a natural disaster (fire, tornado, flood, etc.) or theft, electronic dental records will be recoverable. Online backups with automatic incremental backups can assist with maintaining records. If a dental office needs to recover data, the process should be quick and secure and should enable the office to resume normal operations with minimal disruption to patients and the practice.

HIPAA requires written procedures related to the data backup plan and the disaster recovery plan, as well as procedures to enable continuation of critical business processes to protect ePHI security while operating in emergency mode. In addition, a covered dental practice must either implement procedures for periodic testing and revision of contingency plans, or document why such procedures are not reasonable and appropriate and implement an equivalent alternative that is reasonable and appropriate.

Penalties for failure to comply with HIPAA standards can be severe. Penalties for noncompliance are based on the level of negligence and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of up to $1.5 million per year for violations of an identical provision.

If you use a service provider to securely back up your ePHI, make sure you have an up-to-date, HIPAA-compliant business associate agreement in place. Consult with your service provider and make sure that the data is encrypted both at rest and in transit, and that they are meeting HIPAA-compliant standards. More information on HIPAA can be found on the U.S. Department of Health & Human Services (HHS) website. You can also access a security risk assessment tool developed by the Office of the National Coordinator for Health Information Technology (ONC) in collaboration with the HHS Office for Civil Rights.