The Security Rule applies to protected patient health information in electronic formats. This is protected patient information either transmitted by electronic media or maintained on electronic media. Covered entities that maintain or transmit protected health information are required by the Security Rule (see 45 C.F.R. §164.306) to:
• Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
• Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
• Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
• Ensure compliance with this subpart by its workforce.
According to the HIPAA regulations, Covered Entities are allowed to use a flexible approach when implementing the above requirements. Specifically, Covered Entities may use any security measures that allow the Covered Entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
In deciding which security measures to use, a covered entity must take into account the following factors:
• The size, complexity, and capabilities of the covered entity.
• The covered entity’s technical infrastructure, hardware, and software security capabilities.
• The costs of security measures.
• The probability and criticality of potential risks to electronic protected health information.
With this information in mind, organizations must adhere to the Security Rule’s standards and specifications for backing up and safekeeping electronic data. Covered Entities also need to institute a contingency plan to be prepared for an emergency – such as a natural disaster or computer virus attack – that results in a major data loss.
The contingency plan must:
• Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information (Administrative Safeguards - §164.308(a)(7)(i)).
This contingency plan must be implemented as follows:
• Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
• Disaster recovery plan (Required). Establish and implement procedures to restore any loss of data.
• Emergency mode operation plan (Required). Establish and implement procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
Covered Entities must also have certain physical safeguards, such as facility access controls. They must:
• Implement policies and procedures to limit physical access to their electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed (Physical Safeguards - §164.310(a)(1)).
• Establish and implement contingency operations procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency (§164.310(a)(2)(i)).
In addition, Covered Entities must implement specific technical safeguards (§164.312) to, among other things:
• Limit access to electronic protected health information.
• Encrypt and decrypt electronic protected health information.
• Put into place audit controls that record and examine activity in information systems that contain or use electronic protected health information.
• Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
These regulations are in place to ensure that healthcare organizations properly secure their Electronic Protected Health Information (EPHI). Based on these directives, an organization should evaluate its systems and then implement a secure backup, archiving and recovery solution to comply with HIPAA standards.