Please note that HIPAA regulations require a backup and recovery plan that includes a daily offsite backup of your data. This means that, at the very least, you should back up the database containing your patient records and store the backup offsite on a daily basis. In addition, it is usually a good idea to do monthly full backups of your server and store them at an offsite location. These steps will help you get up and running quickly in case of a disaster.
In order to comply with HIPAA requirements, my specific recommendations are listed below.
Weekly/Monthly Full Server Backups:
At a minimum, I recommend a full server backup on a monthly basis. Weekly backups are even better, if possible. In the event of a complete server crash, this, in combination with the latest database backup, should have you up and running in a very short time.
Daily Database Backups:
There are several options you can follow to meet this requirement. Each of these is listed below with a recommended cycle time.
Daily Tape/CD/DVD Backups
If your server has a built-in tape drive, you may want to take this route. In this case, you will have to purchase a minimum of seven tapes, each with the capacity to hold a full daily backup of the database. Each tape is labeled with a day of the week (‘Monday’, ‘Tuesday’, etc.) and inserted into the tape drive on that day. You can set the built-in database backup utility of SQL Server to back up to this media every day at a specified time. The media then needs to be swapped out every day and taken off site. This ensures that you have at least 7 days of database backups available.
Pros of this approach:
- Once the routine is established, you just have to follow it to ensure that you have the backups done.
Cons of this approach:
- This is the slowest backup method
- Tape media (at least in my experience) is not as reliable as using External Hard Drives or CD or DVD media
- This involves the most manual involvement and needs you to swap out and take the media off site every day
- As the backup size grows, you could run into space issues on the media, forcing you to switch to higher capacity media such as external hard drives etc.
- Tape drives are expensive and add to the initial investment
Daily External Hard Drive/Thumb Drive backups
If your server has available USB slots, you may be able to attach compact external USB hard drives or high-capacity thumb drives to use as the backup media. This is easier to use, and you can create a folder on the drive for each day of the week to back up to. You can do the backups using the built-in SQL Server backup utility.
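The daily job described above, sketched in T-SQL as an added example (not from the original article): it writes a full backup into the folder for the current weekday, verifies the file, and then lists the backups recorded in the last 7 days. The database name `PatientRecords`, the drive letter `E:` and the folder layout are assumptions.

```sql
-- Added example. Assumptions (not from the article):
--   database name PatientRecords, external drive mounted as E:,
--   folders E:\Backups\Monday ... E:\Backups\Sunday already exist.
-- DATENAME(weekday, ...) returns English day names only when the
-- session language is English.
DECLARE @db   sysname       = N'PatientRecords';
DECLARE @day  nvarchar(20)  = DATENAME(weekday, GETDATE());
DECLARE @file nvarchar(260) = N'E:\Backups\' + @day + N'\' + @db + N'.bak';
DECLARE @name nvarchar(128) = @db + N' full ' + CONVERT(nvarchar(10), GETDATE(), 120);

BEGIN TRY
    -- INIT overwrites last week's file for this weekday (7-day cycle).
    -- CHECKSUM validates page checksums and stores a checksum for the backup.
    BACKUP DATABASE @db
        TO DISK = @file
        WITH INIT, CHECKSUM, NAME = @name;

    -- Re-read the file and validate it before the drive is taken off site.
    RESTORE VERIFYONLY FROM DISK = @file WITH CHECKSUM;
END TRY
BEGIN CATCH
    -- Re-raise so a scheduled SQL Server Agent job step is marked as failed.
    DECLARE @msg nvarchar(2048) = ERROR_MESSAGE();
    RAISERROR(N'Daily backup failed: %s', 16, 1, @msg);
END CATCH;

-- Check the rotation: one full backup (type 'D') per day is expected here.
-- A missing day means the job did not run or the media was not attached.
SELECT  CONVERT(date, bs.backup_finish_date) AS backup_day,
        bmf.physical_device_name             AS backup_file,
        bs.has_backup_checksums,
        bs.backup_size / 1048576.0           AS size_mb
FROM    msdb.dbo.backupset AS bs
JOIN    msdb.dbo.backupmediafamily AS bmf
        ON bmf.media_set_id = bs.media_set_id
WHERE   bs.database_name = @db
  AND   bs.type = 'D'
  AND   bs.backup_finish_date >= DATEADD(day, -7, GETDATE())
ORDER BY bs.backup_finish_date DESC;
```

Run it as one batch, since the final query reuses the `@db` variable declared at the top.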
Pros of this approach:
Cons of this approach:
- You still need to remember to swap out the drives daily
- Though the media is more reliable, it is still susceptible to failure
- Though your backup may physically be off site, you are opening yourself up to the possibility of misplacing or losing the backup media (a problem with HIPAA Regulations)
Automated Online Backups
This is the third option. Here you install client software on your machine that automatically launches a backup to a remote server over the web. The backup software should be picked carefully to make sure that it meets the encryption requirements for HIPAA.
Pros of this approach:
- The easiest to set up and use – no media to carry, no need to remember to swap anything.
- The backup is physically located on a server hundreds of miles away, insulating your data from a regional disaster.
- The most reliable of the 3 options as far as media stability goes.
- The newest option here is the ‘Open File’ backup, which can back up your database file in open mode to an offsite location. This means you don’t have to take a copy of your local backup file offsite; instead, you send a backup of the open file offsite, possibly more than once a day. This is currently the last word in backups.
Cons of this approach:
- The initial backups will take hours to run. With the right software, the subsequent backups should run in a few minutes a day using 'Bit Patching' or similar technology.
- In the event of a disaster, you will need to contact the server and go through a download process that will again take a few hours.
What do I recommend?
It is my experience that you can never have too much redundancy in data backups. I recommend using at least 2 of the above 3 methods, with automated online backups being one of them. This will serve as your ‘safety net’ in case your primary local backup method fails. The loss of even a small amount of data can be a significant blow to a doctor’s office, resulting in weeks of catch-up work. It is far better to insure against that by building redundancy into your backup plan than to fret about it after the fact.
Naveen V.
www.emr-electronicmedicalrecords.com
DoctorsPartner EMR and PM
Posted Jul 20 2006, 10:28 PM by sanvas