Could Your Practice Pass a HIPAA Audit on Backups? 10-Point Self-Check
DDSArk Editorial
Security & Compliance · DDSArk · Published
Audits rarely fail because a practice had no backups. They fail because the practice could not prove the backups were secure, retained, and recoverable. HIPAA is a documentation regime as much as a technical one, so the difference between passing and scrambling is almost always a folder of evidence you can hand over in minutes.
This is a general educational self-check, not legal advice and not a substitute for a formal HIPAA Security Rule risk analysis. HIPAA also does not "certify" any software product, so be wary of any vendor implying otherwise. Work through the ten questions below the way an auditor would: for each, the goal is to answer "yes, and here is the document."
For the bigger picture on whether moving backups to the cloud even fits HIPAA, start with Is Cloud Backup HIPAA Compliant?.
1. Do you have a signed Business Associate Agreement with your backup provider?
No signed BAA means this point fails outright. Any vendor that stores, transmits, or can access your patients' electronic protected health information (ePHI) is a business associate, and HIPAA requires a written agreement defining their safeguards and breach obligations.
What auditors look for: an executed, current BAA on file for every backup and storage vendor. How to pass: keep signed BAAs in one place and review them when contracts renew. DDSArk signs a HIPAA BAA with covered practices.
2. Is your backup data encrypted in transit and at rest?
It should be both. Auditors expect ePHI to be unreadable to anyone who intercepts it on the wire or steals the storage medium.
What auditors look for: evidence of strong encryption (for example, TLS in transit and AES-256 at rest) and documentation of how keys are managed. Encryption at rest only counts if the keys are held separately from the data and can be used only by authorized identities; a key stored beside the backup it protects gives an attacker who copies the storage both at once. How to pass: confirm your provider encrypts end-to-end, ask where the keys live and who can use them, and note both answers in your security documentation. DDSArk applies HIPAA-aligned encryption in transit and at rest.
3. Are access controls and MFA enforced on the backup system?
Yes is the only passing answer. Encryption protects the data; access controls decide who can touch it.
What auditors look for: unique user accounts, least-privilege roles, and multi-factor authentication on any console that can view, delete, or restore backups. How to pass: remove shared logins, enable MFA for every administrator, and keep an up-to-date list of who has access and why.
4. Does the backup system produce audit logs?
Yes. The HIPAA Security Rule's audit controls standard (45 CFR §164.312(b)) requires mechanisms that record and examine activity in information systems that contain or use ePHI, and a backup system holding patient data is such a system.
What auditors look for: tamper-resistant logs showing who accessed, changed, deleted, or restored data, and evidence someone reviews them. How to pass: enable logging, retain logs, and schedule periodic reviews so anomalies surface before an auditor finds them.
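The "evidence someone reviews them" part is where most log programs fall down, so here is what a periodic review can look like in practice. This is an added example, not DDSArk's tooling or any vendor's export format: it assumes the backup console exports audit events as JSON lines with the field names shown (`ts`, `user`, `action`, `mfa`, `target`), and the sample events are constructed for illustration. The rules it applies are the ones an auditor expects a reviewer to notice: deletions, retention-window changes, restores, and any administrative login made without MFA.

```python
"""Periodic review of backup-system audit logs (added example, not vendor code).

Assumptions: events arrive as JSON lines with fields ts (ISO-8601, UTC),
user, action, mfa (bool) and optional target. Adapt the field names to the
format your backup console actually exports.
"""
import json
from collections import Counter
from datetime import datetime

# Constructed sample log: six events in the assumed JSON-lines format.
SAMPLE_LOG = """\
{"ts":"2024-03-04T08:12:03Z","user":"dr.patel","action":"login","mfa":true}
{"ts":"2024-03-04T08:15:41Z","user":"dr.patel","action":"view","target":"backup-2024-03-03","mfa":true}
{"ts":"2024-03-04T22:47:10Z","user":"it-contractor","action":"login","mfa":false}
{"ts":"2024-03-04T22:49:55Z","user":"it-contractor","action":"delete","target":"backup-2024-02-01","mfa":false}
{"ts":"2024-03-05T09:02:17Z","user":"frontdesk","action":"restore","target":"backup-2024-03-03","mfa":true}
{"ts":"2024-03-05T09:30:00Z","user":"it-contractor","action":"retention_change","target":"policy-default","mfa":false}
"""

# Actions that must always reach the reviewer, whoever performed them.
HIGH_IMPACT = {"delete", "restore", "retention_change"}
# Business hours evaluated on the UTC clock of the timestamps (assumed for the example).
BUSINESS_HOURS = range(7, 19)


def parse_events(text):
    """Parse JSON lines into dicts, skipping blank lines; a malformed line raises."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review(events):
    """Return (severity, message) findings the reviewer signs off on or escalates."""
    findings = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        who = e["user"]
        # Any console login without a second factor is a control failure, not noise.
        if e["action"] == "login" and not e.get("mfa", False):
            findings.append(("high", f"{e['ts']} login by {who} WITHOUT MFA"))
        if e["action"] in HIGH_IMPACT:
            severity = "medium" if e["action"] == "restore" else "high"
            findings.append((severity, f"{e['ts']} {e['action']} of {e.get('target', '?')} by {who}"))
            # Destructive or policy changes at odd hours deserve a second look.
            if ts.hour not in BUSINESS_HOURS:
                findings.append(("medium", f"{e['ts']} {e['action']} by {who} outside business hours"))
    return findings


def summary(events):
    """Per-action counts; useful as the table attached to the signed review record."""
    return Counter(e["action"] for e in events)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("Event counts:", dict(summary(evts)))
    for severity, message in review(evts):
        print(severity.upper(), message)
```

Run it against the sample and it surfaces exactly what a reviewer should escalate here: a contractor logging in without MFA late at night, deleting a backup, and later loosening the retention policy. Keep the printed output, the reviewer's name and the date together as the review record.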
5. Do you keep an immutable, off-site copy?
Yes. A backup that ransomware or a disgruntled user can encrypt or delete is not a reliable safeguard.
What auditors look for: at least one geographically separate copy that cannot be altered or deleted within its retention window (often called immutability or object lock). Check that the lock cannot be shortened or removed with the same credentials that run day-to-day backups; an immutable copy that an administrator can unlock in one click is only as safe as that administrator's account. How to pass: ensure your provider stores an off-site, immutable copy. DDSArk maintains immutable off-site copies.
6. Is your retention period documented and does it meet your state's record law?
Yes, in writing. Backups are useless if you discard data the law still requires you to hold.
What auditors look for: a written retention policy reconciling HIPAA documentation requirements with your state's dental record laws. HIPAA requires certain documentation be retained for six years, but state record-retention rules for patient charts frequently run longer. How to pass: document the longest applicable period and configure retention to match. See How Long Must Dental Practices Keep Patient Records? for state-by-state context.
7. Have you actually tested a restore — recently and on paper?
This is the question that fails the most practices. Owning backups is not the same as proving you can recover from them.
What auditors look for: a dated record of a successful restore test, including what was restored and how long it took. How to pass: run scheduled restore tests and log every one. The Quarterly Restore Test Every Office Should Run gives you a repeatable procedure and a record to keep.
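A restore test produces audit evidence only if it checks that the restored data is intact and leaves a dated record behind. The script below is an added example, not DDSArk's restore procedure or any vendor's format: it assumes the backup carried a manifest of SHA-256 hashes taken at backup time, recomputes the hashes on the restored files, times the check, and appends a JSON record with what was restored, who tested it, how long it took and whether it passed. The directory layout, file names and record fields are assumptions for illustration, and the `demo()` function builds a constructed scenario in a temporary directory so the whole thing runs offline.

```python
"""Restore-test verification with a dated evidence record (added example, not vendor code).

Assumes a manifest of relative path -> SHA-256 captured when the backup was
taken. The restored tree is re-hashed and compared; the result is appended
as one JSON line to an evidence file an auditor can read.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large imaging files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Relative POSIX path -> SHA-256 for every file under root."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restore_root, manifest):
    """Compare the restored tree against the backup-time manifest."""
    restored = build_manifest(restore_root)
    missing = sorted(set(manifest) - set(restored))
    mismatched = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    extra = sorted(set(restored) - set(manifest))
    return {
        "files_expected": len(manifest),
        "files_verified": len(manifest) - len(missing) - len(mismatched),
        "missing": missing, "mismatched": mismatched, "extra": extra,
        "passed": not missing and not mismatched,
    }


def run_restore_test(restore_root, manifest, backup_id, tester, evidence_path):
    """Time the verification and append a dated record to the evidence file."""
    started = time.monotonic()
    result = verify_restore(restore_root, manifest)
    record = {
        "tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "backup_id": backup_id, "tester": tester,
        "duration_seconds": round(time.monotonic() - started, 3),
        **result,
    }
    with open(evidence_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(record) + "\n")
    return record


def demo():
    """Constructed scenario: one clean restore, then one with a corrupted chart file."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "source")
        (src / "charts").mkdir(parents=True)
        (src / "images").mkdir()
        (src / "charts" / "patient-0001.xml").write_text("<chart id='0001'/>")
        (src / "images" / "xray-0001.bin").write_bytes(bytes(range(256)))
        manifest = build_manifest(src)            # captured at backup time

        good = Path(tmp, "restore-good")          # faithful restore
        shutil.copytree(src, good)
        bad = Path(tmp, "restore-bad")            # restore with a damaged file
        shutil.copytree(src, bad)
        (bad / "charts" / "patient-0001.xml").write_text("<chart id='0001' truncated/>")

        evidence = Path(tmp, "restore-tests.jsonl")
        r_good = run_restore_test(good, manifest, "backup-2024-03-03", "office-manager", evidence)
        r_bad = run_restore_test(bad, manifest, "backup-2024-03-03", "office-manager", evidence)
        return r_good, r_bad


if __name__ == "__main__":
    for record in demo():
        print(json.dumps(record, indent=2))
```

The second record is the one that matters for the quarterly drill: a restore that "completed" but left a chart file altered is a failed test, and the record says so with the file path, which is far more useful to an auditor than a screenshot of a green checkmark.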
8. Does your written risk analysis actually cover backups?
Yes — explicitly. A risk analysis that ignores how backups are stored, encrypted, and accessed leaves an obvious hole.
What auditors look for: a documented, periodically updated risk analysis that names backup systems as part of your ePHI environment, with identified risks and mitigations. How to pass: when you update your risk analysis, include backup storage, transmission, vendor access, and recovery as in-scope assets.
9. Do you have a breach-notification plan that includes backup data?
Yes. Knowing what to do before an incident is the difference between a managed response and a penalty.
What auditors look for: a written incident-response and breach-notification procedure with defined timelines and responsibilities. The HIPAA Breach Notification Rule requires individual notification without unreasonable delay and no later than 60 calendar days after discovery, so the plan needs a clock that starts the day an incident is found. The cost of getting this wrong is real: Indiana's Westend Dental settled for $350,000 in part over a delayed breach notification. How to pass: document who investigates, who notifies, and on what timeline, and rehearse it.
10. Is your workforce trained on backup and ePHI handling?
Yes, and documented. Most breaches trace back to people, not technology.
What auditors look for: records that staff received and acknowledged training relevant to data protection, including backups and recovery roles. How to pass: train new hires, refresh annually, and keep signed acknowledgments on file.
Scoring your self-check: Ten yeses with documents attached means you are in strong shape. Any "no" — or any "yes, but I can't find the proof" — is exactly the gap an auditor would flag. The fix is rarely new software; it is closing the documentation and testing loop.
If this surfaced gaps, the most leveraged next step is usually the restore test, because it is the most commonly missing piece of evidence and the one that matters most when you actually need your data back.
Key takeaways
- HIPAA audits of backups usually fail on missing documentation and untested restores, not on the absence of backups.
- Every vendor that can access your ePHI needs a signed BAA on file before anything else counts.
- Encryption in transit and at rest, access controls with MFA, audit logs, and an immutable off-site copy form the technical core auditors expect.
- Your retention policy must be written down and reconciled with both HIPAA and your state's dental record laws.
- A dated, successful restore test is the single most commonly missing piece of evidence.
- This is educational guidance only — it does not replace a formal HIPAA risk analysis or legal counsel.
Frequently asked questions
Does passing this self-check make my practice HIPAA compliant?
No. This is a general educational tool to surface obvious gaps. HIPAA compliance requires a formal, documented risk analysis and ongoing safeguards, and HIPAA does not certify any software product. Treat a clean self-check as a good sign, not as proof of compliance.
What is the most common backup-related audit failure?
The inability to show a recent, successful, documented restore test, followed by a risk analysis that never mentions backups. Many practices have backups running but no evidence they can actually recover data or that they reviewed the associated risks.
Do I really need a BAA just for cloud backup?
Yes. Any vendor that stores, transmits, or can access your patients' ePHI is a business associate, and HIPAA requires a written business associate agreement. DDSArk signs a HIPAA BAA with covered practices.
How long do I have to keep backup data?
HIPAA requires certain documentation be retained for six years, but state dental record-retention laws often require patient charts be kept longer. Document the longest applicable period and configure retention to match it.
Related reading
- Is Cloud Backup HIPAA Compliant? Cloud backup can be HIPAA compliant when a vendor signs a BAA and supports required safeguards, and the practice configures and uses it correctly.
- How Long Must Dental Practices Keep Patient Records? State-by-State (HIPAA & Compliance). HIPAA doesn't set how long dental records must be kept; your state does. Here's how retention works, why minors are special, and what it means for backups.
- The Quarterly Restore Test Every Office Should Run (Strategy & Mistakes). An untested backup is only a hypothesis. Here is the step-by-step quarterly restore drill that turns it into proof your dental practice can recover.