In January 2017, a HIPAA-covered Texas clinic learned that someone had stolen an unencrypted external hard drive from a locked closet inside the clinic. The clinic used that drive to back up patients’ protected health information (PHI), so it held seven years’ worth of data, including names, dates of birth, driver’s license numbers, SSNs, medical record numbers, diagnoses, lab test results, and medications.
Where did the clinic go wrong? Locking the drive in a closet protects it only from people who cannot get into the closet. It does nothing once someone who can open that closet, an insider included, walks off with the drive, and the data on an unencrypted drive is readable by whoever ends up holding it. That’s why you must examine not only where you keep your data but how it is protected there. You may use a cloud service, a local server, or a physical hard drive. Regardless of where you keep it, HIPAA requires you to protect the confidentiality, integrity, and availability of all PHI in your possession, including backup data.
The best defense against inappropriate data access is to encrypt every device and system that houses PHI, backup media included. Under the HIPAA Security Rule, however, encryption and decryption are “addressable” implementation specifications rather than “required” ones. Addressable does not mean optional: you must implement encryption if it is reasonable and appropriate for your environment, and if you conclude that it is not, you must document why and implement an equivalent alternative measure (45 CFR 164.306(d)(3)). Is it reasonable and appropriate to use encryption? Most likely, it is. If not, what is the alternative, and why is it equivalent? You will answer and document these questions during your security risk analysis.
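Deciding that encryption is appropriate is only half the job; you also need a repeatable way to confirm that the drives actually holding PHI are encrypted. The script below is an added example, not code from the original article or from any clinic. It assumes a Linux host and the JSON produced by `lsblk -J -o NAME,TYPE,MOUNTPOINT` from util-linux, walks the block-device tree, and reports every mounted filesystem that has no dm-crypt (LUKS) layer beneath it. The device names and mount points in `SAMPLE_LSBLK` are constructed for illustration: an internal disk whose root sits on LUKS, a plaintext `/boot` partition, and an external backup drive mounted in the clear, which is exactly the case the clinic story describes.

```python
"""Flag mounted filesystems that are not backed by a dm-crypt (LUKS) layer.

Added example, not from the original article. Assumes Linux and the JSON
output of `lsblk -J -o NAME,TYPE,MOUNTPOINT`. The device names and mount
points in SAMPLE_LSBLK are constructed for illustration.
"""
import json
import subprocess
from typing import Iterator

# Constructed sample: sda2 -> cryptroot -> / is encrypted, /boot is a plain
# partition, and the external backup drive sdb1 is mounted with no encryption.
SAMPLE_LSBLK = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": null, "children": [
      {"name": "sda1", "type": "part", "mountpoint": "/boot"},
      {"name": "sda2", "type": "part", "mountpoint": null, "children": [
        {"name": "cryptroot", "type": "crypt", "mountpoint": "/"}
      ]}
    ]},
    {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
      {"name": "sdb1", "type": "part", "mountpoint": "/mnt/backup"}
    ]}
  ]
}
"""


def _walk(devices: list, encrypted_ancestor: bool = False) -> Iterator[tuple]:
    """Yield (name, mountpoint, encrypted) for every node in the lsblk tree.

    A node counts as encrypted if it or any ancestor is a dm-crypt device,
    so LVM volumes stacked on top of LUKS inherit the flag from the crypt node.
    """
    for dev in devices:
        encrypted = encrypted_ancestor or dev.get("type") == "crypt"
        yield dev["name"], dev.get("mountpoint"), encrypted
        yield from _walk(dev.get("children", []), encrypted)


def plaintext_mounts(lsblk_json: str) -> list:
    """Return (device, mountpoint) pairs that are mounted without an encryption layer."""
    tree = json.loads(lsblk_json)["blockdevices"]
    return [
        (name, mnt)
        for name, mnt, encrypted in _walk(tree)
        if mnt and not encrypted
    ]


def main() -> None:
    # Live run against the current host; requires util-linux's lsblk.
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
        capture_output=True, text=True, check=True,
    ).stdout
    for name, mnt in plaintext_mounts(out):
        print(f"WARNING: {mnt} on {name} has no dm-crypt layer")


if __name__ == "__main__":
    main()
```

On the constructed sample the check reports `sda1` at `/boot` and `sdb1` at `/mnt/backup`; the second is the finding that matters, since that is where the backups live. Two caveats: the check proves only that a dm-crypt layer exists under the mount, not that the key is strong or stored away from the drive, and it is Linux-specific. On Windows hosts the equivalent question is answered by `manage-bde -status`, which reports the BitLocker state of each volume.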