I am not a dentist, but I am hoping to get some feedback on whether any
of the dentists that lurk in this group use remote backup as their
method of backing up their data.
In order for you to comply with HIPAA, your data needs to be encrypted
and stored off-site, yet immediately retrievable. How is that possible
if you send tapes off site, or CDs off site? If you keep them in your
office, then you're not HIPAA compliant.
I just wanted to get your thoughts.
Thank you ...
Scott Watson
Acme Data, LLC
Remote Backup Service
www.acmedatallc.com
inquiry@acmedatallc.com
billkatz - 12 Apr 2006 15:22 GMT
AFAIK, here's how the security rule reads:
http://www.cms.hhs.gov/SecurityStandard/Downloads/securityfinalrule.pdf
The standards are based on generally accepted security procedures,
existing industry standards and guidelines, and recommendations
contained in the National Research Council’s 1997 report For The
Record: Protecting Electronic Health Information, Chapter 6. We also
consulted extensively with experts in the field of security throughout
the health care industry. The standards are consistent with generally
accepted security principles and practices that are already in
widespread use. Data backup need not result in increased access to that
data. Backups should be stored in a secure location with controlled
access. The appropriate secure location and access control will vary,
based upon the security needs of the covered entity. For example, a
procedure as simple as locking backup diskettes in a safe place and
restricting who has access to the key may be suitable for one entity,
whereas another may need to store backed-up information off-site in a
secure computer facility. The information provided in security
awareness training heightens awareness of security anomalies and helps
to prevent security incidents.
----
Most experts in the field agree that a small medical or dental practice
can meet *45 CFR Parts 160, 162, and 164, Health Insurance Reform:
Security Standards; Final Rule* by keeping backups in a secure place
like a locked fireproof safe while hospitals and such will need the
services of a data center.

billkatz
Alexander Vasserman DDS - 13 Apr 2006 06:25 GMT
Where do you get this idea????
All that is needed is a business associate non-disclosure or privacy
agreement document signed by the data back-up service.
Use common sense; remember, it's a rare gift from above.
> I am not a dentist, but I am hoping to get some feedback on whether any
> of the dentists that lurk in this group use remote backup as their
[quoted text clipped - 14 lines]
> www.acmedatallc.com
> inquiry@acmedatallc.com