Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science

POLICY # 23 ADMINISTRATIVE MANUAL APPROVED BY:

DISASTER RECOVERY PLAN
POLICY # 23
ADMINISTRATIVE MANUAL
APPROVED BY:
ADOPTED:
SUPERCEDES POLICY:
REVISED:
REVIEWED:
DATE:
REVIEW:
PAGE:
HIPAA Security
Rule Language:
“Establish (and implement as needed) procedures to restore any loss of
data.”
Policy Summary:
Sindecuse Health Center (SHC) must create and document a disaster
recovery plan to recover its information systems if they are impacted by a
disaster. SHC workforce members must receive regular training and
awareness on the disaster recovery plan. All appropriate workforce
members must have a current copy of the plan and an appropriate number
of current copies of the plan must be kept off-site.
Purpose:
This policy reflects SHC’s commitment to implement a disaster recovery
plan to recover its information systems if they are impacted by a disaster.
Policy:
1. SHC must create and document a disaster recovery plan to recover its
information systems if they are impacted by a disaster. The plan must be
reviewed regularly and revised as necessary.
2. At a minimum, the recovery plan must include:







The conditions for activating the plan.
Identification and definition of SHC workforce member
responsibilities.
Resumption procedures (manual and automated) which describe
the actions to be taken to return SHC information systems to
normal operations within required time frames.
The order in which information systems will be recovered.
Notification and reporting procedures.
Procedure(s) for allowing appropriate employees physical access
to SHC facilities so that they can implement recovery procedures
in the event of a disaster.
A maintenance schedule that specifies how and when the plan
Page 1 of 3
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
DISASTER RECOVERY PLAN
will be tested, as well as the process for maintaining the plan.
3. Appropriate] workforce members must receive regular training on the
disaster recovery plan.
4. All appropriate workforce members must have a current copy of the
plan and an appropriate number of current copies of the plan must be kept
off-site.
Scope/Applicability: This policy is applicable to all departments that use or disclose electronic
protected health information for any purposes.
This policy’s scope includes all electronic protected health information,
as described in Definitions below.
Regulatory
Category:
Administrative Safeguards
Regulatory Type:
REQUIRED Implementation Specification for Contingency Plan
Standard
Regulatory
Reference:
45 CFR 164.308(a)(7)(ii)(B)
Definitions:
Electronic protected health information means individually identifiable
health information that is:


Transmitted by electronic media
Maintained in electronic media
Electronic media means:
(1) Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the
internet (wide-open), extranet (using internet technology to link a
business with information accessible only to collaborating parties), leased
lines, dial-up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not
considered to be transmissions via electronic media, because the
information being exchanged did not exist in electronic form before the
Page 2 of 3
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
DISASTER RECOVERY PLAN
transmission.
Information system means an interconnected set of information resources
under the same direct management control that shares common
functionality. A system normally includes hardware, software,
information, data, applications, communications, and people.
Workforce member means employees, volunteers, and other persons
whose conduct, in the performance of work for a covered entity, is under
the direct control of such entity, whether or not they are paid by the
covered entity. This includes full and part time employees, affiliates,
associates, students, volunteers, and staff from third party entities who
provide service to the covered entity.
Disaster means an event that causes harm or damage to SHC information
systems. Disasters include but are not limited to: earthquake, fire,
extended power outage, equipment failure, or a significant computer
virus outbreak.
Facility means the physical premises and the interior and exterior of a
building(s).
Responsible
Department:
Information Systems
Policy Authority/
Enforcement:
SHC’s Security Official is responsible for monitoring and enforcement of
this policy, in accordance with Procedure # (TBD).
Related Policies:
Contingency Plan
Data Backup Plan
Emergency Mode Operation Plan
Testing and Revision Procedure
Applications and Data Criticality Analysis
Renewal/Review:
This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the event that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.
Procedures:
TBD
Page 3 of 3
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
Related documents
Project rough draft template
Project rough draft template
DISASTER RECOVERY TOOLKIT REALITY CHECK CHECKLIST
DISASTER RECOVERY TOOLKIT REALITY CHECK CHECKLIST
F. Incident Report
F. Incident Report
POLICY # 30 ADMINISTRATIVE MANUAL APPROVED BY:
POLICY # 30 ADMINISTRATIVE MANUAL APPROVED BY:
Download