DATA BACKUP AND STORAGE
POLICY # 40
ADMINISTRATIVE MANUAL
APPROVED BY:
ADOPTED:
SUPERSEDES POLICY:
REVISED:
REVIEWED:
DATE:
REVIEW:
PAGE:
HIPAA Security Rule Language:
“Create a retrievable, exact copy of EPHI, when needed, before
movement of equipment.”
Policy Summary:
All EPHI on Sindecuse Health Center (SHC) information systems and
electronic media must be regularly backed up and securely stored.
Backup and restoration procedures must be regularly tested.
Purpose:
This policy reflects SHC’s commitment to back up and securely store all
EPHI on its information systems and electronic media.
Policy:
1. Backup copies of all EPHI on SHC electronic media and information
systems must be made regularly. This includes both EPHI received by
SHC and created within SHC.
2. Information systems and electronic media for which this policy
applies include, but are not limited to, computers (both desktop and
laptops), floppy disks, backup tapes, CD-ROMs, zip drives, portable hard
drives and PDAs.
3. SHC must have adequate backup systems that ensure that all such
EPHI can be recovered following a disaster or media failure. These
systems must be regularly tested.
4. Backup of EPHI on SHC information systems and electronic media,
together with accurate and complete records of the backup copies and
documented restoration procedures, must be stored in a secure remote
location, at a sufficient distance from SHC facilities to escape damage
from a disaster at SHC.
5. Backup copies of EPHI stored at secure remote locations must be
accessible to authorized SHC employees for timely retrieval of the
information.
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
6. The backup media containing EPHI at the remote backup storage site
must be given an appropriate level of physical and environmental
protection consistent with the standards applied to EPHI physically at
SHC.
7. Backup and restoration procedures for SHC electronic media and
information systems containing EPHI must be regularly tested to ensure
that they are effective and that they can be completed within a reasonable
amount of time.
8. The retention period for backup of EPHI on SHC information systems
and electronic media and any requirements for archive copies to be
permanently retained must be defined and documented.
Scope/Applicability: This policy is applicable to all departments that use or disclose electronic
protected health information for any purposes.
This policy’s scope includes all electronic protected health information,
as described in Definitions below.
Regulatory Category:
Physical Safeguards
Regulatory Type:
ADDRESSABLE Implementation Specification for Device and Media
Controls Standard
Regulatory Reference:
45 CFR 164.310(d)(2)(iv)
Definitions:
Electronic protected health information means individually identifiable
health information that is:
• Transmitted by electronic media
• Maintained in electronic media
Electronic media means:
(1) Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the
internet (wide-open), extranet (using internet technology to link a
business with information accessible only to collaborating parties), leased
lines, dial-up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not
considered to be transmissions via electronic media, because the
information being exchanged did not exist in electronic form before the
transmission.
Information system means an interconnected set of information resources
under the same direct management control that shares common
functionality. A system normally includes hardware, software,
information, data, applications, communications, and people.
Backup means creating a retrievable, exact copy of data.
Restoration means the retrieval of files previously backed up and
returning them to the condition they were in at the time of backup.
Responsible Department:
Information Systems
Policy Authority/Enforcement:
SHC’s Security Official is responsible for monitoring and enforcement of
this policy, in accordance with Procedure # (TBD).
Related Policies:
Device and Media Controls
Media Re-use
Disposal
Accountability
Renewal/Review:
This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the event that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.
Procedures:
TBD