DATA BACKUP AND STORAGE POLICY # 40
ADMINISTRATIVE MANUAL

APPROVED BY:
ADOPTED:
SUPERSEDES POLICY:
REVISED:
REVIEWED:
DATE:
REVIEW:
PAGE:

HIPAA Security Rule Language:
"Create a retrievable, exact copy of EPHI, when needed, before movement of equipment."

Policy Summary:
All EPHI on Sindecuse Health Center (SHC) information systems and electronic media must be regularly backed up and securely stored. Backup and restoration procedures must be regularly tested.

Purpose:
This policy reflects SHC's commitment to backing up and securely storing all EPHI on its information systems and electronic media.

Policy:
1. Backup copies of all EPHI on SHC electronic media and information systems must be made regularly. This includes both EPHI received by SHC and EPHI created within SHC.
2. Information systems and electronic media to which this policy applies include, but are not limited to, computers (both desktops and laptops), floppy disks, backup tapes, CD-ROMs, zip drives, portable hard drives and PDAs.
3. SHC must have adequate backup systems that ensure that all such EPHI can be recovered following a disaster or media failure. These systems must be regularly tested.
4. Backups of EPHI on SHC information systems and electronic media, together with accurate and complete records of the backup copies and documented restoration procedures, must be stored in a secure remote location, at a sufficient distance from SHC facilities to escape damage from a disaster at SHC.
5. Backup copies of EPHI stored at secure remote locations must be accessible to authorized SHC employees for timely retrieval of the information.
6. The backup media containing EPHI at the remote backup storage site must be given an appropriate level of physical and environmental protection consistent with the standards applied to EPHI physically at SHC.
7. Backup and restoration procedures for SHC electronic media and information systems containing EPHI must be regularly tested to ensure that they are effective and that they can be completed within a reasonable amount of time.
8. The retention period for backups of EPHI on SHC information systems and electronic media, and any requirements for archive copies to be permanently retained, must be defined and documented.

Scope/Applicability:
This policy is applicable to all departments that use or disclose electronic protected health information for any purpose. This policy's scope includes all electronic protected health information, as described in Definitions below.

Regulatory Category: Physical Safeguards
Regulatory Type: ADDRESSABLE Implementation Specification for Device and Media Controls Standard
Regulatory Reference: 45 CFR 164.310(d)(2)(iv)

Definitions:
Electronic protected health information means individually identifiable health information that is:
    (1) Transmitted by electronic media; or
    (2) Maintained in electronic media.

Electronic media means:
    (1) Electronic storage media, including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or
    (2) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.

Information system means an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.

Backup means creating a retrievable, exact copy of data.

Restoration means the retrieval of files previously backed up and returning them to the condition they were in at the time of backup.

Responsible Department: Information Systems

Policy Authority/Enforcement:
SHC's Security Official is responsible for monitoring and enforcement of this policy, in accordance with Procedure # (TBD).

Related Policies:
    Device and Media Controls
    Media Re-use
    Disposal
    Accountability

Renewal/Review:
This policy is to be reviewed annually to determine whether it complies with current HIPAA Security regulations. In the event that significant related regulatory changes occur, the policy will be reviewed and updated as needed.

Procedures: TBD

Copyright 2003 Phoenix Health Systems, Inc. Limited rights granted to licensee for internal use only. All other rights reserved.