POLICY # 22 DATA BACKUP PLAN ADMINISTRATIVE MANUAL APPROVED BY: ADOPTED: SUPERCEDES POLICY: REVISED: REVIEWED: DATE: REVIEW: PAGE: HIPAA Security Rule Language: “Establish and implement procedures to create and maintain retrievable exact copies of EPHI.” Policy Summary: All EPHI on Sindecuse Health Center (SHC) information systems and electronic media must be regularly backed up and securely stored. Backup and restoration procedures must be regularly tested. Purpose: This policy reflects SHC’s commitment to backup and securely store all EPHI on its information systems and electronic media. Policy: 1. SHC must have a formal, documented backup plan for its information systems. At a minimum, the plan must: Identify information systems and electronic media to be backed up. Provide a backup schedule. Identify where backup media are stored and who may access them. Outline restoration procedures. Identify who is responsible for ensuring the backup of information systems and electronic media. 2. Backup copies of all EPHI on SHC electronic media and information systems must be made regularly. This includes both EPHI received by SHC and created within SHC. 3. Information systems and electronic media for which this policy applies include, but are not limited to, computers (both desktop and laptops), floppy disks, backup tapes, CD-ROMs, zip drives, portable hard drives and PDAs. 4. SHC must have adequate backup systems that ensure that all EPHI can Page 1 of 4 Copyright 2003 Phoenix Health Systems, Inc. Limited rights granted to licensee for internal use only. All other rights reserved. DATA BACKUP PLAN be recovered following a disaster or media failure. These systems must be regularly tested. 5. Backup of EPHI on SHC information systems and electronic media, together with accurate and complete records of the backup copies and documented restoration procedures, must be stored in a secure remote location, at a sufficient distance from the facility to escape damage from a disaster at or near SHC. 6. Backup copies of EPHI stored at a secure, remote location must be accessible to authorized SHC employees for prompt retrieval of the information. 7. The backup media containing EPHI at the remote backup storage site must be given an appropriate level of physical and environmental protection consistent with the standards applied to EPHI physically at SHC. 8. Restoration procedures for SHC electronic media and information systems containing EPHI must be regularly tested to ensure that they are effective and that they can be completed within the time allotted in SHC’s disaster recovery plan. 9. The retention period for backup of EPHI on SHC information systems and electronic media and any requirements for archive copies to be permanently retained must be defined and documented. 10. Risk analysis should be used to determine and document the maximum amount of loss that may occur if backup of SHC information systems and electronic media is disrupted. Such analysis should be used to determine if all appropriate and reasonable measures are being used to backup SHC information systems and electronic media. Scope/Applicability: This policy is applicable to all departments that use or disclose electronic protected health information for any purposes. This policy’s scope includes all electronic protected health information, as described in Definitions below. Regulatory Category: Administrative Safeguards Regulatory Type: REQUIRED Implementation Specification for Contingency Plan Standard Regulatory 45 CFR 164.308(a)(7)(ii)(A) Page 2 of 4 Copyright 2003 Phoenix Health Systems, Inc. Limited rights granted to licensee for internal use only. All other rights reserved. DATA BACKUP PLAN Reference: Definitions: Electronic protected health information means individually identifiable health information that is: Transmitted by electronic media Maintained in electronic media Electronic media means: (1) Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or (2) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission. Information system means an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people. Access means the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource. Backup means creating a retrievable, exact copy of data. Restoration means the retrieval of files previously backed up and returning them to the condition they were at the time of backup. Responsible Department: Information Systems Policy Authority/ Enforcement: SHC’s Security Official is responsible for monitoring and enforcement of this policy, in accordance with Procedure # (TBD). Related Policies: Contingency Plan Disaster Recovery Plan Page 3 of 4 Copyright 2003 Phoenix Health Systems, Inc. Limited rights granted to licensee for internal use only. All other rights reserved. DATA BACKUP PLAN Emergency Mode Operation Plan Testing and Revision Procedure Applications and Data Criticality Analysis Renewal/Review: This policy is to be reviewed annually to determine if the policy complies with current HIPAA Security regulations. In the event that significant related regulatory changes occur, the policy will be reviewed and updated as needed. Procedures: TBD Page 4 of 4 Copyright 2003 Phoenix Health Systems, Inc. Limited rights granted to licensee for internal use only. All other rights reserved.