POLICY # 22
DATA BACKUP PLAN
ADMINISTRATIVE MANUAL
APPROVED BY:
ADOPTED:
SUPERSEDES POLICY:
REVISED:
REVIEWED:
DATE:
REVIEW:
PAGE:
HIPAA Security Rule Language:
“Establish and implement procedures to create and maintain retrievable
exact copies of EPHI.”
Policy Summary:
All EPHI on Sindecuse Health Center (SHC) information systems and
electronic media must be regularly backed up and securely stored.
Backup and restoration procedures must be regularly tested.
Purpose:
This policy reflects SHC’s commitment to back up and securely store all
EPHI on its information systems and electronic media.
Policy:
1. SHC must have a formal, documented backup plan for its information
systems. At a minimum, the plan must:
   - Identify information systems and electronic media to be backed
     up.
   - Provide a backup schedule.
   - Identify where backup media are stored and who may access
     them.
   - Outline restoration procedures.
   - Identify who is responsible for ensuring the backup of
     information systems and electronic media.
2. Backup copies of all EPHI on SHC electronic media and information
systems must be made regularly. This includes both EPHI received by
SHC and created within SHC.
3. Information systems and electronic media for which this policy
applies include, but are not limited to, computers (both desktop and
laptops), floppy disks, backup tapes, CD-ROMs, zip drives, portable hard
drives and PDAs.
4. SHC must have adequate backup systems that ensure that all EPHI can
be recovered following a disaster or media failure. These systems must be
regularly tested.
5. Backup of EPHI on SHC information systems and electronic media,
together with accurate and complete records of the backup copies and
documented restoration procedures, must be stored in a secure remote
location, at a sufficient distance from the facility to escape damage from a
disaster at or near SHC.
6. Backup copies of EPHI stored at a secure, remote location must be
accessible to authorized SHC employees for prompt retrieval of the
information.
7. The backup media containing EPHI at the remote backup storage site
must be given an appropriate level of physical and environmental
protection consistent with the standards applied to EPHI physically at
SHC.
8. Restoration procedures for SHC electronic media and information
systems containing EPHI must be regularly tested to ensure that they are
effective and that they can be completed within the time allotted in
SHC’s disaster recovery plan.
9. The retention period for backup of EPHI on SHC information systems
and electronic media and any requirements for archive copies to be
permanently retained must be defined and documented.
10. Risk analysis should be used to determine and document the
maximum amount of loss that may occur if backup of SHC information
systems and electronic media is disrupted. Such analysis should be used
to determine if all appropriate and reasonable measures are being used to
back up SHC information systems and electronic media.
Scope/Applicability: This policy is applicable to all departments that use or disclose electronic
protected health information for any purposes.
This policy’s scope includes all electronic protected health information,
as described in Definitions below.
Regulatory Category:
Administrative Safeguards
Regulatory Type:
REQUIRED Implementation Specification for Contingency Plan Standard
Regulatory Reference:
45 CFR 164.308(a)(7)(ii)(A)
Definitions:
Electronic protected health information means individually identifiable
health information that is:
   - Transmitted by electronic media
   - Maintained in electronic media
Electronic media means:
(1) Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the
internet (wide-open), extranet (using internet technology to link a
business with information accessible only to collaborating parties), leased
lines, dial-up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not
considered to be transmissions via electronic media, because the
information being exchanged did not exist in electronic form before the
transmission.
Information system means an interconnected set of information resources
under the same direct management control that shares common
functionality. A system normally includes hardware, software,
information, data, applications, communications, and people.
Access means the ability or the means necessary to read, write, modify, or
communicate data/information or otherwise use any system resource.
Backup means creating a retrievable, exact copy of data.
Restoration means the retrieval of files previously backed up and
returning them to the condition they were in at the time of backup.
Responsible Department:
Information Systems
Policy Authority/Enforcement:
SHC’s Security Official is responsible for monitoring and enforcement of
this policy, in accordance with Procedure # (TBD).
Related Policies:
Contingency Plan
Disaster Recovery Plan
Emergency Mode Operation Plan
Testing and Revision Procedure
Applications and Data Criticality Analysis
Renewal/Review:
This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the event that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.
Procedures:
TBD
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.