HIPAA - Data Backup and Storage 164.310(d)(2)(iv)

Overview:
Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.


Action Items:
1) Obtain and review policies and procedures related to data backup and storage procedures. Evaluate the content relative to the specified performance criteria to determine whether the policies and procedures cover creating a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment. Identify:
- When ePHI data backups will be conducted;
- The type of data that will be backed up;
- How data will be backed up, including the use of encryption and encryption key management, if applicable;
- The backup data mechanism/solution;
- How backup data is secured;
- How and where backup ePHI data is physically stored and secured;
- Workforce members' roles and responsibilities in the data backup and storage process;
- How frequently data backups are reviewed or assessed to verify media reliability and data integrity.
2) Obtain and review documentation demonstrating how ePHI data is backed up for equipment being moved to another location. Evaluate and determine whether the ePHI data backup process is appropriate and in accordance with the entity's data backup plan and/or procedures.
3) Obtain and review documentation demonstrating how ePHI data backups for moved equipment are stored. Evaluate and determine whether the backup data is stored in a location with minimal vulnerabilities and appropriate safeguards, and whether the confidentiality, integrity, and availability of the ePHI data are protected from security threats.
4) Obtain and review documentation demonstrating the restoration of ePHI data backups for moved equipment. Evaluate and determine whether the procedure is in accordance with backup plans and/or procedures; whether failures of data backups and restorations are properly documented; and, if necessary, what corrective actions have been taken.
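The four action items above describe one procedure: take an exact copy before the equipment moves, store it, and prove it can be restored. The following added example (not part of the audit protocol, and not any covered entity's tooling) shows how an engineer can produce evidence for items 2 through 4 by writing a SHA-256 manifest of the source tree, copying the tree, and checking both the copy and a later restore against that manifest, so that a silently corrupted or missing file is detected rather than assumed good. The directory names and the "patient" sample files are constructed for the demonstration; encryption of the copy at rest, which item 1 calls for where applicable, is a separate step layered on top of this check.

```python
"""Added example: create and verify a retrievable, exact copy of a directory
before equipment is moved.  Sample files and paths are constructed; this is
not the audit protocol's own tooling."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_exact_copy(src: Path, dst: Path) -> dict:
    """Hash the source, copy the tree, and keep the manifest beside the copy.

    The manifest is the evidence that the copy is 'exact': it was computed from
    the source before the equipment moved and can be re-checked at any time."""
    manifest = build_manifest(src)
    shutil.copytree(src, dst)  # creates parent directories as needed
    (dst.parent / (dst.name + ".manifest.json")).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_against_manifest(manifest: dict, root: Path) -> dict:
    """Report files that are missing, unexpected, or whose content changed."""
    actual = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "extra": sorted(set(actual) - set(manifest)),
        "changed": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
    }


def is_exact(report: dict) -> bool:
    """True only when the tree matches the manifest in every respect."""
    return not (report["missing"] or report["extra"] or report["changed"])


def run_demo() -> dict:
    """Back up a constructed workstation tree, verify the copy, restore it to a
    fresh location, then show that a corrupted restore is flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "workstation"  # assumed: the drive about to be moved
        (source / "records").mkdir(parents=True)
        (source / "records" / "patient-0001.txt").write_text("constructed sample record\n")
        (source / "records" / "patient-0002.txt").write_text("another constructed record\n")
        (source / "notes.txt").write_text("constructed clinical note\n")

        backup = tmp / "backup" / "workstation-copy"
        manifest = create_exact_copy(source, backup)
        backup_report = verify_against_manifest(manifest, backup)

        # Restoration test (action item 4): restore somewhere new and re-verify.
        restore = tmp / "restored"
        shutil.copytree(backup, restore)
        restore_report = verify_against_manifest(manifest, restore)

        # Simulate silent corruption of one restored file; the digest check must catch it.
        (restore / "records" / "patient-0002.txt").write_text("corrupted\n")
        tampered_report = verify_against_manifest(manifest, restore)

        return {
            "files_in_manifest": len(manifest),
            "backup_exact": is_exact(backup_report),
            "restore_exact": is_exact(restore_report),
            "tampered_exact": is_exact(tampered_report),
            "tampered_changed": tampered_report["changed"],
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Keeping the manifest outside the copied tree (next to it, not inside it) means the manifest itself never appears as an "extra" file during verification, and a copy of the manifest retained with the move documentation gives an auditor something to re-run against the stored backup later, which is the kind of periodic integrity check action item 1 asks about.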


Related Documents:
1) Policies and procedures related to data backup and storage procedures.
2) Documentation demonstrating how ePHI data is backed up for equipment being moved to another location.
3) Documentation demonstrating how ePHI data backups for moved equipment are stored.
4) Documentation demonstrating the restoration of ePHI data backups for moved equipment.


Additional Guidance:
This specification protects the availability of ePHI and is similar to the Data Backup Plan implementation specification for the contingency plan standard of the Administrative Safeguards, which requires covered entities to implement procedures to create and maintain retrievable, exact copies of ePHI. Therefore, both implementation specifications may be included in the same policies and procedures. A covered entity may choose to back up a hard drive before moving it to prevent loss of ePHI when the existing data backup plan does not provide for local hard drive backups. Another option may be to limit where computer users store their files. For example, larger organizations may implement policies that require users to save all information on the network, thus eliminating the need for a hard drive backup prior to the move. Either of these options, and others, may be considered reasonable and appropriate solutions, depending on the covered entity's environment.


Sample questions for covered entities to consider:
- Is a process implemented for creating a retrievable, exact copy of ePHI, when needed, before movement of equipment?
- Does the process identify the situations in which creating a retrievable, exact copy of ePHI is required before movement of equipment, and those in which it is not?
- Does the process identify who is responsible for creating a retrievable, exact copy of ePHI before movement of equipment?