HIPAA - Data Backup Plan 164.308(a)(7)(ii)(A)
Overview:
Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
Action Items:
1) Obtain and review policies and procedures related to data back-up plans. Evaluate and determine whether data back-up procedures exist that establish strategies for creating and maintaining retrievable exact copies of EPHI should the entity experience an emergency or other occurrence. Elements to review may include but are not limited to:
- How frequently data backups will be conducted
- The type of data that will be backed up
- How data will be backed up, including the use of encryption and encryption key management, if applicable
- The backup data mechanism/solution
- How backup data will be secured
- Physical location of backup media
- Workforce members' roles and responsibilities in the data backup process
- How frequently data backups will be reviewed or assessed for verification of media reliability and data integrity
2) Obtain and review documentation demonstrating how data is backed up. Evaluate and determine whether the data backup process creates exact copies of EPHI.
3) Obtain and review documentation demonstrating data backup and restoration tests. Evaluate and determine if test procedures are in accordance with data backup plans and/or procedures; that test results are properly documented; that test results are reviewed and certified by appropriate management; and, if necessary, that corrective actions have been taken.
4) Obtain and review documentation of critical EPHI applications and their assigned criticality levels. Evaluate and determine if application criticality levels were assessed and categorized based on importance to business needs or patient care, in order to prioritize for data backup, disaster recovery, and emergency operations plans.
5) Obtain and review documentation of the procedures regarding how EPHI applications (data applications that store, maintain or transmit EPHI) are identified. Evaluate and determine whether all critical EPHI applications are identified.
Related Documents:
1) Policies and procedures related to data back-up plans.
2) Documentation demonstrating how data is backed up.
3) Documentation demonstrating data backup and restoration tests.
4) Documentation of critical ePHI applications and their assigned criticality levels.
5) Documentation of the procedures regarding how ePHI applications (data applications that store, maintain or transmit ePHI) are identified.
Additional Guidance:
Most covered entities may already have backup procedures as part of current business practices. Data backup plans are an important safeguard for all covered entities and a required implementation specification.
Sample questions for covered entities to consider:
- What is the EPHI that must be backed up?
- Does the plan include all important sources of data such as patient accounting systems, electronic medical records, health maintenance and case management information, digital recordings of diagnostic images, electronic test results, or any other electronic documents created or used?
- Has the organization considered the various methods of backups, including tape, disk, or CD?
- Does the backup plan include storage of backups in a safe, secure place?
- Is the organization’s frequency of backups appropriate for its environment?