HIPAA - Disaster Recovery Plan 164.308(a)(7)(ii)(B)
Overview:
Establish (and implement as needed) procedures to restore loss of data.
Action Items:
1) Obtain and review documentation related to a disaster recovery plan. Review and determine if appropriate procedures for restoring any loss of data have been incorporated into the disaster recovery plan.
2) Obtain and review procedures for restoring lost data. Evaluate if the procedures include all important sources of data. Elements to review may include but are not limited to:
   - Workforce members' roles and responsibilities in the process of restoring lost data
   - Determination of what data will be restored
   - Step-by-step process of how data will be restored
   - Identify occurring events (e.g., disruption, compromise, failure) that require data restoration
   - Timeframe of data restoration
   - How frequently data restorations will be tested or assessed for verification of media reliability and data integrity
3) Obtain and review documentation of data restore tests and test results. Evaluate and determine if test procedures are in accordance with data restore plans and/or procedures; that test results are properly documented; that test results are reviewed and certified by appropriate management; and, if necessary, corrective actions have been taken.
Related Documents:
1) Documentation related to a disaster recovery plan.
2) Documented procedures for restoring lost data.
3) Documentation of data restore tests and test results.
Additional Guidance:
Some covered entities may already have a general disaster plan that meets this requirement; however, each entity must review the current plan to ensure that it allows them to recover EPHI.
Sample questions for covered entities to consider:
- Does the disaster recovery plan address issues specific to the covered entity’s operating environment?
- Does the plan address what data is to be restored?
- Is a copy of the disaster recovery plan readily accessible at more than one location?