This policy is listed for reference only and should be reviewed with your lawyer before implementing them into daily practice. We are not lawyers and are not providing any legal advice. View our legal disclaimer.

Contingency Plan – Data Backup Plan

Reference: 45 CFR § 160.308(a)
Last Updated: April 24, 2024


Goal: Establish and implement procedures to create and maintain identical copies of ePHI. A medium other than the primary systems shall be available to retrieve the copies.

The purpose of this policy is to delineate organizational procedures used to regularly back up and securely store ePHI.


Procedure: The Security Manager must ensure timely response to potential threats. It is also critical that the following procedures take place whenever a potential is identified.

  • The computer system shall be backed up on a daily basis.
    • Systems have been programmed to perform back-ups automatically.
    • Back-ups are presently protected by physical and software security in order to prevent unauthorized disclosures.
    • Back-ups are stored in off-site locations and access to them is limited to the Security Manager, the System Manager and selected maintenance personnel.
    • Data backed-up shall be tested every three months, or after changes in hardware or software have been implemented, to ensure functionality.
    • When a used backup tape is no longer needed the Security Manager or its designated representative will destroy the contents of the backup tape completely and will dispose of the tape.
  • Secondary Storage/Archival of File Systems
    • File system backups shall be performed to assist in the restoration process after a security incident, system crash, hardware/software failure or catastrophic failure.
    • File system backups shall be transferred onto removable media that can be stored separately.
    • A backup solution shall adequately copy file systems and databases files onto storage media. Backup and recovery solutions will allow for the complete restoration of the systems prior to a catastrophic failure with little loss of data.
    • Individual backup solutions will have the capability to verify that data stored on media is accurate and complete. Errors will be logged and reported to the Security Manager for corrective action.
    • Media used for storage will be serviced and verified to be effective at regular intervals.
  • Documentation and Source Code Libraries
    • Documentation of hardware/software configurations and diagrams shall be maintained to allow for resumption of operations after a hardware/software failure. Copies of documentation shall be complete and up-to-date.
    • A hardcopy of software source code, libraries, and diagrams should be maintained for disaster recovery activities. Storage media containing installed software should also be maintained.
    • Documentation and storage media shall be up-to-date and clearly identified.
  • Off-site storage of archives
    • Copies of documentation, procedures, restoration plans, maintenance agreements and file system archives shall be maintained off-site to allow for the resumption of operations after a catastrophic failure.
    • All copies should be complete and up-to-date.

Adequate security safeguards shall be used to prevent unauthorized access to information while in off-site storage.

Simplify Your Compliance with
Software and Guided Coaching
Let your patients and clients know that you take HIPAA seriously with the HIPAA Seal of Compliance for your website, storefront, and marketing materials.

Get instant access to HIPAA Compliance News and Updates

You'll get your first checklist as soon as you sign up!

overlapping hands

Our Mission

To safeguard medical data by providing secure, reliable, and fully HIPAA-compliant hosting solutions, enabling healthcare professionals to focus on their primary mission of providing care.
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram