Device and Media Control Data Backup and Storage Policy

The purpose of the Device and Media Control Data Backup and Storage Policy is to establish guidelines for appropriately dispose of information systems and electronic media containing ePHI when it is no longer needed.

Creating a retrievable, exact copy of EEPHI, when needed, before movement of equipment

Definitions

Device: For the purposes of this policy devices are considered to be electronic hardware (including but not limited to workstations, personal computers, servers, laptops, copiers, fax machines, and handheld units) with storage capability to record and save ePHI. Storage Media: Including but not limited to disk drives, tapes, floppy disks, CD’s, zip disks, flash cards, USB memory sticks, optical disks, and hard copies.

Covered Entities and Business Associates must ensure that a proper backup is created before any device can be moved from its location. A covered entity should address threats to the confidentiality, integrity and availability of EPHI on equipment being moved and during storage.

Note: Electronically stored information can be lost, damaged, or destroyed if stored improperly or when equipment is moved. in its information security risk assessment.

The Security Officer or its designated representative shall ensure that a retrievable, exact copy of electronic protected health information is created before movement of devices with ePHI.

Prior to moving any device with ePHI the Security Officer must:

1. Verify move has been authorized,
2. Create backup of information,
3. Verify backup and stability of environment where data has been copied,
4. Document responsible party for device while in transit,
5. Document where backup stored (or to whom it was provided)
6. Obtain signature of individual that completed the back up
7. Document backup date and movement date
8. Document restoration date
9. Verify accuracy of restored data
10. Document person responsible for restoration
11. Document system where data has been restored

All media used for backing up ePHI shall be stored in a physically secure environment, such as a secure, off-site storage facility or, if backup media remains on site, in a physically secure location, different from the location of the computer systems it backed up [i.e., in a location that protects the backups from loss or environmental damage].

If an off-site storage facility or backup service is used, a Business Associate Agreement must be used to ensure that the Business Associate will safeguard the ePHI in an appropriate manner. Stored data must be accessible and retrievable at all times.

When reusable media such as tapes are used as the back up media refer to the “Device, Media, and Paper Record Sanitization for Disposal or Reuse” policy.

Documentation of backup testing, or restore logs, will be maintained and capture the date and time the data was restored. Operational procedures for backup, recovery, and testing should be documented and periodically reviewed.

Security Officer shall make all reasonable and prudent efforts to control media entering and leaving the organization. Workforce members shall be trained to recognize that media containing ePHI is handled in a manner to protect the confidentiality of the data contained on it. Media that contains PHI that is no longer useful or useable should be sanitized consistent with the “Device, Media, Disposal or Reuse” policy.

Sanctions

• Failure to back up a system in the absence of a system failure is a violation of this policy and may result in corrective disciplinary action, up to and including termination of employment.
• Violation of this policy and its procedures by workforce members may result in corrective disciplinary action, up to and including termination of employment.
• Violation of this policy and procedures by others, including providers, providers' offices, business associates and partners may result in termination of the relationship and/or associated privileges.