The purpose of the Device and Media Control Data Backup and Storage Policy is to establish guidelines for appropriately disposing of information systems and electronic media containing ePHI when they are no longer needed.
Creating a retrievable, exact copy of ePHI, when needed, before movement of equipment
Device: For the purposes of this policy, devices are considered to be electronic hardware (including but not limited to workstations, personal computers, servers, laptops, copiers, fax machines, and handheld units) with storage capability to record and save ePHI.
Storage Media: Including but not limited to disk drives, tapes, floppy disks, CDs, zip disks, flash cards, USB memory sticks, optical disks, and hard copies.
Covered Entities and Business Associates must ensure that a proper backup is created before any device can be moved from its location. A covered entity should address threats to the confidentiality, integrity, and availability of ePHI on equipment being moved and during storage in its information security risk assessment.
Note: Electronically stored information can be lost, damaged, or destroyed if stored improperly or when equipment is moved.
The Security Officer or its designated representative shall ensure that a retrievable, exact copy of electronic protected health information is created before movement of devices with ePHI.
Prior to moving any device with ePHI, the Security Officer must:
All media used for backing up ePHI shall be stored in a physically secure environment, such as a secure, off-site storage facility or, if backup media remains on site, in a physically secure location, different from the location of the computer systems it backed up [i.e., in a location that protects the backups from loss or environmental damage].
If an off-site storage facility or backup service is used, a Business Associate Agreement must be used to ensure that the Business Associate will safeguard the ePHI in an appropriate manner. Stored data must be accessible and retrievable at all times.
When reusable media such as tapes are used as the backup media, refer to the “Device, Media, and Paper Record Sanitization for Disposal or Reuse” policy.
Documentation of backup testing, including restore logs, will be maintained and must capture the date and time the data was restored. Operational procedures for backup, recovery, and testing should be documented and periodically reviewed.
The Security Officer shall make all reasonable and prudent efforts to control media entering and leaving the organization. Workforce members shall be trained to recognize media containing ePHI and to handle it in a manner that protects the confidentiality of the data it contains. Media containing PHI that is no longer useful or usable should be sanitized consistent with the “Device, Media, Disposal or Reuse” policy.