DRAFT

Version #8: 4/19/05

Based on Final Privacy & Security Rules

HIPAA COW

ADMINISTRATIVE WORKGROUP POLICY/PROCEDURE

DATA MANAGEMENT AND BACKUP POLICY

Disclaimer

This document is Copyright © 2005 by the HIPAA Collaborative of Wisconsin (“HIPAA COW”). It may be freely redistributed in its entirety provided that this copyright notice is not removed. It may not be sold for profit or used in commercial documents without the written permission of the copyright holder. This document is provided “as is” without any express or implied warranty. This document is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney. HIPAA COW has not yet addressed all state pre-emption issues related to this document. Therefore, this may need to be modified in order to comply with Wisconsin law.

****

Table of Contents:

Policy:

Responsible for Implementation:

Applicable To:

Key Definitions:

Procedures:

1) Data Backup

2) Moving Media

3) Documentation

Authors:

Attachments to Policy:

Reviewed By:

Applicable Standards/Regulations:

APPENDIX 1: DATA RESTORE LOG

APPENDIX 2: MOVING MEDIA LOG

Policy:

<Organization> establishes and implements procedures to create and maintain retrievable exact copies of electronic protected health information. 164.308(a)(7)(ii)(A). The policy and procedures will assure that complete, accurate, retrievable, and tested back-ups are available for all information systems used by <Organization>.

<Organization> creates a retrievable exact copy of electronic protected health information (ePHI) before movement of equipment. <Organization> maintains a record of movements of hardware and electronic media containing ePHI and any person responsible therefore. <Organization> utilizes these procedures to track the movement of hardware and electronic media containing ePHI in accordance with the standards set forth in the HIPAA Security Rule, 164.310(d)(2)(iii-iv).

Data back up and the correct storage of backup media are an important part of the day-to-day operations of <ORGANIZATION>’s information security. To protect the confidentiality, integrity, and availability of ePHI, the organization completes backups to assure that data remains available when it is needed. Established guidelines and defined standards for accountability of hardware and electronic media containing ePHI further provide the confidentiality and security of ePHI.

Responsible for Implementation:

It is the responsibility of the Security Officer [or Information Systems (IS) Department, or Information Security Officer, or other assigned] to implement this policy.

Applicable To:

The IS Department and/or any other department [or individual] that purchases, moves, maintains, and/or creates equipment or media capable of storing or transmitting ePHI. Note: Backups are generally performed by the information systems department in a larger organization. Small organizations should delegate an individual to perform this task.

Failure to back up a system in the absence of a system failure is a violation of this policy and may result in corrective disciplinary action, up to and including termination of employment. Violation of this policy and its procedures by workforce members may result in corrective disciplinary action, up to and including termination of employment. Violation of this policy and procedures by others, including providers, providers' offices, business associates and partners may result in termination of the relationship and/or associated privileges. Violation may also result in civil and criminal penalties as determined by federal and state laws and regulations.

Key Definitions:

Backup: The process of making an electronic copy of data stored in a computer system. This can either be complete, meaning all data and programs, or incremental, including just that data which changed from the previous backup.

Electronic Media: Any tape, magnetic disk, optical disk, or other electronic device able to store ePHI.

Electronic Protected Health Information (ePHI): Any individually identifiable health information protected by HIPAA that is transmitted by or stored in electronic media.

Hardware: Any computing device able to create and store ePHI. This includes diagnostic instruments that can store ePHI but may not be physically connected to <organization>’s network.

Off-Site: For the purpose of storage of back up media, off-site is defined as any location separate from the building in which the back up was created. It must be physically separate from the creating site. The environment for off-site storage must meet storage standards established by the manufacturer of the back up media.

Procedures:

1) Data Backup:

a) Perform at a minimum a [daily] backup of all systems that create, store, or transmit ePHI [as specified by the software vendor]. The vendor may specify a full back up, an incremental back up, or may not specify. Note: each organization needs to determine which is appropriate. A different back up strategy may be appropriate for each system within the organization. In the event the system does not allow an electronic backup, the organization develops a different method to create a copy of the ePHI, or completes an analysis delineating alternate solutions for compliance (such as a printed copy).

i) Designate IS department workforce members (or others as deemed appropriate) to complete the backups.

ii) Train individual(s) assigned to complete backups and manage the backup media.

b) Document backups completed.

i) Site/location name

ii) Name of the system

iii) Type of data

iv) Date & time of backup

v) Where backup stored (or to whom it was provided)

vi) Signature of individual that completed the back up

c) Store backups in a manner which protects them from loss or environmental damage. Note: at a minimum store back up media in a fireproof locked safe. This can be either on site or for smaller organizations at an area financial institution or the home of an employee.

d) Periodically store backups off-site (as deemed appropriate).

e) When reusable media such as tapes are used as the back up media, refer to the Destruction, Disposal, & Re-Use of PHI Media policy. For example, set up a rotational schedule such as rotating tapes weekly. As another example, tape over the tape created on a Monday on the following Monday. This provides a full week of back up tapes in the event of a need to recover from the tape.

f) Test backups and document that files have been completely and accurately restored from the back up media. See Appendix 1 for a sample restore log. Note: specific details on how to restore files will be specified by software manufacturers and are followed in accordance with these specifications.

2) Moving Media:

a) Any workforce member that acquires any new hardware or media that stores or processes ePHI records the following on the Moving Media Log (refer to Appendix 2):

i) model name

ii) serial number

iii) date received

iv) department or individual to whom assigned

v) location of department/unit where housed

b) Prior to moving hardware or media that stores or processes ePHI to a new location, back up a retrievable copy of the ePHI.

i) The head of the receiving department/unit (or other individual as deemed appropriate) records receipt on the Moving Media Log (refer to Appendix 2).

ii) The individual(s) that creates the backup also manages the backup media as described above in Data Backup.

c) Forward all completed logs to the Security Officer to maintain.

d) When hardware is taken out of service, dispose of it in accordance with the policy on destruction of media: Destruction, Disposal & Reuse of PHI Media [164.310(d)(2)(i-ii)].

e) It is not possible or economically practical to control all media that enter and leave an organization. The organization makes all reasonable and prudent efforts to control media entering and leaving the organization. <Organization> trains its workforce to recognize that media containing ePHI is handled in a manner to protect the confidentiality of the data contained on it. Destroy any media that has at any time contained ePHI at the end of its useful life following the policy on destruction of media: Destruction, Disposal & Reuse of PHI Media [164.310(d)(2)(i-ii)].

3) Documentation:

a) Maintain all documentation required by this policy for a period of six years from the date of creation or the date when it was last in effect, whichever is later [164.105(c)(1-2)].

Authors:

  • HIPAA COW Administrative Workgroup

Attachments to Policy:

  • Appendix 1: Restore Log
  • Appendix 2: Moving Media Log

Reviewed By:

  • HIPAA COW Physical Security Workgroup
  • HIPAA COW Administrative Security Workgroup

Applicable Standards/Regulations:

  • 45 CFR 164.308(a)(7)(ii)(A) Data Backup Plan
  • 45 CFR 164.310(d)(2)(iii) Accountability
  • 45 CFR 164.310(d)(2)(iv) Data Backup and Storage

______

Copyright © 2005 HIPAA COW


APPENDIX 1: DATA RESTORE LOG

Date / File name / Requestor / Reason for Restore / Responsible Person / Problems? If So, What?

APPENDIX 2: MOVING MEDIA LOG

Date / Model Name / Serial Number / Department Location (Current) / Department Location (New, if applicable) / Retrievable Copy Made / Head of Department
