In our series on the HIPAA Administrative Simplification Security Rule, Device and Media Controls is the fourth and last Physical Safeguard standard. Data Backup and Storage is the fourth and last of its four implementation specifications, and it is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must assess whether the specification is a reasonable and appropriate safeguard in its environment and, if so, implement it; if not, it must document why and implement an equivalent alternative measure where that is reasonable and appropriate. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.
What to Do
A covered entity should create a retrievable, exact copy of electronic protected health information, when needed, before moving electronic hardware or media upon which the electronic protected health information is stored.
How to Do It
The Security Official of the covered entity should ensure that an exact copy of electronic protected health information is created and validated before the electronic hardware or media on which it is stored is moved. Validation means confirming that the copy is complete and can actually be read back, for example by restoring it to scratch storage and comparing it file by file against the originals; a copy that has never been restored is not known to be retrievable. The copy should be stored in a secure environment off site from the covered entity’s physical facility and kept apart from the hardware being moved, so that a single accident in transit cannot destroy both. The copy should be readily retrievable if the hardware or electronic media is damaged in the move, or in the event that the covered entity needs to recover from a contingency or disaster. Again, the scale and size of the covered entity play a role in how this implementation specification is carried out, with the particulars an outcome of the covered entity’s risk analysis.
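As an added example, not from HIPAA.com or from the Security Rule itself, the following POSIX shell script shows the “create and validate” step for a directory of files before the hardware holding them is moved. It writes a tar archive plus a manifest of per-file SHA-256 digests, then validates the copy by restoring the archive into scratch space and checking every digest. The functions make_copy and verify_copy, the directory names and the file contents are all constructed for illustration; the script assumes GNU tar and the coreutils sha256sum are installed.

```shell
#!/bin/sh
# Added example (not from HIPAA.com): create an exact copy of a directory of
# ePHI and validate it before the hardware is moved. Names and contents below
# are constructed for illustration; assumes GNU tar and coreutils sha256sum.

# abspath PATH: absolute form of PATH (parent directory must exist).
abspath() {
    printf '%s/%s\n' "$(cd "$(dirname "$1")" && pwd)" "$(basename "$1")"
}

# make_copy SRC_DIR DEST_DIR
# Writes DEST_DIR/ephi-copy.tar (the exact copy) and
# DEST_DIR/ephi-copy.sha256 (a manifest of SHA-256 digests of the originals).
make_copy() {
    src=$1
    mkdir -p "$2"
    dest=$(abspath "$2")
    # Digest the originals with paths relative to SRC_DIR, so the manifest
    # can be checked wherever the archive is later restored.
    ( cd "$src" && find . -type f -exec sha256sum {} + | sort -k 2 ) \
        > "$dest/ephi-copy.sha256"
    # tar preserves names, modes and timestamps: an exact copy, not a
    # re-encoded one.
    tar -C "$src" -cf "$dest/ephi-copy.tar" .
}

# verify_copy ARCHIVE MANIFEST
# Restores ARCHIVE into a scratch directory and recomputes every digest.
# Returns 0 only if every file listed in MANIFEST restores byte for byte;
# a missing, truncated or altered file makes the check fail.
verify_copy() {
    archive=$(abspath "$1")
    manifest=$(abspath "$2")
    scratch=$(mktemp -d)
    status=1
    if tar -C "$scratch" -xf "$archive" \
        && ( cd "$scratch" && sha256sum -c --quiet "$manifest" ); then
        status=0
    fi
    rm -rf "$scratch"
    return "$status"
}

# Demonstration on a constructed sample tree.
demo_src=$(mktemp -d)
demo_dest=$(mktemp -d)
printf 'MRN 0001 constructed sample record\n' > "$demo_src/record-0001.txt"
mkdir "$demo_src/images"
printf 'constructed image bytes\n' > "$demo_src/images/scan-0001.bin"

make_copy "$demo_src" "$demo_dest"
if verify_copy "$demo_dest/ephi-copy.tar" "$demo_dest/ephi-copy.sha256"; then
    echo "copy verified against the originals; safe to move the hardware"
else
    echo "copy does NOT match the originals; do not move the hardware" >&2
fi
rm -rf "$demo_src" "$demo_dest"
```

Keep the manifest with the move log, because the same verify_copy run can be repeated after the hardware arrives, which is the practical meaning of “readily retrievable.” The manifest check detects altered, truncated or missing files in the copy; it does not flag extra files, which is acceptable here since the goal is that every original is recoverable. On systems without GNU coreutils, substitute the local SHA-256 tool (for example shasum -a 256) in both functions.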