
Physical Safeguard Standard, Device and Media Controls: Data Backup and Storage Implementation Specification - What to Do and How to Do It

May 22, 2009 · HIPAA Law

In our series on the HIPAA Administrative Simplification Security Rule, Device and Media Controls is the fourth and last Physical Safeguard Standard. Data Backup and Storage is the fourth and last of four implementation specifications, and it is addressable. Remember, addressable does not mean "optional." Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.

What to Do

A covered entity should create a retrievable, exact copy of electronic protected health information, when needed, before moving electronic hardware or media upon which the electronic protected health information is stored.

How to Do It

The Security Official of the covered entity should ensure that an exact copy of electronic protected health information is created and validated before the electronic hardware or media on which it is stored is moved. The copy of the electronic protected health information should be stored in a secure environment off site from the covered entity's physical facility. The copy should be readily retrievable if the hardware or electronic media is damaged in moving, or if the covered entity needs to recover from a contingency or disaster. Again, the scale and size of the covered entity play a role in how this implementation is carried out, with the particulars an outcome of the covered entity's risk analysis.

Tags: 2009, 2010, addressable, American Recovery and Reinvestment Act, ARRA, business associates, contingency, covered entity, data backup and storage, device and media controls, disaster recovery, electronic hardware, electronic media, electronic protected health information, February 17, HITECH Act, implementation specification, physical facility, physical safeguard standard, President Obama, Security Official, Security Rule