164.310(d)(2)(iv) Standard: Device and media controls – Data backup and storage
(2) Implementation specifications:
(iv) Data backup and storage (Addressable). Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
Tell Me More:
The Data Backup and Storage implementation specification requires the covered entity and business associate to create an exact retrievable copy of electronic protected health information, when needed, before movement of equipment.
Several sections of the Final Rule address the need for backing up data, e.g., the Contingency Plan standard. When equipment is to be moved, a documented process should be in place to prepare for problems, and a current backup of the information on that equipment should be made before the move. Data may also be lost or corrupted during the move itself – hence a good data backup plan is important.
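As an added illustration (not from the regulation or from any vendor policy), the following Python script makes a pre-move copy, records a SHA-256 hash of each original file, and then re-reads the copy to confirm it is both exact and retrievable; the directory names and the two sample records are constructed for the example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large records need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def backup_before_move(src: Path, dst: Path) -> dict:
    """Copy every file under src into dst; return {relative path: SHA-256 of the ORIGINAL}."""
    manifest = {}
    for f in src.rglob("*"):
        if f.is_file():
            rel = f.relative_to(src).as_posix()
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(f, target)          # copy2 keeps timestamps as well as content
            manifest[rel] = sha256_of(f)
    return manifest

def verify_backup(dst: Path, manifest: dict) -> list:
    """Re-read the copy; return paths that are missing or differ from the original.
    An empty list means the copy is exact and every file can still be read back."""
    problems = []
    for rel, expected in manifest.items():
        f = dst / rel
        if not f.is_file() or sha256_of(f) != expected:
            problems.append(rel)
    return problems

def demo() -> tuple:
    """Constructed sample: back up two dummy records, verify, then simulate damage in transit."""
    root = Path(tempfile.mkdtemp())
    src, dst = root / "workstation", root / "backup"
    (src / "lab").mkdir(parents=True)
    (src / "patient_001.txt").write_text("constructed sample record A\n")
    (src / "lab" / "result.csv").write_text("id,value\n1,42\n")
    manifest = backup_before_move(src, dst)
    clean = verify_backup(dst, manifest)            # expected: []
    (dst / "lab" / "result.csv").write_text("id,value\n1,99\n")  # simulate corruption
    damaged = verify_backup(dst, manifest)          # expected: ['lab/result.csv']
    return clean, damaged
```

The verification step is the part that makes the copy "retrievable" in practice: a backup that is never read back has not been shown to exist.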
Questions to consider:
- What data (systems, files, directories, folders) should be backed up when equipment is moved?
- Are backups done before movement?
- Who is responsible/authorized to retrieve the media?
Related guidance:
- NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, Chapter 14
- NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems
- NIST SP 800-34, Contingency Planning Guide for Information Technology Systems
- NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations