§164.308(a)(7)(ii)(A): Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
Audit Inquiry
Does the entity have policies and procedures in place to create and maintain retrievable exact copies of ePHI?
Does the entity create and maintain retrievable exact copies of ePHI?
Obtain and review policies and procedures related to data back-up plans. Evaluate and determine whether data back-up procedures exist that establish strategies for creating and maintaining retrievable exact copies of ePHI should the entity experience an emergency or other occurrence.
Elements to review may include but are not limited to:
• How frequently data backups will be conducted
• The type of data that will be backed up
• How data will be backed up, including the use of encryption and encryption key management, if applicable
• The backup data mechanism/solution
• How backup data will be secured
• Physical location of backup media
• Workforce members’ roles and responsibilities in the data backup process
• How frequently data backups will be reviewed or assessed for verification of media reliability and data integrity
Obtain and review documentation demonstrating how data is backed up. Evaluate and determine whether the data backup process creates exact copies of ePHI.
Obtain and review documentation demonstrating data backup and restoration tests. Evaluate and determine if test procedures are in accordance with data backup plans and/or procedures; that test results are properly documented; that test results are reviewed and certified by appropriate management; and, if necessary, that corrective actions have been taken.
Required/Addressable
Required