§164.310(d)(2)(iv): Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
Audit Inquiry
Does the entity have policies and procedures in place to create a retrievable, exact copy of ePHI when needed, before movement of equipment?
Does the entity create a retrievable, exact copy of ePHI when needed, before movement of equipment?
Obtain and review policies and procedures related to data backup and storage procedures. Evaluate the content relative to the specified performance criteria to determine whether policies and procedures cover creating a retrievable exact copy of electronic protected health information, when needed, before movement of equipment.
Elements to review may include but are not limited to:
• When ePHI data backups will be conducted
• The type of data that will be backed up
• How data will be backed up, including the use of encryption and encryption key management, if applicable
• Backup data mechanism/solution
• How backup data is secured
• Identification of how and where backup ePHI data is physically stored and secured
• Workforce members’ roles and responsibilities in the data backup and storage process
• How frequently data backups are reviewed or assessed for verification of media reliability and data integrity
Obtain and review documentation demonstrating how ePHI data is backed up for equipment being moved to another location. Evaluate and determine if the ePHI data backup process is appropriate and is in accordance with the entity’s data backup plan and/or procedures.
Obtain and review documentation demonstrating how ePHI data backups for moved equipment are stored. Evaluate and determine if the backup data is stored in a location with minimum vulnerabilities and appropriate safeguards, and that the confidentiality, integrity, and availability of the ePHI data are protected from security threats.
Obtain and review documentation demonstrating the restoration of ePHI data backups for moved equipment. Evaluate and determine if the procedure is in accordance with backup plans and/or procedures; if failures of data backups and restorations are properly documented; and if necessary, what corrective actions have been taken.
Has the entity chosen to implement an alternative measure?
If yes, obtain and review entity documentation of why it has determined that the implementation specification is not a reasonable and appropriate safeguard and what equivalent alternative measure has been implemented instead.
Evaluate documentation and assess whether the alternative measure implemented is equivalent to the protections afforded by the implementation specification.
Required/Addressable: Addressable