In our series on the HIPAA Administrative Simplification Security Rule, this is the first implementation specification for the Administrative Safeguard Standard (Contingency Plan). This implementation specification is required. As HIPAA.com has noted in earlier postings, with enactment of the American Recovery and Reinvestment Act of 2009 (ARRA) on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010.
What to Do
Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
How to Do It
Covered entities must back up electronic protected health information on a regular basis. When a computer system fails, it is usually straightforward to reinstall computer programs and recover software applications. It is far harder to recover or recreate electronic data that have been lost from damaged files, or from files whose names have become detached from the underlying data.
A covered entity should consult with its computer and software vendors on implementing appropriate data backup routines. Prudence dictates keeping a backup copy offsite, away from the covered entity’s premises, even if the covered entity’s software provides exact-copy backup capability or it has an onsite data safe that is fire resistant and designed to protect electronic media from damage due to magnetism, heat, water, and air-borne contaminants such as smoke and dust. An onsite safe protects against some hazards, but not against an event that destroys or denies access to the whole facility.
A covered entity’s choice of a backup system will depend on the size of the covered entity and the number of its business locations. Each facility is required to have its own backup plan implementation, which may be part of an overall covered entity strategy. A large covered entity may use a complex procedure, such as real-time encrypted replication or periodic batch transfer of duplicate copies to a secure offsite location. A small covered entity might do a daily tape, CD, or DVD backup and maintain the electronic media offsite in a secure location. Whatever the method, the specification calls for copies that are both exact and retrievable, so the plan should include periodically restoring data from the backup and confirming that the restored data match the originals; a backup that has never been restored is an untested assumption. Outputs of the risk analysis will provide guidance on the type of data backup plan, which should be reviewed periodically. In that review, the covered entity should take into consideration that electronic data storage capacities grow and the relative costs of such storage decline. It should also bear in mind that the penalties for failure under the Security Rule were increased as part of the HITECH provisions in the American Recovery and Reinvestment Act (ARRA) signed by President Obama on February 17, 2009.
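The following is an added example, not code from HIPAA.com or from any vendor product the posting refers to. It shows one way to make "exact copies" and "retrievable" verifiable in practice: a SHA-256 manifest is recorded when the backup set is created, and a test restore is checked against that manifest so that a modified, missing, or stray file is reported rather than silently accepted. The directory names, file names, and file contents are constructed sample data for illustration only; the manifest should be stored separately from the backup media it describes, since a manifest that travels with corrupted media may be corrupted with it.

```python
"""Record a hash manifest for a backup set and verify that a restored copy is exact.

Added illustration for the HIPAA data backup plan specification; the paths and
contents below are constructed sample data, not real ePHI.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CHUNK_SIZE = 1 << 20  # read files in 1 MiB blocks so large databases fit in memory


def sha256_file(path: Path) -> str:
    """Hex SHA-256 digest of a file, computed incrementally."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (relative POSIX path) under root to its size and SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = {"size": path.stat().st_size, "sha256": sha256_file(path)}
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest recorded at backup time.

    Returns lists of relative paths that are ok, modified (size or hash differs),
    missing from the restore, or present in the restore but absent from the manifest.
    """
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, meta in manifest.items():
        path = restored_root / rel
        if not path.is_file():
            result["missing"].append(rel)
        elif path.stat().st_size != meta["size"] or sha256_file(path) != meta["sha256"]:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    for path in sorted(restored_root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(restored_root).as_posix()
            if rel not in manifest:
                result["unexpected"].append(rel)
    return result


def demo() -> tuple:
    """Build a constructed backup set, then verify one clean and one damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "ehr"  # hypothetical application data directory
        (source / "patients").mkdir(parents=True)
        (source / "patients" / "records.db").write_bytes(b"constructed sample record data " * 1000)
        (source / "audit.log").write_text("constructed sample audit line\n" * 50)

        # Manifest is serialised to JSON so it can be kept apart from the media.
        manifest = json.loads(json.dumps(build_manifest(source)))

        # Clean restore: every file present and bit-for-bit identical.
        good = tmp / "restore_good"
        shutil.copytree(source, good)
        good_result = verify_restore(manifest, good)

        # Damaged restore: one flipped byte (same size), one file lost, one stray file.
        bad = tmp / "restore_bad"
        shutil.copytree(source, bad)
        db = bad / "patients" / "records.db"
        data = db.read_bytes()
        db.write_bytes(data[:-1] + bytes([data[-1] ^ 0xFF]))
        (bad / "audit.log").unlink()
        (bad / "patients" / "stray.tmp").write_text("x")
        bad_result = verify_restore(manifest, bad)

    return good_result, bad_result


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore:", clean)
    print("damaged restore:", damaged)
```

The size check is deliberately kept alongside the hash: it catches truncated files cheaply, while the hash catches the same-size corruption that a size or timestamp comparison would miss. A matching manifest proves the copy is bit-exact; it does not prove the application can open it, so the periodic restore test should still load the restored data into the application itself.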