×
  •  
  •  

Data Management

6.0 Data Management Policy

iDialogs has procedures to create and maintain retrievable exact copies of electronic protected health information (ePHI) stored in conjunction with iDialogs Add-ons. This policy, and associated procedures for testing and restoring from backup data. The policy and procedures will assure that complete, accurate, retrievable, and tested backups are available for all systems used by iDialogs.

Data backup is an important part of the day-to-day operations of iDialogs. To protect the confidentiality, integrity, and availability of ePHI, both for iDialogs and iDialogs Customers, complete backups are done daily to assure that data remains available when it needed and in case of a disaster.

Violation of this policy and its procedures by workforce members may result in corrective disciplinary action, up to and including termination of employment.

6.1 APPLICABLE STANDARDS

6.1.1 APPLICABLE STANDARDS FROM THE HITRUST COMMON SECURITY FRAMEWORK

  • 01.v - Information Access Restriction

6.1.2 APPLICABLE STANDARDS FROM THE HIPAA SECURITY RULE

  • CFR § 164.308(a)(7)(ii)(A) - Data Backup Plan
  • CFR § 164.310(d)(2)(iii) - Accountability
  • CFR § 164.310(d)(2)(iv) - Data Backup and Storage

6.2 Data Backup Plan

  1. The Security Officer establishes and implements procedures to create and maintain retrievable exact backup copies of electronic protected health information as required by 45 CFR § 164.308(a)(7)(ii)(A) (HIPAA Security Rule – Contingency Plan – Data Backup Plan). The procedures will assure that complete, accurate, retrievable, and tested back-ups are available for all ePHI on all information systems used by the unit, with the following exceptions.
    1. Additional copies of ePHI created for convenience do not need to be backed up, provided that the original copy is properly backed up and available as required by the HIPAA Security Rule.
    2. Data sets containing ePHI which were generated from other data sets do not need to be backed up, provided that the original data sets containing ePHI are properly backed up and available as required by the HIPAA Security Rule, and it is possible to recreate enough of the generated data set in a timely manner so that ePHI in the generated data set is available as required by the HIPAA Security Rule.
  2. The Security Officer creates a retrievable exact backup copy of electronic protected health information (ePHI) before movement of equipment as required by 45 CFR § 164.310(d)(2)(iv) (HIPAA Security Rule – Device and Media Controls – Data Backup and Storage). The same exceptions listed in section 1.b. apply.
  3. The Security Officer maintains a record of movements of hardware and electronic media containing ePHI and any person responsible therefore, as required iDialogs within the iDialogs Organization that is a business associate of a covered entity by 45 CFR § 164.310(d)(2)(iii) (HIPAA Security Rule – Device and Media Controls – Accountability).
  4. The Security Officer creates  or automates the creation and storage of backup copies in accordance with their Safeguard Implementation Plan (or the equivalent) as described in Policy #4 "HIPAA Security Risk Management." Backup copies are created at a sufficient frequency and are retained in safe locations for a sufficient length of time to accomplish all the following:
    1. Data backups that enable the restoration of ePHI that is lost or corrupted.
    2. Data backups that support the iDialogs Disaster Recovery Plan (or the equivalent) as required by 45 CFR § 164.308(a)(7)(ii)(B) (HIPAA Security Rule – Contingency Plan – Disaster Recovery Plan) and as described in Policy # 8.4 "HIPAA Security Contingency Planning."
    3. Data backups that support the iDialogs Emergency Mode Operations Plan (or the equivalent) as required by 45 CFR § 164.308(a)(7)(ii)(C) (HIPAA Security Rule – Contingency Plan – Emergency Mode Operations Plan) and as described in Policy # 8.4 “HIPAA Security Contingency Planning”.
    4. Data backups that support the iDialogs mechanisms to authenticate ePHI, as required by 45 CFR § 164.312(c)(2) (HIPAA Security Rule – Integrity – Mechanism to Authenticate Electronic Protected Health Information) and as described in Policy # 8.3 "HIPAA Security Auditing."
  5. Data backups will be tested according to the requirements of 45 CFR § 164.308(a)(7)(ii)(D) (HIPAA Security Rule – Contingency Plan – Testing and Revision Procedures) as described in Policy # 8.4 "HIPAA Security Contingency Planning."
  6. Responsibility for compliance with this policy in specific circumstances will be assigned in the iDialogs Safeguard Implementation Plan (or the equivalent) as described in Policy # 8.1 "HIPAA Security Risk Management."

6.3 Data Backup And Storage

  1. A backup, recovery and testing strategy should be determined based upon the iDialogs Safeguard Implementation Plan (or the equivalent) as described in Policy # 8.1 "HIPAA Security Risk Management."
  2. The following is typical of backup arrangements, and can be used as a template for variation:
    1. A typical arrangement includes a daily backup of data that has changed on all systems that create, receive, maintain, or transmit ePHI.
    2. Data backup systems may be manual or automated. Automated systems electronically capture back up locations, date/time, etc. If the process is manual, documentation of the backup should include:
      1. Site/location name
      2. Name of the system
      3. Type of data
      4. Date & time of backup
      5. Where backup is stored (or to whom it was provided)
      6. Signature of individual that completed the back up
  3. Stored backups must be sufficiently accessible and retrievable to meet the specifications of the unit’s Continuity of Operations Plan (or the equivalent) as described in Policy # 8.4 "HIPAA Security Contingency Planning."
  4. All media used for backing up ePHI must be stored in a physically secure environment, such as a secure, off-site storage facility or, if backup media remains on site, in a physically secure location, different from the location of the computer systems it backed up (i.e., in a location that protects the backups from loss or environmental damage).
  5. If an off-site storage facility or backup service is used, a Business Associate Agreement (BAA) must be used to ensure that the Business Associate will safeguard the ePHI in an appropriate manner. A BAA might not be needed for off-site storage or backup services at certain iDialogs facilities. This will need to be evaluated on a case-by-case basis by the iDialogs HIPAA Privacy Officer and the iDialogs HIPAA Security Officer.
  6. When reusable media such as tapes are used as the backup media, refer to Policy # 8.7 "Destruction/Disposal of Protected Health Information" and iDialogs "Media and Device Disposal and Reuse."
  7. Data backups should be tested, and data restored, to assure accuracy. Documentation of backup testing, or restore logs, should be maintained and should capture the date and time the data was restored. Operational procedures for backup, recovery, and testing should be documented and periodically reviewed.
  8. Proper management of situations concerning data back-up and data recovery, such as emergencies or other occurrences, should be addressed in the unit’s Continuity of Operations Plan (or the equivalent) as described in Policy # 8.4 "HIPAA Security Contingency Planning."
    1. Destruction
      1. The unit will determine an appropriate schedule for retention of data backups. This schedule should include a timeline for ultimate destruction of reusable storage media.
      2. Refer to Policy # 8.7 "Destruction/Disposal of Protected Health Information" and iDialogs "Media and Device Disposal and Reuse" when records are disposed of, or storage media containing ePHI is re-used or disposed of.
    2. Media Handling: It is not possible or economically practical to control all media that enter and leave an organization.
      1. The unit will make reasonable and prudent efforts to control media entering and leaving the organization.
      2. Media that contains PHI that is no longer useful or usable should be sanitized or disposed of consistent with Policy # 8.7 "Destruction/Disposal of Protected Health Information" and iDialogs "Media and Device Disposal and Reuse."

6.4 Accountability

Failure to adhere to the iDialogs Data Backup policies can result in official sanctions.

  1. Failure to back up a system in the absence of a system failure is a violation of this policy.
  2. Violation of this policy and its procedures by workforce members may result in sanctions as described in Policy # 9.2 "Responding to Employee Noncompliance with Policies and Procedures Relating to the HIPAA Privacy and Security Rules."
    1. Violation of the policy and procedures by others, including providers, providers' offices, business associates and partners may result in termination of the relationship and/or associated privileges.

6.5 Documentation Requirements

The iDialogs HIPAA Security Officer, the HIPAA Privacy Officer, and other custodians of records or documentation related to the HIPAA Data Management and Backup policy and procedures will assure that those records or documents are retained for six years from the date of creation or date it was last in effect, whichever is later.