HIPPA Regulation Reference § 142.308 (ii):
Data backup plan (a documented and routinely updated plan to create and maintain, for a specific period of
time, retrievable exact copies of information).
Section II: Requirement
The covered entity must develop a contingency plan that can be used to facilitate continuity of operations in the event of an emergency
and recovering from a disaster. The plan must include a data backup plan that is documented and routinely updated. The plan must ensure
that retrievable exact copies of data are available for a specified period of time.
Section III: Definitions
Data Backup - a retrievable, exact copy of information.
Data Backup Plan - a documented and routinely updated plan to create and maintain, for a specific
period of time, retrievable exact copies of information.
Section IV: Approaches/Solutions
- Determine what is considered an acceptable amount of time for recovery in the event that your system is destroyed.
Determine what is considered and acceptable amount of lost data that must be re-entered.
- Develop a contingency plan to facilitate operation in the event of a disaster or system failure.
- Identify the parts of your system that are static. These unchanging objects can be saved on an infrequent basis.
- Identify objects that dynamically change every day and can be the focus of daily backups.
- Develop a system to perform data backup of all pertinent information. Ensure that the plan works and is followed.
Ensure that you are getting complete backups. Some files are simply irreplaceable. Regular backups ensure you do not lose such files.
- Develop a backup strategy with depth to retain older backups at specified intervals. This will help restore information prior to a
virus infection.
- Store data in a secure location, preferably off-site so that it can be retrieved when needed. A secure off-site location is best.
At the very least, you should securely store backups as far from the computer as possible.
- Test the data backups to ensure that the information is retrievable.
Section V: Policy & Procedure
Data backup is an essential part of the organization's contingency plan. Regular backups ensure that organizations do not lose irreplaceable
files. A major purpose of backing up data is to avoid the expense, time, and effort it would take to recover a system whose files were destroyed
by mechanical failure, hardware loss, a virus attack or user error. Legal or accreditation retention requirements should be considered when
developing a backup plan.
Information that is updated on a daily basis should be backed up daily. Static data can be backed up on a more infrequent basis
(weekly or monthly). Each organization will determine how much data they can afford to lose and how much data can be recreated.
Ideally, data should be stored in a secure off-site location where it can be easily retrieved when needed. At the very least, you should
securely store backups as far from the computer as possible. Develop a backup strategy with depth to retain older backups at specified
intervals. This will help restore information prior to a virus infection. Data backups should be tested to ensure that the information is retrievable.
Section VI: Technology
Removable Media
Traditional backup has involved copying data to removable media such as disks, tapes, or CD-R's. Choose a type of removable media
that is large enough to hold an entire backup. This will probably mean tape, since modern tapes can hold 60GB or more. Tape autoloaders
automate the process of backing up to multiple tapes.
Drive Image Backup
You can backup a precise image of an entire drives contents by using software products designed for that purpose.
Internet Backup
Sites that back up your data over the internet are available. Typically users are charged a fixed subscription fee per month for
a specific amount of storage. Broadband connection is a must if you decide to use this option.
Return To Top
