University of Colorado Denver
Facility for Advanced Spatial Technology
Subject: HIPAA Security Policies & Procedures
Policy #: AS-17.1
Title: Data Backup Plan
Effective Date of This Revision: November 28, 2011
HIPAA Security Officer: Sue Hawkins
Responsible Department: Facility for Advanced Spatial Technology
Contact: 1200 Larimer Street NV 5032, 303-556-4172
HIPAA REGULATORY INFORMATION: Contingency Plan Standard, 45 CFR 164.308(a)(7)(i)
Category: Administrative Safeguard
Type: Implementation Specification (Required)
Applies to: the workforce categories designated for this policy (Officers, Staff/Faculty, Student clinicians, Volunteers, Other agents, Visitors, Contractors); see the Policies, Procedures, and Documentation policy (OR-1.1).
BACKGROUND:
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that access to
Protected Health Information (PHI) be managed so as to protect the confidentiality, integrity, and
availability of electronic PHI (ePHI). Under the law, all FAST officers, employees, and agents of units
within a FAST Entity must preserve the integrity and confidentiality of individually identifiable health
information (IIHI) pertaining to each patient or client.
SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
“Establish and implement procedures to create and maintain retrievable exact copies of electronic
protected health information.”
HIPAA Requirement Contingency Plan Standard
HIPAA Reference: 45 CFR 164.308(a)(7)(i)
Reviewed by: Sue Hawkins
Approved by: Sue Hawkins
Effective Date 11/28/2011
Supersedes Policy: N/A
PURPOSE:
Each unit of the FAST health care component (HCC) that handles ePHI will implement the policies and
procedures necessary to ensure that an exact copy of its ePHI is recoverable.
Who is affected by this policy is documented in the Policies, Procedures, and Documentation policy (OR-1.1).
This specification provides guidance for FAST's Security Office in adopting the Contingency Plan
standard [45 CFR 164.308(a)(7)(i)].
POLICY:
Each Unit of FAST HCC responsible for ePHI will take reasonable and appropriate steps to back up and
store ePHI maintained on ePHI Systems and to create exact and retrievable copies of ePHI to include,
but not limited to, all medium and high-risk files, records, images, voice or video files that may contain
ePHI.
Each Unit of FAST HCC responsible for ePHI will create and implement a documented and detailed plan
for creating and maintaining backup data from all electronic media associated with ePHI that:
Defines who is responsible for taking reasonable steps to ensure the backup of ePHI
Defines a backup schedule
Specifies the ePHI Systems that are to be backed up
Defines where backup media is to be stored and which FAST workforce members may
access the stored backup media.
Defines where backup media is to be securely kept before it is moved to storage
Defines who may remove the backup media and transfer it to storage
Defines restoration procedures to restore ePHI from backup media to the appropriate ePHI
Systems.
Each Unit of FAST HCC responsible for ePHI will implement a backup procedure to:
Generate up-to-date copies of ePHI that can be recovered in the event that ePHI Systems
are damaged by or during a disaster or other emergency in accordance with the Disaster
Recovery Plan implementation policy (AS-11.1).
Complete periodic testing of its restoration procedures for ePHI Systems to confirm the
effectiveness of those procedures and that the ePHI can be restored in the time set forth in
the covered component's Disaster Recovery Plan implementation specification (AS-11.1).
Document the retention period for backup media that contain backup copies of ePHI.
Store backup copies of ePHI, complete records of the backup copies, and document
restoration procedures in a remote and secure location, within sufficient distance from the
site.
Provide access to authorized workforce members for timely retrieval of the backup
information stored at the remote location as defined in the Contingency Operation
implementation specification policy (AS-10.1).
Provide physical, environmental, and technical security for the backup media stored at the
remote location that will be consistent with the security provided to ePHI onsite in accordance
with the Facility Access Controls standard (PS-3.1).
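The procedure above asks each unit to keep "exact and retrievable" copies and to test restoration periodically. The following is an added example, not part of the FAST policy or any FAST tooling, of what such a restore drill can look like in code. It assumes (my assumptions, not the policy's) that a backup is a directory copy on a filesystem and that "exact" means every file restores byte-for-byte, which it checks with a SHA-256 manifest written at backup time; it also injects a simulated corruption of the backup copy so the check can be seen to fire. Encryption of the backup (policy TS-1.1) and off-site transport are out of scope here.

```python
"""
Added example (not part of policy AS-17.1 or FAST's own tooling): a minimal
backup, restore and verify drill of the kind a unit could run to confirm its
backup copies of ePHI are exact and retrievable.

Assumptions (mine, not the policy's): backups are directory copies on a
filesystem, and "exact" means each file restores byte-for-byte, checked via a
SHA-256 manifest recorded at backup time.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large images/video files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative, '/'-separated) to its SHA-256."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup(source: Path, dest: Path) -> dict:
    """Copy source into dest/data and record a manifest next to the copy."""
    shutil.copytree(source, dest / "data")
    manifest = build_manifest(dest / "data")
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def restore(backup_dir: Path, target: Path) -> None:
    """Restore the backup copy to target (the 'appropriate ePHI System' in the policy)."""
    shutil.copytree(backup_dir / "data", target)


def verify_restore(backup_dir: Path, restored: Path) -> list:
    """Compare the restored tree against the manifest; an empty list means exact."""
    expected = json.loads((backup_dir / "manifest.json").read_text())
    actual = build_manifest(restored)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing after restore: {rel}")
        elif actual[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    for rel in actual:
        if rel not in expected:
            problems.append(f"unexpected file in restore: {rel}")
    return problems


def restore_test(tamper: bool = False) -> list:
    """End-to-end drill on constructed sample data; returns verify_restore()'s findings.

    tamper=True overwrites one file on the backup media after the manifest was
    written, simulating silent corruption, so the drill should report it.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "ephi_system"
        (src / "records").mkdir(parents=True)
        # Constructed sample content for the drill; not real PHI.
        (src / "records" / "patient_0001.txt").write_text("sample record 1\n")
        (src / "records" / "patient_0002.txt").write_text("sample record 2\n")
        (src / "index.csv").write_text("id,file\n1,records/patient_0001.txt\n")

        bkp = tmp / "backup"
        backup(src, bkp)
        if tamper:
            (bkp / "data" / "records" / "patient_0002.txt").write_text("corrupted\n")

        restored = tmp / "restored"
        restore(bkp, restored)
        return verify_restore(bkp, restored)


if __name__ == "__main__":
    print("clean drill:", restore_test() or "OK, restore is exact")
    print("tampered drill:", restore_test(tamper=True))
```

Running the drill on a schedule, and keeping its output with the backup records the policy requires, gives a unit evidence that restoration works and that the copies are still exact; the manifest is the piece that turns "the restore finished" into "the restore is correct".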
DEFINITIONS:
HIPAA: Health Insurance Portability and Accountability Act of 1996
Electronic Protected Health Information (ePHI): Electronic health information or health care payment
information, including demographic information collected from an individual, which identifies the individual
or can be used to identify the individual. ePHI does not include student records held by educational
institutions or employment records held by employers.
Individually Identifiable Health Information (IIHI): Information that is a subset of health information,
including demographic information collected from an individual, and:
Is created or received by a health care provider, health plan, employer, or health care
clearinghouse; and
Relates to the past, present, or future physical or mental health or condition of an individual; the
provision of health care to an individual; or the past, present, or future payment for the provision
of health care to an individual; and
That identifies the individual; or
With respect to which there is a reasonable basis to believe the information can be used to
identify the individual.
FAST Health Care Component (HCC): Those units of FAST that have been designated by FAST as part
of its health care component under HIPAA.
FAST Security Compliance Officer: the individual appointed by FAST to be the HIPAA Security Officer
under 45 CFR 164.308(a)(2) of the HIPAA Security Rule.
Addressable: When a standard adopted under 45 CFR 164.308, 164.310, or 164.312 includes addressable
implementation specifications, a unit within the FAST HCC must (i) assess whether each implementation
specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference
to its likely contribution to protecting the unit's ePHI, and (ii) as applicable to the unit: (A)
implement the implementation specification if reasonable and appropriate; or (B) if implementing the
implementation specification is not reasonable and appropriate, (1) document why it would not be
reasonable and appropriate to implement it, and (2) implement an equivalent alternative measure if
reasonable and appropriate.
Related Policies:
Access Authorization (AS-1.1)
FAST Confidentiality Agreement
Information Access Management Standard (AS-3.1)
Encryption and Decryption (TS-1.1)
Unique User Identification (TS-2.1)
Emergency Access Procedure (TS-3.1)
Automatic Logoff (TS-4.1)
Reference:
Access to Electronic Health Information Flow Sheet
Access Authorization (AS-1.1)
FAST Confidentiality Agreement
HIPAA Final Security Rule, 45 CFR Parts 160, 162, and 164, Department of Health and Human Services,
http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp, February 20, 2003.
CMS, “CMS Information Systems Security Policy, Standards and Guidelines Handbook”, CMS, February
2002.
International Organization for Standardization, ISO/IEC 17799:2000(E).