Disclaimer, Terms of Use, and Copyrights

The following document is developed by Person Centered Tech Incorporated and is offered for educational purposes. It is not offered with any intent or implied warranty of fitness for a particular purpose, nor is there any warranty, guarantee, or general claim that this will in any way provide any particular level of legal protection. This document is not a substitute for legal advice or consultation, nor is it a substitute for clinical or ethical consultation or advice. State laws and licensing board rules vary, as do the needs of individual clients. You must modify this document – or rule out its use – as necessary according to your local laws and rules as well as the needs of your clients and your practice. Unless otherwise prohibited by law, Person Centered Tech Incorporated will not be liable to you or to any other third party for: (a) any direct, indirect, incidental, special, punitive, or consequential losses or damages, including, but not limited to, loss of profits, loss of earnings, loss of business opportunities, or personal injuries resulting directly or indirectly from use of this document; or (b) any losses, claims, damages, expenses, liabilities, or costs (including legal fees) resulting directly or indirectly from use of this document. The conditions in this paragraph apply to any acts, omissions, and negligence of Person Centered Tech Incorporated that would give rise to a course of legal action. You agree to indemnify and hold harmless Person Centered Tech Incorporated against all claims and expenses (including attorney fees) arising from the use of this document. This document is provided “as is.” Person Centered Tech Incorporated grants you the right to use this document in your own health care practice. Your right to use this document is non-exclusive and may not be transferred to others.

You may copy or modify this document according to your individual business needs, but you may not distribute copies of this document nor may you distribute documents derived from this one. You are also prohibited from using this document for educational purposes without prior written consent. Your use of this document is also covered by Person Centered Tech’s Terms of Service. This document is © 2018 Person Centered Tech Incorporated.

<Practice Name>: Data Backup Policy

P&P Version: __________________
Approved By: __________________
Effective Date: _________________

Purpose

Electronic media, especially hard drives, fail somewhat frequently. In addition, computer equipment is valuable and more prone to theft than file cabinets full of paper. In short, it’s much easier to lose electronic information, or for it to become corrupted, than it is for information in paper documents. On the other hand, it is very easy and very inexpensive to make exact copies of electronic information. As such, it is a best practice to maintain up-to-date backups of important electronic information. Good backups can be a lifesaver for individuals and for practices. They can help ensure that potentially bad events turn out alright and they can prevent immense costs from being incurred. Backup policies are also a requirement of HIPAA’s Security Rule.

Governing Policy

It is the policy of <the practice> to ensure the integrity and availability of all electronic protected health information, and other electronic information critical to the practice’s mission, that it creates, receives, maintains, or transmits. This is accomplished, in part, by maintaining exact copies of that information that can be retrieved and used at the times when the practice needs them, and by ensuring that those exact copies are properly secured from identified risks.

To protect the integrity and availability of <the practice>’s information, the HIPAA Officer must determine all the devices, services, and media which create or maintain information in need of backup and then create plans for creating and securing backups of that data. All helpers, especially those who are responsible for devices, services, and media, should understand the importance of data backups and must implement the HIPAA Officer’s plans in good faith and in compliance with this policy.

Violation of this policy and its procedures by helpers of the practice may result in disciplinary and/or corrective action according to the sanction procedures of the Workforce Management Policy. Violation of this policy by non-workforce such as providers and staff at other entities, volunteer helpers, or any others affiliated with the practice may result in termination of any partnership or collaborative relationship. Violation may also result in civil and criminal penalties as determined by federal and state laws and regulations.

Data Backup Policy

Definitions

Backup Management Software: Software which runs on a device and that performs backups automatically on a set schedule. Popular examples include Apple Time Machine and Windows Backup.

Backup Media: Electronic media, often devices, used to store backup data. Popular options include external hard drives and thumb drives. There are also media options that are designed specifically for data backups, such as the Apple Time Capsule.

Cloud Backup: Third-party managed backup services that store backup information on Internet servers. Cloud backup services typically create software for installation on the devices which need to be backed up. This software then sends data from the device to the backup service’s servers when the time to create backups comes.

Data Backup: An exact, retrievable copy of electronic data.

Electronic Protected Health Information: Protected Health Information in an electronic form.

Off-Site Backup: A data backup which is stored in a different physical site from its original data source. Off-site backups help prevent data backups from being subjected to the same threats and hazards that original data sources are subjected to. Cloud backup services are, generally speaking, always off-site.

Original Data Source: The device, group of devices, or service that is used to create, receive, maintain, or transmit the data which must be backed up.
One Example: If a certain computer is backed up using an external hard drive, then that computer is the original data source to that external hard drive’s backups.
Another Example: If a smartphone is backed up to a computer which is then, in turn, backed up to a cloud backup service, then the computer and the smartphone are original data sources to the cloud backup service.

Backup Media Storage Policy

Backup media, if kept by the practice, must be stored in a manner that protects it from harm and ensures that it is not subject to the same reasonably anticipated risks as the device which it is intended to back up. Thus, backup media must be stored off-site or in a container or facility that is reasonably likely to protect it from the relevant threat events identified during <the practice>’s risk analysis.

One Example: If a computer is backed up using an external hard drive, then that hard drive needs to be stored somewhere separate from the computer. We need to be sure that any harm which befalls the computer doesn’t also impact the external hard drive. E.g. if the computer is stolen during a break-in, we need the backup hard drive to be somewhere else so it doesn’t get stolen. E.g. (again) if the computer is damaged during a fire, we want the backup drive to be at a different site (or in a fireproof safe!) so it doesn’t get destroyed. Backups are no good if they aren’t there when you need them.

Backup Media Disposal Policy

When electronic media used for data backup (e.g. external hard drives) are to be retired from use by the practice or are to be repurposed for a different use, they must first be sanitized according to the Device & Electronic Media Disposal Policy.

Backup Media Transport Policy

When electronic media used for data backup (e.g. external hard drives) are to be transported from one site to another, they must be protected according to the Device and Document Transport and Storage Policy. This is required regardless of how frequently the media device is transported.

External Service Critical Information Backup Policy

Information stored on cloud services and other managed services outside the immediate control of the practice’s workforce must be evaluated for criticality to the practice’s day-to-day operations as part of the risk analysis process. The HIPAA Officer should consider creating a plan for keeping copies of any externally-maintained information deemed critical to day-to-day operations. The decision to make such a plan, or to instead accept the risks of losing access to critical information should the external service become unavailable, must be based upon the assessed level of criticality of identified information as compared to the cost of keeping copies, the size and capabilities of the practice, and the technical resources of the practice.

One Example: Many practices use a cloud service, such as a practice management system, to keep their master calendar of client appointments and client contact information. This information is of high criticality to the practice’s day-to-day operations (imagine losing the calendar of appointments and also losing the contact information you need in order to inform clients that you don’t know when their appointments are!). If a cloud service is also used to keep client records, one could say that portions of the records for currently active clients are also of high criticality to day-to-day operations. Depending on the practice, it is likely reasonable to implement a plan for maintaining the practice’s own copies of the calendar and contact information. Maintaining copies of the client records might be less reasonable, however, given the amount of information involved and the records’ lower criticality for day-to-day operations (as compared to calendars and contact info).

Procedures

Data Backup and Confirmation Plan

Schedule: The HIPAA Officer will create a plan that ensures that all electronic PHI that the practice creates, receives, maintains or transmits is backed up on a schedule frequent enough to ensure that PHI will not be permanently lost if the original data sources are lost or destroyed. The necessary backup schedule for each original data source will be determined based on results from the practice’s risk analysis, among other relevant sources of information.

For information that is “self-maintained” by a 3rd party, such as a cloud service, the HIPAA Officer may decide that the 3rd party’s own internal backup procedures suffice for <the practice>’s needs regarding the information that the 3rd party maintains. This is acceptable so long as the HIPAA Officer also assesses the need for an External Service Critical Information Backup Plan (see below).

Method: The HIPAA Officer will create a plan that ensures that all electronic PHI that the practice creates, receives, maintains or transmits is backed up using appropriate and reasonable methods. The HIPAA Officer may choose any reasonable method that ensures the timely creation of an exact, retrievable copy of all electronic PHI, that ensures backups are stored securely, and that complies with the Policies & Procedures of the practice. Methods will be chosen based on the nature of the original data source, the capabilities and resources of the practice, and the results of the practice’s risk analysis, among other relevant sources of information. If a chosen backup method involves allowing a third-party service to maintain the backups, such as for cloud backup or off-site backup maintained by an outside service, a Business Associate Agreement will be executed with that service.

Methods of storing data backups will be set up to ensure that the backups are always available to authorized individuals.

Confirmation: The HIPAA Officer will choose a schedule and method for confirming that backups are being completed successfully and a method for logging the results of backup confirmation checks. The confirmation schedule will be more frequent than every 10 backups for each original data source. E.g. if the backup schedule for a given data source is “every business day,” then backup confirmation for that data source must occur at least every 10 business days.

When using automated backup methods, confirmation checks will include confirming that the automated system is creating backups on schedule.

Documentation: The backup schedule, method, confirmation method, and responsible individual for each original data source will be documented. A log of backup confirmation checks, and of actual backups if they are performed manually, will also be kept. Some methods of backup, e.g. backup management software or cloud backup services, maintain their own logs of backups. In these cases, the backup schedule documentation will indicate how often the software or service is set to create backups.

Data Backup Failure Response Plan

If, when performing a backup or confirming backups, the responsible individual discovers that backups are failing in any way, that individual will report the failure to the HIPAA Officer immediately. The HIPAA Officer will then create and execute a plan for assessing and remediating the failure in a timely fashion appropriate to the risks involved in leaving the original data source(s) without backups.

External Service Critical Information Backup Plan

Following each risk analysis process, the HIPAA Officer will identify any externally maintained information for which copies must be maintained. The HIPAA Officer’s decision will be based on the External Service Critical Information Backup Policy written above. If any such information is identified, the HIPAA Officer will create a plan for maintaining the practice’s own exact, retrievable electronic copies of the identified information as part of the Data Backup and Confirmation Plan procedure and the Data Backup Failure Response Plan procedure.
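The Confirmation procedure above asks for three checks: that a backup is an exact, retrievable copy, that an automated method is still producing backups on schedule, and that a confirmation check happens at least every 10 backups. The following is an added example of how a practice could script those checks; it is not part of the policy template, and the file layout, ISO date strings and sample data are constructed assumptions.

```python
"""Backup confirmation check following the policy's Confirmation procedure.
Added example, not part of the policy template. Constructed assumptions: backups are
plain file copies and dates are ISO strings; the 10-backup rule is the policy's own."""
import hashlib
import tempfile
from datetime import date
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def backup_is_exact_copy(source: Path, backup: Path) -> bool:
    """An exact, retrievable copy must exist and read back with the source's digest."""
    return backup.is_file() and sha256_of(source) == sha256_of(backup)

def backups_on_schedule(backup_dates, today, interval_days):
    """Automated-method check: the newest backup is no older than one schedule interval."""
    if not backup_dates:
        return False
    newest = max(date.fromisoformat(d) for d in backup_dates)
    return (date.fromisoformat(today) - newest).days <= interval_days

def confirmation_due(backup_dates, last_confirmation):
    """Confirm at least every 10 backups: 10 unconfirmed backups means a check is due."""
    if last_confirmation is None:
        return True
    since = date.fromisoformat(last_confirmation)
    return sum(1 for d in backup_dates if date.fromisoformat(d) > since) >= 10

def run_demo():
    """Constructed sample: one source file, one exact backup, one truncated backup."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "records.db"
        source.write_bytes(b"constructed sample data, not real PHI")
        good, bad = root / "backup-2024-05-10.db", root / "backup-2024-05-09.db"
        good.write_bytes(source.read_bytes())
        bad.write_bytes(source.read_bytes()[:-1])  # silently truncated copy
        return {"good": backup_is_exact_copy(source, good),
                "bad": backup_is_exact_copy(source, bad)}
```

The digest comparison is what turns "a backup file exists" into "an exact copy exists"; a truncated or corrupted copy fails the check even though the file is present, which is the kind of failure the Data Backup Failure Response Plan expects to be reported.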