Introduction:

Backing up data matters for everyone, whether the data is personal or belongs to an organization. For electronic protected health information (ePHI) managed by a healthcare institution, the stakes could not be higher.

A data backup plan is also a mandatory component of HIPAA compliance: it is a required part of the contingency plan standard in the HIPAA Security Rule.

To meet these requirements, many healthcare organizations outsource critical IT services to a third party such as a managed service provider (MSP). Whether or not you outsource backups, you remain responsible for ensuring that sensitive patient data is not lost, and the consequences of losing it can be devastating.

"The data backup plan is a required stage of compliance and must form part of a contingency plan that meets HIPAA standards. Losing data has huge consequences, even more so for healthcare organizations who routinely handle sensitive and private data. If access to critical pharmacy systems, lab systems or EHR systems was severed, a healthcare practice would struggle to continue business operations. This risks damaging reputation and ultimately could risk patient lives." - Marty Puranik, "What Is Your HIPAA Data Backup Plan"

This process will help you establish a solid data backup plan that satisfies HIPAA requirements and clearly shows your patients that you have appropriate safeguards in place to protect their data.

From identifying the databases that contain ePHI, through choosing a backup solution and testing the restore process, to formally documenting the backup policy, this checklist will help you set up the data backup plan end-to-end, hopefully relieving your security team of some stress in the process.

A little info about Process Street

Process Street is superpowered checklists. By using our software to document your processes, you are instantly creating an actionable workflow in which tasks can be assigned to team members, automated, and monitored in real-time to ensure they are being executed as intended, each and every time.

The point is to minimize human error, increase accountability, and provide employees with all of the tools and information necessary to complete their tasks as effectively as possible.

Enter basic details

First, enter some basic details regarding your organization and the Security Official leading the team tasked with securing and backing up ePHI. 

ePHI identification:

Identify the databases containing ePHI

Identify the various databases that contain ePHI. 

List them in the form field now. You can also attach and/or link to a document/resource that contains the list. 

Identify email systems containing ePHI

Identify the email systems that contain ePHI. 

List them in the form field now. You can also attach and/or link to a document/resource that contains the list. 

Determine risk level of each file

Once all of the databases and email systems containing ePHI have been identified, it's time to determine the risk level of each file or data store.

The term “risk,” as used in the phrase “security risk analysis,” can be defined as a function of two things:

  • The likelihood of a given threat triggering or exploiting a specific vulnerability 
  • The resulting impact

You can attach and/or link to a document/file containing the risk level of each file. 

As stated by the Compliancy Group, a risk level matrix can be used to assist in determining and ranking risk levels. The matrix may be populated using a “high,” “medium,” and “low” rating system. For example, a threat likelihood value of “high” combined with an impact value of “low” may equal a risk level of “low.” Or a threat likelihood value of “medium” combined with an impact value of “medium” may equal a risk level of “medium.” 

Approval: All ePHI identified

Will be submitted for approval:
  • Identify the databases containing ePHI
    Will be submitted
  • Identify email systems containing ePHI
    Will be submitted
  • Determine risk level of each file
    Will be submitted

Data backup solution:

Determine which solution will be used

From the list below, select which solution(s) will be used to back up the data. 

If you select "Other", describe the solution in the text form field. 

  • Disk-based backup technology and replication techniques
  • Tape-based backup and offsite store/retrieval process
  • Cloud storage and provider solution
  • Other

Approval: Data backup solution

Will be submitted for approval:
  • Determine which solution will be used
    Will be submitted

Location of backup data:

Identify backup media required to remain offsite

Identify and describe the backup media required to remain offsite. 

Storing backup data at an offsite facility (a physical location other than your worksite) allows recovery if the locally stored, onsite backups are destroyed or damaged because the premises themselves have been hit by an emergency such as an earthquake, flood or fire.

A Business Associate Agreement (BAA) must be used if an off-site storage facility or backup service is used to ensure that the Business Associate will safeguard the ePHI in an appropriate manner.

Process Street has built a Business Associate Agreement Checklist to guide you through creating and implementing the agreement. 

Identify backup media required to remain onsite

Identify and describe the backup media required to remain onsite. 

If backup media remains on-site, it must be kept in a physically secure location, separate from the location of the computer systems it backs up, so that a single event cannot destroy both the systems and their backups.

Ensure safeguards are in place for off-site storage

It is critical to ensure that backup data sent to an off-site storage facility is secured with technical and physical safeguards that meet HIPAA requirements: for example, encrypting the backups before they leave your control, restricting and logging access to the stored media, and tracking chain of custody for physical media in transit.

Provide a description of the safeguards that are in place to secure off-site storage and minimize the risk of a data breach.

Approval: Safeguards and location of backup data

Will be submitted for approval:
  • Ensure safeguards are in place for off-site storage
    Will be submitted
  • Identify backup media required to remain onsite
    Will be submitted
  • Identify backup media required to remain offsite
    Will be submitted

Testing the restore process:

Test data restoration with approved engineers

Have approved engineers restore a backup into an isolated test environment, never onto the production systems that hold ePHI.

This is an important step: a backup that has never been restored is unproven. The test confirms that the backups are complete and readable, that they can be restored within the time your contingency plan assumes, and that the safeguards around them function as they should.

Record the date of testing and summarize the results in the form field below.

Also, determine whether any issues were identified. If so, they will need to be evaluated and resolved before moving on in the process.
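The restore test above can be scripted so that it is repeatable and leaves a record. The following is an added example written for this checklist, not code from Process Street or any backup vendor: it archives a source tree, restores it into a scratch directory, and checks every restored file against a SHA-256 manifest, reporting missing, altered and unexpected files. The manifest layout, the tar.gz format and the sample file names are assumptions of the script; the sample data is constructed and contains no real PHI.

```python
"""Restore test for a file-level backup: archive a source tree, restore it into
a scratch directory, and check every restored file against a SHA-256 manifest.

Added example: the manifest layout, the tar.gz format and the sample paths are
assumptions of this script, not something the checklist above prescribes.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large dumps never sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    """Write source as a gzip tarball and a JSON manifest beside it."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    archive.with_name(archive.name + ".manifest.json").write_text(json.dumps(manifest))
    return manifest


def restore_backup(archive: Path, target: Path) -> None:
    """Extract into target; the 'data' filter rejects entries that escape it."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")  # Python 3.12+ and backports
        except TypeError:  # older tarfile has no extraction filters
            tar.extractall(target)


def verify_restore(manifest: dict, restored: Path) -> list:
    """Compare a restored tree to its manifest; an empty list means it passed."""
    issues = []
    for rel, expected in manifest.items():
        path = restored / rel
        if not path.is_file():
            issues.append(f"missing: {rel}")
        elif sha256_file(path) != expected:
            issues.append(f"hash mismatch: {rel}")
    extra = set(build_manifest(restored)) - set(manifest)
    issues.extend(f"unexpected file: {rel}" for rel in sorted(extra))
    return issues


def run_restore_test(source: Path) -> list:
    """Full cycle: back up source, restore into a scratch dir, verify."""
    with tempfile.TemporaryDirectory() as scratch:
        archive = Path(scratch) / "backup.tar.gz"
        manifest = create_backup(source, archive)
        restore_backup(archive, Path(scratch) / "restore")
        return verify_restore(manifest, Path(scratch) / "restore")


def make_sample_tree(root: Path) -> None:
    """Constructed stand-in for an ePHI export; contains no real PHI."""
    (root / "db").mkdir(parents=True)
    (root / "db" / "patients.sql").write_text("-- constructed sample dump\n")
    (root / "mail").mkdir()
    (root / "mail" / "inbox.mbox").write_bytes(b"From sample\n" * 100)


def self_check() -> tuple:
    """Returns (clean_issues, tampered_issues) for the constructed sample tree."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        make_sample_tree(src)
        clean = run_restore_test(src)
        manifest = build_manifest(src)
        # Simulate a damaged restore: one file altered, one file absent.
        (src / "db" / "patients.sql").write_text("-- silently truncated dump\n")
        (src / "mail" / "inbox.mbox").unlink()
        tampered = verify_restore(manifest, src)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = self_check()
    print("clean restore:", "PASSED" if not clean else clean)
    print("damaged restore:", tampered)
```

Run it against a copy of a real export only inside the isolated test environment, and paste its output into the form field as the test record. Note that a file-level hash check proves the bytes came back intact; it does not prove that the application can use them, so a database dump should additionally be imported into a test instance and queried as part of the same test.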

Describe the issues found during testing

There were some issues identified during testing. Not to worry: describe them in the form field below so they can be evaluated and resolved by the team.

If it's more convenient, you can attach and/or link to a document containing a detailed breakdown of the issues that were identified.

Conduct meeting to evaluate and resolve issues

Conduct a meeting to evaluate and resolve the issues that were identified during data restoration testing. 

Record the date of the meeting, as well as key takeaways/action items

Below is the description of the issues that was recorded in the previous task.


Description of issues

{{form.Description_of_issues_found_during_testing}}

Approval: Testing complete

Will be submitted for approval:
  • Conduct meeting to evaluate and resolve issues
    Will be submitted
  • Describe the issues found during testing
    Will be submitted
  • Test data restoration with approved engineers
    Will be submitted

Detailed documentation:

Document the backup policy

Document the backup policy. 

You can attach and/or link to the policy below.

All documentation required by this policy will be maintained for a period of 6 years from the date of creation or the date when it was last in effect, whichever is later. 

Document the backup process and schedule

Document the backup process and schedule. 

You can attach and/or link to the process and schedule below.

Document the restore process

Document the data restore process. 

You can attach and/or link to the data restore process below.

Document the disaster recovery process

Document the disaster recovery process. 

You can attach and/or link to the disaster recovery process below.

Document the contingency plan

Document the contingency plan. 

You can attach and/or link to the contingency plan below.

Approval: Data backup plan documentation

Will be submitted for approval:
  • Document the contingency plan
    Will be submitted
  • Document the disaster recovery process
    Will be submitted
  • Document the restore process
    Will be submitted
  • Document the backup process and schedule
    Will be submitted
  • Document the backup policy
    Will be submitted

Backup plan review:

Determine date for reviewing data backup plan

Determine a date to review the backup plan.

Ideally, the plan would be reviewed once a month, or at least once every quarter.
