6. Data Management Policy

CIRG has procedures to create and maintain retrievable exact copies of electronic protected health information (ePHI) utilizing our Backup Service. The policy and procedures will assure that complete, accurate, retrievable, and tested backups are available for all systems used by CIRG.

Data backup is an important part of the day-to-day operations of CIRG. To protect the confidentiality, integrity, and availability of ePHI, both for CIRG and CIRG Clients, complete backups are done daily to assure that data remains available when it needed and in case of a disaster.

Violation of this policy and its procedures by workforce members may result in corrective disciplinary action, up to and including termination of employment.

6.1 Applicable Standards

6.1.1 Applicable Standards from the HITRUST Common Security Framework

• 01.v - Information Access Restriction

6.1.2 Applicable Standards from the HIPAA Security Rule

• 164.308(a)(7)(ii)(A) - Data Backup Plan
• 164.310(d)(2)(iii) - Accountability
• 164.310(d)(2)(iv) - Data Backup and Storage

6.2 Backup Policy and Procedures

1. Perform daily snapshot backups of all systems that process, store, or transmit ePHI for CIRG Clients.
2. CIRG Ops Team, lead by Lead Systems Administrator, is designated to be in charge of backups.
3. Dev Ops Team members are trained and assigned to complete backups and manage the backup media.
4. Document backups
   • Name of the system
   • Date & time of backup
   • Where backup stored (or to whom it was provided)
5. Securely encrypt stored backups in a manner that protects them from loss or environmental damage.
6. Test backups and document that files have been completely and accurately restored from the backup media.
7. Systems are automatically backed up to both local and remote stores (encrypted) nightly. System configurations are stored in a server management system, facilitating rapid redeployment. Deployment processes are largely automated, and flexible with regard to hosting infrastructure (UW enterprise-level data centers, or Amazon Web Services).
8. PHI are not stored on CIRG workstations or other non-server devices.
9. Application records are to be retained and securely stored after completion or discontinuation of the project for the duration specified by the project contract as may be required by institutional policies, applicable laws, rules or regulations.