Under the HIPAA Privacy Rule and the proposed Security Rule, there is not verbiage that I'm aware of that prevents covered entities from backing up their own data and taking it home. There are, however, documented requirements for contingency plans and media controls. For this scenario, this basically means that there needs to be formal, documented policies and procedures outlining how the data is being backed up as well as the physical access controls and media controls for the backup media going into and out of the facility. This is subject to change in the final Security Rule, but for now, it's simply a solid combination of common sense, well-established best practices and good documentation about what's being done. Just keep in mind, with or without HIPAA, to ensure that the backup media are adequately protected and kept out of the hands of strangers, not stored in a hot or cold automobile and that they are readily accessible (by other personnel) when a disaster occurs.
For more information on this topic, visit these other SearchSecurity.com resources:
Best Web Links: Data Protection/Backup
Best Web Links: Health Care/Health Services
This was first published in October 2002