Under the current guidelines, will it be permissible for health providers to continue to backup their own data...
and take it home?
Under the HIPAA Privacy Rule and the proposed Security Rule, there is not verbiage that I'm aware of that prevents covered entities from backing up their own data and taking it home. There are, however, documented requirements for contingency plans and media controls. For this scenario, this basically means that there needs to be formal, documented policies and procedures outlining how the data is being backed up as well as the physical access controls and media controls for the backup media going into and out of the facility. This is subject to change in the final Security Rule, but for now, it's simply a solid combination of common sense, well-established best practices and good documentation about what's being done. Just keep in mind, with or without HIPAA, to ensure that the backup media are adequately protected and kept out of the hands of strangers, not stored in a hot or cold automobile and that they are readily accessible (by other personnel) when a disaster occurs.
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.