June 2017 - Backing Up the SOAPware Database

June 2017 - Best Practice Recommendations for Backing up the SOAPware Database

HIPAA 164.308(a)(7) states that the practice must "establish (and implement as needed) policies and procedures for responding to an emergency or other occurrences (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information."

In addition, according to HIPAA 164.310(d)(1) it is the responsibility of the practice to "implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility and the movement of these items within the facility." 

The above-mentioned HIPAA references cover a number of items, but with regard to the backup of ePHI data, they state that it is the responsibility of the practice to ensure the backup and security of the data. SOAPware is not responsible for ePHI data or for ensuring that it is backed up and that the backup is valid. It is the responsibility of the practice to devise and implement workflows that back up the data and ensure transport of the backup to a secure offsite storage location.

SOAPware has created some best practice recommendations for complying with HIPAA requirements for ePHI backups. Our best practice recommendations are merely suggestions, not requirements, nor is there any guarantee, implied or otherwise, that these suggestions will be the best for all practices. SOAPware's recommendations are posted for your consideration and potential adaptation. The decision to use them, or not, is up to your practice.

Based on our experience, the best solution is to contract with a reputable vendor to provide offsite, real-time backup services. A SOAPware certified product for this service is available from Computer Consulting Service (www.nwaccs.com). Please note that there are, of course, other products and vendors available to provide backup services. Please ensure that you tell your vendor that you are using a PostgreSQL database.

If you opt to use SOAPware's Data Manager backup utility or the batch backup solution, SOAPware Support will assist you with installation, configuration, and training. After these services have been delivered by a Support technician, it is the responsibility of the practice to institute its workflow for data backup. 

We strongly recommend a strategy that requires the use of three (3) external hard drives. This is a common best-practice approach to ensuring the integrity of your ePHI. It is often referred to as the 3-Generation Backup.

  1. Drive 1: Take Drive 1 (we'll call it "Son") and plug it into the server for use. Be sure the backup utility is configured to use the external drive.
  2. Drive 2: Take Drive 2 (we'll name this one "Father") and put this drive in a secure, offsite location, perhaps a safe deposit box in a bank or a fireproof safe in your home.
  3. Drive 3: Take Drive 3 (we'll name this one "Grandfather") and keep it on your person or in some other secure place for transport. An example of a secure place might be a lock box secured to the floor of a car trunk.
  4. As part of the morning office routine, after the backup process is complete, remove "Son" from the server and plug "Grandfather" into the server.
  5. Transport "Son" to the offsite secure location and trade it out for "Father".
  6. Place "Father" in the secure transport locale.
  7. Repeat this process every day, rotating each drive.

It is recommended that you make the 3-Generation drive rotation process a daily procedure. Be sure to check the utility for success or failure and take the appropriate follow-up actions. Always keep ePHI secure, whether it is on your person or in your car for transport. Create a schedule of this process in order to keep track of which drive is used on each day your clinic is open for business.
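The schedule suggested above can be generated rather than kept by hand. The following is an added example, not SOAPware code: it replays steps 4 through 6 for each open day and reports where each drive ends up and how recent the backup on the offsite and transport drives is. The start date, the Saturday/Sunday closure, and the function names are assumptions made for illustration.

```python
from datetime import date, timedelta

DRIVES = ("Son", "Father", "Grandfather")  # drive names from the article


def business_days(start, count, closed_weekdays=(5, 6)):
    """Yield `count` open days from `start` (assumption: closed Sat/Sun)."""
    day = start
    while count:
        if day.weekday() not in closed_weekdays:
            yield day
            count -= 1
        day += timedelta(days=1)


def rotation_schedule(start, days):
    """Return one row per open day, describing the state after the morning swap."""
    # Initial placement from steps 1-3: Son in server, Father offsite, Grandfather in transport.
    server, offsite, transit = DRIVES
    last_backup = {name: None for name in DRIVES}
    rows = []
    for today in business_days(start, days):
        # The backup checked this morning was written to the drive in the server.
        last_backup[server] = today
        # Step 4: transport drive goes into the server.
        # Step 5: removed server drive goes offsite, traded for the drive there.
        # Step 6: the drive collected from offsite becomes the transport drive.
        server, offsite, transit = transit, server, offsite
        rows.append({
            "date": today,
            "server": server,
            "offsite": offsite,
            "transit": transit,
            "offsite_backup": last_backup[offsite],
            "transit_backup": last_backup[transit],
        })
    return rows


if __name__ == "__main__":
    # Constructed sample: two working weeks starting Monday 5 June 2017.
    print(f"{'date':<12}{'server':<13}{'offsite':<13}{'transit':<13}offsite copy")
    for r in rotation_schedule(date(2017, 6, 5), 10):
        print(f"{r['date']!s:<12}{r['server']:<13}{r['offsite']:<13}"
              f"{r['transit']:<13}{r['offsite_backup']}")
```

Comparing the drive actually plugged into the server against the `server` column for the day is a quick way to spot a missed rotation.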

The final step of this procedure is likely to be the most resource intensive. Periodically, you must restore one of the backup data sets and test it to ensure it is a valid and functional backup. This is part of the contingency planning required by HIPAA. In other words, this is not optional.

Should you have any questions or need assistance from a Support technician, please contact us at (800) 455-7627 option 2 or by submitting a ticket at www.soapware.com/ticket.

For more information and instructions on backing up your SOAPware data, please see: Backing Up SOAPware Data.