This entry is part 6 of 59 in the series Complete Guide to HIPAA Security Final Rule

(2) Implementation specifications:

(iv) Data backup and storage (Addressable). Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.

Tell Me More:

The Data Backup and Storage implementation specification requires the covered entity and business associate to create an exact retrievable copy of electronic protected health information, when needed, before movement of equipment.

Several sections of the Final Rule address the need for backing up data, e.g., the Contingency Plan standard. When equipment is to be moved, one should have a process in place to be prepared for problems and, prior to the move, should ensure that a current backup is made of the information on that equipment. Data may also be lost or corrupted in movement, so a good data backup plan is important.


Questions to consider:

  • What data (systems, files, directories, folders) should be backed up when equipment is moved?
  • Are backups done before movement?
  • Who is responsible/authorized to retrieve the media?



Michelle Caswell

Senior Director, Legal & Compliance at Clearwater Compliance
Michelle Caswell has over 14 years of legal and healthcare experience and worked as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights, where she ensured covered entities were in compliance with HIPAA, conducted complaint investigations, and educated entities on HIPAA compliance. Michelle brings that experience to Clearwater Compliance as Senior Director, Legal and Compliance.