Policies and Disclosures

HIPAA - PHI/ePHI 

This policy reflects THE LEARNING SPOT CONSULTING SERVICES' commitment to back up and securely store all ePHI on its information systems and electronic media.

SCOPE

The IT Department and/or any other department or workforce member that purchases, moves, maintains, and/or creates equipment or media capable of storing or transmitting ePHI.

DEFINITIONS  

Backup: The process of making an electronic copy of data stored in a computer system. Examples of backups include:

  • Full/Complete Backup - a backup/image of all data, programs, and files on the system.

  • Incremental Backup - a backup that only contains the files that have changed since the most recent backup.

  • Snap-shot Backup (image backup) - a process to restore/recover the system at a particular state, at a particular point in time.

Electronic Media: Electronic storage material on which data is or may be recorded electronically, including, for example, devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card. 

  • Or transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet, extranet or intranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission. 

Protected Health Information (PHI): Individually identifiable health information that is received, created, maintained or transmitted by the organization, including demographic information, that identifies an individual, or provides a reasonable basis to believe the information can be used to identify an individual, and relates to: 

  • Past, present or future physical or mental health or condition of an individual.

  • The provision of health care to an individual.

  • Past, present, or future payment for the provision of health care to an individual.

  • Privacy and Security Rules do not protect the individually identifiable health information of persons who have been deceased for more than 50 years. 

Electronic Protected Health Information (ePHI): Protected health information (PHI) under HIPAA that is transmitted by or stored by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. 

Hardware: Physical parts of a computer, as distinguished from the data it contains or operates on, and the software that provides instructions for the hardware to accomplish tasks, such as the mechanical, magnetic, electronic, and electrical components making up a computer system.

Off-Site: Any location separated from the building in which the backup was created. It must be physically separate from the creating site. The environment for off-site storage must meet appropriate security requirements as well as storage standards established by the manufacturer of the backup media.

POLICY   

THE LEARNING SPOT CONSULTING SERVICES Security Officer will be responsible for implementing this policy and will ensure that further responsibility is properly assigned for the proper management of data.

THE LEARNING SPOT CONSULTING SERVICES Security Officer or designee is responsible for completing the backups and for ensuring effective training of the workforce members assigned to complete backups, for management of the backup media and for performing periodic testing of restored media. 

THE LEARNING SPOT CONSULTING SERVICES Security Officer or designee shall maintain a record of movements of hardware and electronic media containing ePHI and any person responsible therefor.

DATA BACKUP

A backup, recovery and testing strategy should be determined based upon THE LEARNING SPOT CONSULTING SERVICES' Risk Analysis strategy.

THE LEARNING SPOT CONSULTING SERVICES shall create a retrievable, exact copy of ePHI before the movement of equipment. In the event a system does not allow for an electronic backup, THE LEARNING SPOT CONSULTING SERVICES will develop an alternative method to create a copy of the ePHI contained on that system, or complete an analysis delineating alternate solutions for compliance (such as a printed copy).

In order to protect the confidentiality, integrity, and availability of ePHI, THE LEARNING SPOT CONSULTING SERVICES completes backups every week.

THE LEARNING SPOT CONSULTING SERVICES will perform a daily backup of all systems that create, receive, maintain, or transmit ePHI.  While a vendor may specify or recommend a full backup, an incremental backup, or may not specify, the Security Officer will determine the frequency with which backups are performed, dependent upon each system.  

Data backup systems may be manual or automated. Automated systems electronically capture backup locations, date/time, etc. If the process is manual, documentation of the backup should include:

  • Site/location name

  • Name of the system

  • Type of data

  • Date & time of backup

  • Where the backup is stored (or to whom it was provided)

  • Signature of the individual that completed the backup

The data backup plan requires that all media used for backing up ePHI is stored in a physically secure environment, such as a secure, off-site storage facility. If backup media remains on-site, it must be in a physically secure location, different from the location of the computer systems it backed up in order to protect the backups from loss or damage. 

If an off-site storage facility or backup service is used, a Business Associate Agreement must be used to ensure that the Business Associate will safeguard the ePHI in an appropriate manner.

Stored data must be accessible and retrievable at all times and all data backups should be tested and data restored to ensure accuracy. 

When reusable media are used as the backup media, refer to the “Device, Media, and Paper Record Sanitization for Disposal or Reuse” policy.

Data backups should be tested and data restored to assure accuracy. Documentation of backup testing, or restore logs, should be maintained and should capture the date and time the data was restored. Operational procedures for backup, recovery, and testing should be documented and periodically reviewed.

Proper management of situations concerning data back-up/data recovery, such as emergencies or other occurrences, should be addressed in the Disaster Recovery Plans.

THE LEARNING SPOT CONSULTING SERVICES will determine a record retention policy and data backup retention schedule. This schedule should include a timeline for the ultimate destruction (tapes maintained and destroyed) of storage media.

MEDIA

It is not possible or economically practical to control all media that enter and leave an organization. THE LEARNING SPOT CONSULTING SERVICES makes all reasonable and prudent efforts to control media entering and leaving the organization. Workforce members are trained to handle media with PHI in a manner that protects the confidentiality of the data contained in it. Media that contains PHI that is no longer useful or usable should be sanitized consistently with the “Device, Media, and Paper Record Sanitization for Disposal or Reuse” policy.

DOCUMENTATION

All documentation required by this policy will be maintained for a period of six years from the date of creation or the date when it was last in effect, whichever is later.  

VIOLATIONS

Failure to back up a system in the absence of a system failure is a violation of this policy and may result in corrective disciplinary action, up to and including termination of employment.

Violation of this policy and its procedures by workforce members may result in corrective disciplinary action, up to and including termination of employment.  

Violation of this policy and procedures by others, including providers, providers' offices, business associates, and partners may result in the termination of the relationship and/or associated privileges.  

Violation may also result in civil and criminal penalties to THE LEARNING SPOT CONSULTING SERVICES as determined by federal and state laws and regulations related to loss of data. 

Violation may also result in liability to THE LEARNING SPOT CONSULTING SERVICES related to loss of data.

EQUAL OPPORTUNITY EMPLOYMENT

THE LEARNING SPOT CONSULTING SERVICES is an Equal Opportunity Employer. 

Employment opportunities at THE LEARNING SPOT CONSULTING SERVICES are based upon one's qualifications and capabilities to perform the essential functions of a particular job. All employment opportunities are provided without regard to race, religion, sex, pregnancy, childbirth, or related medical conditions, national origin, age, veteran status, disability, genetic information, or any other characteristic protected by law.

This Equal Employment Opportunity policy governs all aspects of employment, including, but not limited to, recruitment, hiring, selection, job assignment, promotions, transfers, compensation, discipline, termination, layoff, access to benefits and training, and all other conditions and privileges of employment.

The Company will provide reasonable accommodations as necessary and where required by law so long as the accommodation does not pose an undue hardship on the business. This policy is not intended to afford employees any greater protections than those which exist under federal, state, or local law.

THE LEARNING SPOT CONSULTING SERVICES strongly urges the reporting of all instances of discrimination and harassment and prohibits retaliation against any individual who reports discrimination, harassment, or participates in an investigation of such report. THE LEARNING SPOT CONSULTING SERVICES will take appropriate disciplinary action, up to and including immediate termination, against any employee who violates this policy.