The practice of not having policies and procedures for the creation and secure storage of an electronic copy of ePHI that would be used in the case of system breakdown or disaster

Risk: The practice of not having policies and procedures for the creation and secure storage of an electronic copy of ePHI that would be used in the case of system breakdown or disaster.

Explanation: Like any other form of data, ePHI may be lost in a system breakdown or disaster if a proper backup is not kept and maintained. Backing up ePHI is important because it lets you create and maintain retrievable copies of ePHI for use in an emergency. Exact retrievable copies of ePHI can be established and maintained on physical, removable media (e.g. CDs, USBs) or on virtual media (e.g. cloud storage).

Primary Mitigation: Establish and implement policies and procedures for making copies of ePHI, on either physical or virtual media, that can be retrieved when there is a system breakdown.

Secondary Mitigation: Make sure that the retrievable copies of ePHI are safe and protected against unauthorized use and disclosure.

Success Criteria: Being able to retrieve ePHI from the backup sources when the main source breaks or faces a disaster.

Source: www.gpo.gov