164.308(a)(7)(ii)(B) - Contingency Plan –Disaster Recovery Plan - Establish (and implement as needed) procedures to restore any loss of data.


The customer is responsible for documenting organizational procedures related to data recovery. Amazon RDS documentation is located at: 

The customer should consider backing up all data to address any requirements related to the recovery of individual S3 objects, RDS database objects, or EBS files, file systems that are destroyed, modified, or overwritten by logical actions, and to mitigate any residual risk of data loss caused by AWS hardware failures.


In this architecture, ePHI storage is limited to the Amazon RDS database, Amazon S3 buckets, and potentially secondary EBS volumes attached to the application/web server EC2 instances. Full database recovery from snapshot or point-in-time can be initiated from the RDS console/API. The Amazon S3 managed service features inherent redundancy, so that no customer-initiated data recovery operation is required. Amazon EBS does not include volume backup of customer data.

Impact of Resource Type(s):