HIPAA Contingency Plan - Disaster Recovery and Business Continuity

The HIPAA Security Rule 164.308(a)(7)(i) identifies Contingency Plan as a standard under Administrative Safeguards. HIPAA Contingency plans address the “availability” security principle. The availability principle addresses business disruption threats–so authorized individuals can access vital systems and information when required. A HIPAA Contingency Plan is crucial for ensuring the security and confidentiality of healthcare information in case of unexpected events or disasters. The plan typically includes measures for data backup, disaster recovery, and emergency operations to maintain HIPAA compliance.

HIPAA Contingency Plan: Definition and Scope

Contingency planning/ Business Continuity Planning (BCP) is about a coordinated strategy involving plans, procedures, and technical measures to recover systems, operations, and data after a disruption. Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) are the overall processes of developing an approved set of arrangements and procedures to ensure your business can respond to a disaster and resume its critical business functions within a required time frame objective. The primary aim is to reduce the level of risk and cost to you and the impact on your staff, customers, and suppliers.

A Business Impact Analysis (BIA) is performed at the beginning of disaster recovery and continuity planning to identify the areas that would suffer the most significant financial or operational loss in the event of a disaster or disruption. A key objective is to identify all critical systems that are required for the continuity of the business. Further, a determination of the time it would take to recover such systems in the event of a loss.

Definition of Contingency Plan in HIPAA Security Regulation

Contingency Plan standard is defined within the Administrative Safeguards section of the HIPAA Security Rule. HIPAA Contingency plan-related requirements are also identified as implementation specifications in the Physical Safeguards section of the HIPAA laws as well as the Technical Safeguards section.

Item	HIPAA Citation	HIPAA Security Rule Standard Implementation Specification	Implementation
ADMINISTRATIVE SAFEGUARDS
	164.308(a)(7)(i)	Contingency Plan
	164.308(a)(1)(ii)(A)	Data Backup Plan	Required
	164.308(a)(1)(ii)(B)	Disaster Recovery Plan	Required
	164.308(a)(1)(ii)(C)	Emergency Mode Operation Plan	Required
	164.308(a)(1)(ii)(D)	Testing and Revision Procedures	Addressable
	164.308(a)(1)(ii)(E)	Applications and Data Criticality Analysis	Addressable
PHYSICAL SAFEGUARDS
	164.310(a)(1)	Facility Access Controls	–
	164.310(a)(2)(i)	Contingency Operations	Addressable
	164.310(d)(1)	Device and Media Controls	–
	164.310(d)(2)(iv)	Data Backup and Storage	Addressable
TECHNICAL SAFEGUARDS
	164.312(a)(1)	Access Control	–
	164.312(a)(2)(ii)	Emergency Access Procedure	Required

Data Backup Plan (Required)164.308(a)(7)(ii)(A)

The data backup plan is a required implementation specification defined within the HIPAA Contingency Plan standard in the Administrative Safeguards section of the HIPAA Security Rule.

The objective of the data backup plan is to establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. The data backup plan is a documented and routinely updated plan to create and maintain, for a specific period of time, retrievable exact copies of information. Successful data backup and restores are sometimes dependent on business processes and “batch” activities.

Disaster Recovery Plan (Required)164.308(a)(7)(ii)(B)

The disaster recovery plan is a required implementation specification defined within the HIPAA Contingency Plan standard in the Administrative Safeguards section of the HIPAA Security Rule.

The objective of a disaster recovery plan is to establish (and implement as needed) procedures to restore any loss of data. A disaster recovery plan is part of an overall contingency plan that contains a process enabling an enterprise to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure.

The disaster recovery plan applies to major, usually catastrophic, events that deny access to the normal facility for an extended period. A disaster recovery plan refers to an IT-focused plan designed to restore the operability of the target system, application, or computer facility at an alternate site after an emergency.

The disaster recovery plan defines the resources, actions, and data required to reinstate critical business processes that have been damaged because of a disaster. An inventory of all critical data and vital systems must be created as well as documentation of detailed procedures to facilitate the recovery of capabilities at an alternate site.

Emergency Mode Operation Plan (Required)164.308(a)(7)(ii)(C)

An emergency mode operation plan is a required implementation specification defined within the HIPAA Contingency Plan standard in the Administrative Safeguards section of the HIPAA Security Rule.
The objective of an emergency mode operation plan is to establish (and implement as needed) procedures to enable the continuation of critical business processes for the protection of the security of electronic protected health information while operating in emergency mode. An emergency mode operation plan is part of an overall contingency plan that contains a process enabling an enterprise to continue to operate in the event of fire, vandalism, natural disaster, or system failure. In a manner similar to disaster recovery planning, budget for and schedule required resources for effective emergency mode operation plan testing.

Testing and Revision Procedures (Addressable)164.308(a)(7)(ii)(D)

Testing and revision procedures is an addressable implementation specification defined within the HIPAA Contingency Plan standard in the Administrative Safeguards section of the HIPAA Security Rule.
The objective of testing and revision procedures is to implement procedures for periodic testing and revision of contingency plans. These testing and revision procedures are procedures for the processing periodic testing of written contingency plans to discover weaknesses and the subsequent process of revising the documentation, if necessary. These written testing and feedback mechanisms are the key to successful testing.

Applications and Data Criticality Analysis (Addressable) 164.308(a)(7)(ii)(E)

Applications and data criticality analysis is an addressable implementation specification defined within the HIPAA Contingency Plan standard in the Administrative Safeguards section of the HIPAA Security Rule.

The objective of applications and data criticality analysis is to assess the relative criticality of specific applications and data in support of other contingency plan components. It is an entity’s formal assessment of the sensitivity, vulnerabilities, and security of its programs and information it receives, manipulates, stores, and/or transmits. This procedure begins with an application and data inventory.

Contingency Operations (Addressable) 164.310(a)(2)(i)

Contingency operations is an addressable implementation specification defined within the Facility Access Controls standard in the Physical Safeguards section of the HIPAA Security Rule.

The objective of contingency operations is to establish (and implement as needed) procedures that allow facility access in support of the restoration of lost data under the disaster recovery plan and emergency mode operation plan in the event of an emergency.

Physical security is a critical aspect of disaster and business continuity planning. Administrative controls for physical access to enable contingency operations must be in place so recovery can proceed as defined in plans.

Data Backup and Storage (Addressable) 164.310(d)(2)(iv)

Data backup and storage is an addressable implementation specification defined within the Device and Media Controls standard in the Physical Safeguards section of the HIPAA Security Rule.

The covered entity must create a retrievable, exact copy of electronic protected health information, when needed, before the movement of equipment. Continual and consistent backup of data is required as one cannot be sure when an organization may experience some disaster that will require access to data that has been backed up to be back in operations. Data may also be lost or corrupted – hence a good data backup plan is important.

Emergency Access Procedure (Required) 164.312(a)(2)(ii)

Emergency access procedure is a required implementation specification defined within the Access Control standard in the Technical Safeguards section of the HIPAA Security Rule.

The objective of the emergency access procedure implementation specification is to establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. Emergency access is a necessary part of access control and will be necessary under emergency conditions, although these may be very different from those used in normal operational circumstances.

Contingency Planning: 7 Steps

The National Institute of Standards and Technology (NIST) recommends following seven key steps to address the requirements of contingency planning. These seven key steps for contingency planning are:

1. Develop the contingency planning policy statement. A formal department or agency policy provides the authority and guidance necessary to develop an effective contingency plan.
2. Conduct the business impact analysis (BIA). The BIA helps to identify and prioritize critical IT systems and components. A template for developing the BIA is also provided to assist the user.
3. Identify preventive controls. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.
4. Develop recovery strategies. Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption.
5. Develop an IT contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system.
6. Plan testing, training, and exercises. Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness.
7. Plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements.

How can Supremus Group help your compliance Efforts?

We can help you in three different ways depending on your need, involvement, time, available resources, and budget.

OPTION 1: If you are in a hurry to complete the HIPAA Security Contingency Plan and you don’t have internal resources to completely devote to this project then we can independently complete the project for you. The only involvement required will be providing information about your infrastructure, policies, processes, and a current contingency plan if any.
OPTION 2: If you have internal staff members who can completely devote their time to this project but don’t know the methodology, we will provide a project manager to work with your team and help to complete the Contingency plan document.
OPTION 3: If you have all the necessary resources for Business Continuity Planning and BIA project but need to save time on documentation, you can use our HIPAA Contingency Plan Template Suite. Many IT Security consulting companies, HIPAA consultants, and hospitals are using our HIPAA Contingency plan templates in their projects.

Remember, the goal of a HIPAA Contingency Plan is to minimize the impact of disruptions on the confidentiality, integrity, and availability of healthcare information. Regularly review and update the plan to address evolving threats and changes in the healthcare environment.

Let us help you with your Contingency planning project.

Please contact us for more information at Bob@HIPAAcertification.net or call (515) 865-4591.

View HIPAA Security Policies and Procedures

HIPAA Contingency Plan: Disaster Recovery and Business Continuity Plan