HIPAA Contingency Plan: Disaster Recovery and Business Continuity Plan

A contingency plan is a required standard in the HIPAA Security Rule, 45 CFR 164.308(a)(7)(i), under the Administrative Safeguards. HIPAA contingency plans address the security principle of availability: they deal with the risk of business disruption, with the aim of ensuring that authorized personnel can still reach vital systems and data while the disruption lasts.

Definition and Scope of the HIPAA Contingency Plan

A contingency plan sets out the technical measures, procedures, and plans needed to recover networks, systems, data, and operations after a disruption. Business Continuity Planning and Disaster Recovery planning is the process of developing the measures and procedures that let a business resume normal functions after a crisis, disaster, or disruption. The aim is to limit the cost of such events while remaining functional for suppliers, staff, and customers.

A Business Impact Analysis (BIA) is normally performed at the start of continuity and disaster recovery planning. Its objective is to identify the processes and systems whose loss would hurt the organization most, financially and operationally, in a disruption or disaster. Identifying these sensitive systems is what allows the business to plan for their continuity in such an event.

Contingency Plan Requirements in the HIPAA Security Rule

Contingency plans are a required standard under the Administrative Safeguards section of the HIPAA Security Rule. Related contingency requirements also appear as implementation specifications under the Physical Safeguards and Technical Safeguards sections, as the table below shows. Note that "addressable" does not mean optional: a covered entity must either implement the specification or document why it is not reasonable and appropriate and implement an equivalent alternative measure.

HIPAA Citation          Security Rule Standard        Implementation Specification                 Required / Addressable
164.308(a)(7)(i)        Contingency Plan              (standard)
164.308(a)(7)(ii)(A)                                  Data Backup Plan                             Required
164.308(a)(7)(ii)(B)                                  Disaster Recovery Plan                       Required
164.308(a)(7)(ii)(C)                                  Emergency Mode Operation Plan                Required
164.308(a)(7)(ii)(D)                                  Testing and Revision Procedures              Addressable
164.308(a)(7)(ii)(E)                                  Applications and Data Criticality Analysis   Addressable
164.310(a)(1)           Facility Access Controls      (standard)
164.310(a)(2)(i)                                      Contingency Operations                       Addressable
164.310(d)(1)           Device and Media Controls     (standard)
164.310(d)(2)(iv)                                     Data Backup and Storage                      Addressable
164.312(a)(1)           Access Control                (standard)
164.312(a)(2)(ii)                                     Emergency Access Procedure                   Required

Data Backup Plan (Required) 164.308(a)(7)(ii)(A)
The data backup plan is an implementation specification of the Contingency Plan standard in the Administrative Safeguards section. Its goal is to establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information (ePHI). Backups must be taken periodically so that the copies are current enough to be useful at recovery and restoration time. How well a business does this depends on its day-to-day backup activities, procedures, and the maintenance of the backup systems themselves.

Disaster Recovery Plan (Required) 164.308(a)(7)(ii)(B)
The disaster recovery plan is another key implementation specification of the Contingency Plan standard in the Administrative Safeguards section. Its objective is to establish procedures to restore any loss of data. The disaster recovery plan is the part of the contingency plan that ensures that data lost to fire, vandalism, system failure, or natural catastrophe can be restored.

The disaster recovery plan applies to all major events, including disasters, that may leave a facility non-operational for an extended period. In practice it is a focused IT plan: its purpose is to bring a system back to a known-good state from before the emergency.

The disaster recovery plan should therefore restore the business's critical processes by specifying the actions, resources, and data needed to rebuild a damaged system. It is important to identify the critical data and vital systems in advance and to document the procedures needed to restore the information system to its former state.

Emergency Mode Operation Plan (Required) 164.308(a)(7)(ii)(C)
The emergency mode operation plan is one of the required implementation specifications of the Contingency Plan standard in the Administrative Safeguards section.

Its aim is to establish the procedures that keep critical business processes running, and ePHI protected, while the organization operates in emergency mode. The emergency mode operation plan ensures continuity of operations in the event of system failure, catastrophe, or vandalism. The effectiveness of the disaster recovery plans, budgets, and schedules should also be tested under emergency mode conditions.

Testing and Revision Procedures (Addressable) 164.308(a)(7)(ii)(D)
The testing and revision procedures are an implementation specification of the Contingency Plan standard in the Administrative Safeguards section.

Their objective is to implement procedures for periodic testing and revision of contingency plans. This involves exercising the written contingency plans on a regular schedule, reviewing the results for weaknesses, and revising the plans accordingly. A backup that has never been restored, or a plan that has never been walked through, cannot be assumed to work.
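The following is an added example, not code from the original page or from the Supremus Group, that ties the Data Backup Plan and the Testing and Revision Procedures together: a backup is only "retrievable" if someone periodically proves it. The script builds a small tar backup of constructed, synthetic records, writes a manifest of SHA-256 digests, and then verifies the backup the way a scheduled test would: is it fresh enough, is the stored archive intact, and does every file restore with the digest the manifest recorded? The 24-hour freshness limit, the file names, and the manifest layout are assumptions for illustration.

```python
# Added example: backup retrievability check. Not from the original page.
# Builds a small tar backup of constructed, synthetic records, writes a
# manifest of SHA-256 digests, then verifies the backup the way a
# "testing and revision" procedure would: freshness, archive integrity,
# and a trial restore with per-file hash comparison.
import hashlib
import io
import tarfile
from datetime import datetime, timedelta, timezone

# Assumption: the backup policy requires a successful backup at least daily.
MAX_BACKUP_AGE = timedelta(hours=24)

# Constructed sample "records"; no real patient data.
SAMPLE_FILES = {
    "patients/000001.json": b'{"id": "000001", "note": "synthetic record"}',
    "patients/000002.json": b'{"id": "000002", "note": "synthetic record"}',
    "config/app.ini": b"[db]\nhost=db.internal\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: dict, created: datetime) -> tuple:
    """Return (archive_bytes, manifest). The manifest is what the verifier
    trusts, so in practice it is stored separately from the archive
    (and ideally signed); here both are kept in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            tar.addfile(info, io.BytesIO(files[name]))
    archive = buf.getvalue()
    manifest = {
        "created": created.isoformat(),
        "archive_sha256": sha256_hex(archive),
        "files": {name: sha256_hex(data) for name, data in files.items()},
    }
    return archive, manifest


def verify_backup(archive: bytes, manifest: dict, now: datetime,
                  max_age: timedelta = MAX_BACKUP_AGE) -> list:
    """Return a list of findings; an empty list means the backup passed.
    Checks: (1) the backup is recent enough, (2) the archive matches its
    recorded digest, (3) every file restores with the expected digest and
    nothing is missing or unexpected."""
    findings = []
    created = datetime.fromisoformat(manifest["created"])
    if now - created > max_age:
        findings.append(f"stale: backup is {now - created} old, limit {max_age}")
    if sha256_hex(archive) != manifest["archive_sha256"]:
        findings.append("archive checksum mismatch: do not trust this copy")
        return findings  # a corrupted archive cannot be meaningfully restored
    restored = set()
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()  # trial restore into memory
            expected = manifest["files"].get(member.name)
            if expected is None:
                findings.append(f"unexpected file in archive: {member.name}")
            elif sha256_hex(data) != expected:
                findings.append(f"checksum mismatch after restore: {member.name}")
            restored.add(member.name)
    for name in sorted(set(manifest["files"]) - restored):
        findings.append(f"missing from archive: {name}")
    return findings


def run_demo() -> dict:
    """Exercise the check against a good backup and three failure modes."""
    created = datetime(2024, 1, 1, 2, 0, tzinfo=timezone.utc)
    archive, manifest = make_backup(SAMPLE_FILES, created)

    results = {"good": verify_backup(archive, manifest, created + timedelta(hours=1))}
    # Failure 1: the backup job silently stopped running two days ago.
    results["stale"] = verify_backup(archive, manifest, created + timedelta(days=2))
    # Failure 2: bit rot or tampering in the stored archive (flip one byte past the 512-byte tar header).
    corrupted = bytearray(archive)
    corrupted[512] ^= 0xFF
    results["corrupt"] = verify_backup(bytes(corrupted), manifest, created)
    # Failure 3: a file the manifest lists never made it into the archive.
    short = dict(SAMPLE_FILES)
    del short["config/app.ini"]
    short_archive, _ = make_backup(short, created)
    partial_manifest = dict(manifest, archive_sha256=sha256_hex(short_archive))
    results["missing"] = verify_backup(short_archive, partial_manifest, created)
    return results


if __name__ == "__main__":
    for case, findings in run_demo().items():
        print(case, "->", findings or ["OK"])
```

Run as a script it prints one line per case. In a real deployment the manifest would be written by the backup job to a location the archive storage cannot overwrite, the verifier would run on the schedule the testing and revision procedure specifies, and any non-empty findings list would page someone, because each case above corresponds to a backup that would fail at recovery time.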

Applications and Data Criticality Analysis (Addressable) 164.308(a)(7)(ii)(E)
The applications and data criticality analysis is an implementation specification of the Contingency Plan standard in the Administrative Safeguards section.

Its objective is to assess the relative criticality of specific applications and data in support of the other contingency plan components, so that recovery effort is ordered by what the business needs first. The analysis also considers the risks facing any data the entity stores, receives, or transmits in its systems and its capacity to keep that data secure. The process starts with an inventory of applications and data.

Contingency Operations (Addressable) 164.310(a)(2)(i)
Contingency operations is an implementation specification of the Facility Access Controls standard in the Physical Safeguards section. Its aim is to establish procedures that allow facility access in support of restoring lost data under the disaster recovery plan and the emergency mode operation plan, and to identify where recovery will take place, in the event of an emergency.

Physical security is a vital component of business continuity during a disaster. Administrative controls must therefore be in place to ensure the right people can physically reach the facilities, equipment, and media the contingency procedures depend on; otherwise the procedures cannot be carried out as planned.

Data Backup and Storage (Addressable) 164.310(d)(2)(iv)
Data backup and storage is an implementation specification of the Device and Media Controls standard in the Physical Safeguards section. A covered entity must be able to create a retrievable, exact copy of ePHI, when needed, before equipment is moved. The backup must also be kept consistently up to date, since it is this backup the entity will rely on in a disaster.

Emergency Access Procedure (Required) 164.312(a)(2)(ii)
The emergency access procedure is a required implementation specification of the Access Control standard in the Technical Safeguards section. Its aim is to establish procedures for obtaining necessary ePHI during an emergency, when normal access paths or approvals may be unavailable. Emergency access largely determines how quickly an organization can reach its own data in a disaster, so the procedure needs to be defined, and its use logged and reviewed, before the emergency occurs.

Contingency Planning: 7 Steps
The National Institute of Standards and Technology (NIST) recommends the following seven steps (NIST Special Publication 800-34) for addressing contingency planning requirements:

  • Develop the contingency planning policy statement: formal agency or department policy gives the organization the authority and guidance it needs to develop an effective contingency plan.
  • Conduct a business impact analysis (BIA): the BIA helps identify and prioritize critical IT systems and components. NIST also provides a BIA template.
  • Identify preventive controls: measures that reduce the effects of a system disruption and the costs that come with it.
  • Develop recovery strategies: these make restoration faster and more efficient.
  • Develop an IT contingency plan: the plan contains detailed procedures and guidance for restoring a damaged system.
  • Plan testing, exercises, and training: testing identifies gaps in the plan, and training prepares recovery personnel to activate it; both measure the organization's overall disaster preparedness.
  • Maintain the plan: the plan is a living document and must be updated regularly so that it reflects the current environment.

How the Supremus Group Can Help You Become Compliant

The Supremus Group can help you in three ways:

  1. Hire our HIPAA team to complete the project for you. This is ideal when you need the HIPAA Security Plan finished quickly but lack the resources to do it yourself. All we need from you is information on your current contingency plan, processes, policies, and infrastructure, if you have them.
  2. If you have employees ready to dedicate their time to the contingency process but lacking a methodology, hire one of our project managers to guide them.
  3. If you already have the Business Continuity Planning and BIA project resources and only need to save time on documentation, use our HIPAA Contingency Plan Template suite, which many hospitals, consulting organizations, and HIPAA consultants have adopted.


Let us help you with your Contingency planning project.

Please contact us for more information at Bob@hipaatraining.net or call (515) 865-4591.
