The HIPAA Security Rule requires covered entities to implement administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). The administrative safeguard provision of the Security Rule requires organizations to implement contingency plans. Organizations must develop a HIPAA disaster recovery plan as part of this implementation process.

What Are the Elements of a HIPAA Disaster Recovery Plan?

The administrative safeguard contingency plan standard requires covered entities and business associates to establish, and implement as needed, policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain ePHI.

The following three specific plans must be implemented under the HIPAA Security Rule:

1. A data backup plan: A data backup plan consists of establishing and implementing procedures to create and maintain retrievable exact copies of electronic protected health information;
2. An emergency mode operation plan: An emergency mode operation plan requires that an organization establish, and implement as needed, procedures to enable continuation of critical business processes for the protection of the security of ePHI while operating in emergency mode; and
3. A disaster recovery plan: A HIPAA disaster recovery plan requires an entity to establish, and implement as needed, procedures to restore any loss of data.

The HIPAA Security Rule administrative safeguards provision does not specify the precise elements of a HIPAA disaster recovery plan. However, HIPAA disaster recovery plan best practices have evolved over the years, to the point where there are now commonly accepted components of a HIPAA disaster recovery plan. These components include:

• A communication plan: A disaster recovery plan should contain a procedure for how employees are to communicate with other employees, and with management, in the event of a disaster. The plan should indicate how a disaster should be reported, and who should be notified of a disaster. The plan should include employee contact information to allow for prompt reporting and notification. The plan should also describe each employee’s role in the days following the disaster. The plan should designate employee assignments, such as who will assess damage, and who will have overall responsibility for systems recovery; 
• A detailed asset inventory: The HIPAA disaster recovery plan should contain a detailed inventory of all computer workstations and their components, as well as scanners, tablets, phones, and printers that are regularly used by staff. Having an inventory can serve as a quick reference for insurance claims after a major disaster; you can give the claims adjuster the asset inventory along with photos of the inventory. This can accelerate the insurance claim process;
• An equipment plan: Desktop computers, laptop computers, printers, and other computer equipment can be damaged in the event of major storms, blackouts, or earthquakes. The HIPAA disaster recovery plan should describe how this equipment should be protected in the event of a disaster. This description should consist of various steps. For example, to prevent water damage, equipment should first be moved off the floor, then (if possible) moved into a room or area with no windows, and then, the equipment should be wrapped securely in plastic or other material to prevent water from getting in;
• A data restoration priority plan: This plan should outline what data functionality should be restored first in the event of a disaster. The plan should then outline the remaining order of priority for data restoration. Prioritization should reflect both legal and business concerns. Data required by law to be maintained or secured, such as PHI in the case of HIPAA, and injury and illness records in the case of the Occupational Safety and Health Act (“OSH Act”) should be prioritized for recovery. Restoration of data  – such as billing information and online appointment calendars – that is necessary for the business to continue at a minimum level of service, should also be prioritized. 
• A vendor communication and service restoration plan: When the disaster is over, you will want to restore services as quickly as possible. This requires prompt communication with vendors such as phone and internet providers, and electricity providers. The HIPAA disaster recovery plan should contain the contact information of all vendors, along with a description of when and how (e.g., telephone, Internet) each vendor is to be contacted. 

Having all of these components in the HIPAA disaster recovery plan will not matter if employees do not know where to locate the plan, or have not been trained on the plan’s elements. Therefore, healthcare organizations should ensure that the disaster recovery plan is made available to employees, and ensure that the plan is accessible at more than one location. Organizations with a single location should store a copy of the plan at an offsite location. Employees should know where the offsite location is. In addition, organizations should conduct periodic training on the disaster recovery plan so employees will know what is expected of them under the plan.