Under the HIPAA Security Rule administrative safeguards requirement, covered entities and business associates must develop HIPAA compliant contingency plans. The two major objectives of a HIPAA compliant contingency plan are to ensure: (1) the containment of damage or injury to, or loss of, property, personnel, and data; and (2) the continuity of the key operations of the organization.
Developing an effective HIPAA compliant contingency plan ensures that healthcare organizations return to normal operations as quickly as possible, and that the confidentiality, integrity, and availability of ePHI is safeguarded.
What are the Contents of a HIPAA Compliant Contingency Plan?
The HIPAA Security Rule requires that a HIPAA compliant contingency plan (also known as a “business continuity plan”) contain the following components:
- A Disaster Recovery Plan. A disaster recovery plan is focused on restoring an organization’s electronic protected health information (ePHI).
- A Data Backup Plan. A data backup plan focuses on regularly copying electronic protected health information (ePHI) to ensure it can be restored in the event of a loss or disruption.
- An Emergency Mode Operation Plan. This plan, also known as a continuity of operations plan, focuses on maintaining and protecting critical functions that protect ePHI security.
- An Application and Data Criticality Analysis. This component focuses on identifying what applications and data are critical (i.e., of the most importance) for the contingency plan.
- Procedures for Testing and Revision of Contingency Plans. Having effective procedures for testing your contingency plan allows you to identify deficiencies and make necessary corrections.
Considerations in Developing a HIPAA Compliant Contingency Plan
The Office for Civil Rights (OCR) – the arm of the Department of Health and Human Services (HHS) that enforces HIPAA regulations – has identified key HIPAA contingency operations planning steps. These include:
- Make HIPAA Compliant Contingency Planning a Formal Policy. The formal policy should provide the authority and guidance necessary to develop an effective contingency plan.
- Identify What is Critical. Identifying criticalities – the systems and data that are critical to your operation – enables you to prioritize contingency planning and minimize losses.
- Identify Risks, Threats, and Preventive Controls. This process consists of performing a Security Rule risk analysis to identify the various risks your business may face. The end result of a risk analysis can yield a robust list of potential threats, risks, and preventive controls.
- Create Contingency Procedures. This step involves establishing the specific guidelines, parameters, and procedures to be followed when enacting the contingency plan, and those to be followed for the recovery of systems and data. The procedures developed in the Disaster Recovery Plan, Emergency Mode Operation Plan, and Data Backup Plan form the backbone of the overall contingency plan. As you develop contingency procedures, be sure to:
- Remember the Overall Goal of a Contingency Plan. The goal is to maintain critical operations and minimize data loss.
- Define Specific Time Period Activity. The procedures for the overall contingency plan should define what must be done during the first hour, the first day, the first week, and so forth, of a disaster.
- Establish Plan Activation. The contingency plan should clearly state what events will trigger its activation, as well as who has the authority to activate the plan.
- Plain Language is Your Friend. The plan should be understandable to all types of employees, so that they will know what is required of them during contingency operations.
- Operationalize and Maintain the Plan. This step consists of integrating the plan into normal business operations. Integration is effected through:
- Communicate and share the plan and its individual roles and responsibilities with those in your organization.
- Establish a testing, or exercise, schedule for the plan. Testing and exercises are conducted to identify gaps and to ensure you have the information needed to update any deficiencies in the plan.
- Review the plan at regular intervals. Additionally, review the plan when there are technical, operational, or personnel changes in the organization.